diff --git a/rootfs/etc/confd/templates/proftpd.conf.tmpl b/rootfs/etc/confd/templates/proftpd.conf.tmpl
index 8fd5867..016f399 100644
--- a/rootfs/etc/confd/templates/proftpd.conf.tmpl
+++ b/rootfs/etc/confd/templates/proftpd.conf.tmpl
@@ -18,6 +18,23 @@ PassivePorts {{getenv "PASSIVE_LOWER_BOUND"}} {{getenv "PASSIVE_UPPER_BOUND"}}
   DenyAll
 </Limit>
 
+<IfModule mod_tls.c>
+    TLSEngine on
+    TLSProtocol TLSv1.2
+    TLSRequired on
+
+    TLSRSACertificateFile /etc/ssl/proftp/fullchain.pem
+    TLSRSACertificateKeyFile /etc/ssl/proftp/provkey.pem
+
+    # CA the server trusts
+    TLSCACertificateFile /etc/ftpd/root.cert.pem
+
+    TLSVerifyClient off
+    TLSServerCipherPreference on
+    TLSSessionCache internal: 1800
+    TLSCipherSuite AES128+EECDH:AES128+EDH
+</IfModule>
+
 <IfModule mod_ldap.c>
     AuthOrder mod_ldap.c