diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 2720ab76dc..e5f42943ac 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -475,6 +475,9 @@ func NewFuncMap() []template.FuncMap {
 		"RefShortName": func(ref string) string {
 			return git.RefName(ref).ShortName()
 		},
+		"Shadow": func(s string) string {
+			return "******"
+		},
 	}}
 }
 
diff --git a/routers/init.go b/routers/init.go
index 5d700792b4..65bb0fc6c3 100644
--- a/routers/init.go
+++ b/routers/init.go
@@ -48,6 +48,7 @@ import (
 	pull_service "code.gitea.io/gitea/services/pull"
 	repo_service "code.gitea.io/gitea/services/repository"
 	"code.gitea.io/gitea/services/repository/archiver"
+	secret_service "code.gitea.io/gitea/services/secrets"
 	"code.gitea.io/gitea/services/task"
 	"code.gitea.io/gitea/services/webhook"
 )
@@ -151,6 +152,8 @@ func GlobalInitInstalled(ctx context.Context) {
 	mustInit(models.Init)
 	mustInit(repo_service.Init)
 
+	mustInit(secret_service.Init)
+
 	// Booting long running goroutines.
 	issue_indexer.InitIssueIndexer(false)
 	code_indexer.Init()
diff --git a/routers/web/repo/setting.go b/routers/web/repo/setting.go
index c479008736..6836f8eed8 100644
--- a/routers/web/repo/setting.go
+++ b/routers/web/repo/setting.go
@@ -45,8 +45,8 @@ import (
 	mirror_service "code.gitea.io/gitea/services/mirror"
 	org_service "code.gitea.io/gitea/services/org"
 	repo_service "code.gitea.io/gitea/services/repository"
-	wiki_service "code.gitea.io/gitea/services/wiki"
 	secret_service "code.gitea.io/gitea/services/secrets"
+	wiki_service "code.gitea.io/gitea/services/wiki"
 )
 
 const (
@@ -1114,19 +1114,38 @@ func DeployKeys(ctx *context.Context) {
 	}
 	ctx.Data["Deploykeys"] = keys
 
-	tokens, err := secret_service.FindRepoSecrets(ctx, ctx.Repo.Repository.ID)
+	secrets, err := secret_service.FindRepoSecrets(ctx, ctx.Repo.Repository.ID)
 	if err != nil {
 		ctx.ServerError("FindRepoSecrets", err)
 		return
 	}
-	ctx.Data["Tokens"] = tokens
+	ctx.Data["Secrets"] = secrets
 
 	ctx.HTML(http.StatusOK, tplDeployKeys)
 }
 
+// SecretsPost
+func SecretsPost(ctx *context.Context) {
+	form := web.GetForm(ctx).(*forms.AddKeyForm)
+	if err := secret_service.InsertRepoSecret(ctx, ctx.Repo.Repository.ID, form.Title, form.Content, form.PullRequestRead); err != nil {
+		ctx.ServerError("InsertRepoSecret", err)
+		return
+	}
+
+	log.Trace("Secret added: %d", ctx.Repo.Repository.ID)
+	ctx.Flash.Success(ctx.Tr("repo.settings.add_key_success", form.Title))
+	ctx.Redirect(ctx.Repo.RepoLink + "/settings/keys")
+}
+
 // DeployKeysPost response for adding a deploy key of a repository
 func DeployKeysPost(ctx *context.Context) {
+	if ctx.FormString("act") == "secret" {
+		SecretsPost(ctx)
+		return
+	}
+
 	form := web.GetForm(ctx).(*forms.AddKeyForm)
+
 	ctx.Data["Title"] = ctx.Tr("repo.settings.deploy_keys")
 	ctx.Data["PageIsSettingsKeys"] = true
 	ctx.Data["DisableSSH"] = setting.SSH.Disabled
@@ -1185,8 +1204,25 @@ func DeployKeysPost(ctx *context.Context) {
 	ctx.Redirect(ctx.Repo.RepoLink + "/settings/keys")
 }
 
+func DeleteSecret(ctx *context.Context) {
+	if err := secret_service.DeleteSecretByID(ctx, ctx.FormInt64("id")); err != nil {
+		ctx.Flash.Error("DeleteSecretByID: " + err.Error())
+	} else {
+		ctx.Flash.Success(ctx.Tr("repo.settings.deploy_key_deletion_success"))
+	}
+
+	ctx.JSON(http.StatusOK, map[string]interface{}{
+		"redirect": ctx.Repo.RepoLink + "/settings/keys",
+	})
+}
+
 // DeleteDeployKey response for deleting a deploy key
 func DeleteDeployKey(ctx *context.Context) {
+	if ctx.FormString("act") == "secret" {
+		DeleteSecret(ctx)
+		return
+	}
+
 	if err := asymkey_service.DeleteDeployKey(ctx.Doer, ctx.FormInt64("id")); err != nil {
 		ctx.Flash.Error("DeleteDeployKey: " + err.Error())
 	} else {
diff --git a/services/forms/user_form.go b/services/forms/user_form.go
index 7c063945ad..0add17967e 100644
--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
@@ -351,13 +351,14 @@ func (f *AddOpenIDForm) Validate(req *http.Request, errs binding.Errors) binding
 
 // AddKeyForm form for adding SSH/GPG key
 type AddKeyForm struct {
-	Type        string `binding:"OmitEmpty"`
-	Title       string `binding:"Required;MaxSize(50)"`
-	Content     string `binding:"Required"`
-	Signature   string `binding:"OmitEmpty"`
-	KeyID       string `binding:"OmitEmpty"`
-	Fingerprint string `binding:"OmitEmpty"`
-	IsWritable  bool
+	Type            string `binding:"OmitEmpty"`
+	Title           string `binding:"Required;MaxSize(50)"`
+	Content         string `binding:"Required"`
+	Signature       string `binding:"OmitEmpty"`
+	KeyID           string `binding:"OmitEmpty"`
+	Fingerprint     string `binding:"OmitEmpty"`
+	IsWritable      bool
+	PullRequestRead bool
 }
 
 // Validate validates the fields
@@ -366,6 +367,19 @@ func (f *AddKeyForm) Validate(req *http.Request, errs binding.Errors) binding.Er
 	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
 }
 
+// AddSecretForm for adding secrets
+type AddSecretForm struct {
+	Title           string `binding:"Required;MaxSize(50)"`
+	Content         string `binding:"Required"`
+	PullRequestRead bool
+}
+
+// Validate validates the fields
+func (f *AddSecretForm) Validate(req *http.Request, errs binding.Errors) binding.Errors {
+	ctx := context.GetContext(req)
+	return middleware.Validate(errs, ctx.Data, f, ctx.Locale)
+}
+
 // NewAccessTokenForm form for creating access token
 type NewAccessTokenForm struct {
 	Name string `binding:"Required;MaxSize(255)"`
diff --git a/templates/repo/settings/secrets.tmpl b/templates/repo/settings/secrets.tmpl
index dd1f75b5af..9a5d1e85bf 100644
--- a/templates/repo/settings/secrets.tmpl
+++ b/templates/repo/settings/secrets.tmpl
@@ -8,7 +8,7 @@
 		</h4>
 		<div class="ui attached segment">
 			<div class="{{if not .HasError}}hide{{end}} mb-4" id="add-secret-panel">
-				<form class="ui form" action="{{.Link}}" method="post">
+				<form class="ui form" action="{{.Link}}?act=secret" method="post">
 					{{.CsrfTokenHtml}}
 					<div class="field">
 						{{.locale.Tr "repo.settings.secret_desc"}}
@@ -23,7 +23,7 @@
 					</div>
 					<div class="field">
 						<div class="ui checkbox {{if .Err_IsWritable}}error{{end}}">
-							<input id="ssh-key-is-writable" name="is_writable" class="hidden" type="checkbox" value="1">
+							<input id="pull_request_read" name="pull_request_read" class="hidden" type="checkbox" value="1">
 							<label for="is_writable">
 								{{.locale.Tr "repo.settings.pull_request_read"}}
 							</label>
@@ -43,20 +43,20 @@
 					{{range .Secrets}}
 						<div class="item">
 							<div class="right floated content">
-								<button class="ui red tiny button delete-button" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
+								<button class="ui red tiny button delete-button" data-url="{{$.Link}}/delete?act=secret" data-id="{{.ID}}">
 									{{$.locale.Tr "settings.delete_key"}}
 								</button>
 							</div>
 							<div class="left floated content">
-								<i class="tooltip{{if .HasRecentActivity}} green{{end}}" {{if .HasRecentActivity}}data-content="{{$.locale.Tr "settings.key_state_desc"}}"{{end}}>{{svg "octicon-key" 32}}</i>
+								<i class="tooltip">{{svg "octicon-key" 32}}</i>
 							</div>
 							<div class="content">
 								<strong>{{.Name}}</strong>
 								<div class="print meta">
-									{{.Fingerprint}}
+									{{Shadow .Data}}
 								</div>
 								<div class="activity meta">
-									<i>{{$.locale.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> —  {{svg "octicon-info"}} {{if .HasUsed}}{{$.locale.Tr "settings.last_used"}} <span {{if .HasRecentActivity}}class="green"{{end}}>{{.UpdatedUnix.FormatShort}}</span>{{else}}{{$.locale.Tr "settings.no_activity"}}{{end}} - <span>{{$.locale.Tr "settings.can_read_info"}}{{if not .IsReadOnly}} / {{$.locale.Tr "settings.can_write_info"}} {{end}}</span></i>
+									<i>{{$.locale.Tr "settings.add_on"}} <span>{{.CreatedUnix.FormatShort}}</span> —  {{svg "octicon-info"}} - <span>{{if .PullRequest}} {{$.locale.Tr "repo.settings.pull_request_read_info"}} {{end}}</span></i>
 								</div>
 							</div>
 						</div>