diff --git a/Cargo.lock b/Cargo.lock index f3f5105e..9a752aca 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2070,7 +2070,7 @@ checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" [[package]] name = "openpgp-dsm" -version = "1.0.1" +version = "1.0.2" dependencies = [ "anyhow", "bindgen", diff --git a/README.md b/README.md index 7a0ee2e9..73f72fcb 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ sq-dsm -======== +====== This fork of [Sequoia-PGP][Sequoia] leverages [sdkms-client-rust][sdkms-client-rust] to perform OpenPGP operations with keys @@ -30,7 +30,11 @@ variables need to be set in order to communicate with DSM. openssl pkcs12 -export -out identity.pfx -inkey private.key -in public.crt ``` If a password is set for the PKCS12 file, then `sq-dsm` will ask for it on - each key usage (which can happen several times on one PGP operation). + each key usage (which can happen several times on one PGP operation), unless + the `FORTANIX_PKCS12_PASSPHRASE` environment variable is set (see below). +- `FORTANIX_PKCS12_PASSPHRASE`, the passphrase to unlock the identity file + generated above. If the password is incorrect, `sq-dsm` will ask for it on + each operation. - `FORTANIX_APP_UUID`, the UUID of your DSM app, for certificate-based authentication (e.g., this environment variable is used together with `FORTANIX_PKCS12_ID`). diff --git a/openpgp-dsm/Cargo.toml b/openpgp-dsm/Cargo.toml index c78d8ab7..d7f559d0 100644 --- a/openpgp-dsm/Cargo.toml +++ b/openpgp-dsm/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "openpgp-dsm" -version = "1.0.1" +version = "1.0.2" authors = ["zugzwang "] edition = "2018" diff --git a/openpgp-dsm/src/lib.rs b/openpgp-dsm/src/lib.rs index 09fff5d6..b639bde5 100644 --- a/openpgp-dsm/src/lib.rs +++ b/openpgp-dsm/src/lib.rs 
@@ -37,7 +37,7 @@ use hyper::net::HttpsConnector;
 use hyper_native_tls::native_tls::{Identity, TlsConnector};
 use hyper_native_tls::NativeTlsClient;
 use ipnetwork::IpNetwork;
-use log::info;
+use log::{info, warn};
 use sdkms::api_model::Algorithm::Rsa;
 use sdkms::api_model::{
 AgreeKeyMechanism, AgreeKeyRequest, ApprovalStatus, DecryptRequest,
@@ -96,6 +96,7 @@ const ENV_APP_UUID: &str = "FORTANIX_APP_UUID";
 const ENV_HTTP_PROXY: &str = "http_proxy";
 const ENV_NO_PROXY: &str = "no_proxy";
 const ENV_P12: &str = "FORTANIX_PKCS12_ID";
+const ENV_P12_PASS: &str = "FORTANIX_PKCS12_PASSPHRASE";
 const MIN_DSM_VERSION: &str = "4.2.0";
 // As seen on sdkms-client-rust/blob/master/examples/approval_request.rs
 const OP_APPROVAL_MSG: &str = "This operation requires approval";
@@ -1855,8 +1856,16 @@ fn try_unlock_p12(cert_file: String) -> Result {
 // Try to unlock certificate without password first
 let mut first = true;
 if let Ok(id) = Identity::from_pkcs12(&cert, "") {
- Ok(id)
+ return Ok(id)
 } else {
+ // Try to unlock with env var passphrase
+ if let Ok(pass) = env::var(ENV_P12_PASS) {
+ if let Ok(id) = Identity::from_pkcs12(&cert, &pass) {
+ return Ok(id)
+ } else {
+ warn!("could not unlock PKCS12 identity with {:?}", ENV_P12_PASS);
+ }
+ }
 loop {
 // Prompt the user for PKCS12 password
 match rpassword::read_password_from_tty(
@@ -1869,7 +1878,7 @@ fn try_unlock_p12(cert_file: String) -> Result {
 Ok(p) => {
 first = false;
 if let Ok(id) = Identity::from_pkcs12(&cert, &p) {
- break Ok(id)
+ return Ok(id)
 }
 },
 Err(err) => {
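Review bot: The passphrase taken from `FORTANIX_PKCS12_PASSPHRASE` in the new branch of `try_unlock_p12` (hunk `@@ -1855,8 +1856,16 @@`) is left in the process environment and held in a plain `String`, so it is inherited by any child process, is typically readable by other processes of the same user, and is not wiped when `pass` is dropped. I would record that trade-off at the branch with a comment such as `// SECURITY: the env passphrase is inherited by child processes and is not zeroized; prefer the TTY prompt on shared hosts`, and repeat the caveat next to the variable in the README. Separately, `env::var` returns `Err` for a value that is set but not valid Unicode, so that case skips to the prompt without the `warn!`; matching `Err(env::VarError::NotUnicode(_))` and warning there would make the failure visible. The function starts before this hunk and its prompt loop continues past the last hunk, so the `Err(err)` arm was not reviewed.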