diff --git a/pkg/notifier/shared.go b/pkg/notifier/shared.go
index d72b4b9a..c1838eb6 100644
--- a/pkg/notifier/shared.go
+++ b/pkg/notifier/shared.go
@@ -2,6 +2,9 @@ package notifier
 import (
 	context "context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 	"github.com/hashicorp/go-plugin"
 	grpc "google.golang.org/grpc"
@@ -70,3 +73,17 @@ func GetHandshakeConfig() plugin.HandshakeConfig {
 func GetPluginMap() map[string]plugin.Plugin {
 	return map[string]plugin.Plugin{"plugin": &GRPCNotifier{}}
 }
+
+func GetSecureConfig(checksum string) (*plugin.SecureConfig, error) {
+	sum, err := hex.DecodeString(checksum)
+	if err != nil {
+		return nil, fmt.Errorf("checksum is not a valid hex string")
+	}
+
+	hash := sha256.New()
+	if len(sum) != hash.Size() {
+		return nil, fmt.Errorf("expected checksum of length %d; got %d", hash.Size()*2, len(sum)*2)
+	}
+
+	return &plugin.SecureConfig{Checksum: sum, Hash: sha256.New()}, nil
+}
diff --git a/pkg/sidecar/sidecar.go b/pkg/sidecar/sidecar.go
index 0f302f49..a42b475c 100644
--- a/pkg/sidecar/sidecar.go
+++ b/pkg/sidecar/sidecar.go
@@ -133,6 +133,24 @@ func (s *Sidecar) signalProcess() (err error) {
 func (s *Sidecar) loadPlugins() {
 	for pluginName, pluginConfig := range s.config.Plugins {
+		pluginPath := pluginConfig["path"]
+		if pluginPath == "" {
+			s.config.Log.Warnf("Please provide a path for plugin %s", pluginName)
+			continue
+		}
+
+		checksum := pluginConfig["checksum"]
+		if checksum == "" {
+			s.config.Log.Warnf("Please provide a checksum for plugin %s", pluginName)
+			continue
+		}
+
+		secureConfig, err := pb.GetSecureConfig(checksum)
+		if err != nil {
+			s.config.Log.Warnf("Error while trying to create secure config for plugin %s", pluginName)
+			continue
+		}
+
 		request := &pb.ConfigsRequest{}
 		request.Configs = pluginConfig
 		request.Configs["certDir"] = s.config.CertDir
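Review bot: The hex decode error in `GetSecureConfig` is dropped, so the caller cannot tell a malformed digit from a wrong length or attach the cause; wrap it with `return nil, fmt.Errorf("checksum is not a valid hex string: %w", err)`. The length check also builds a hasher only to read its size and then allocates a second one for the config: `sha256.Size` gives the byte length as a constant, and the single `hash` can be reused as `Hash: hash`. The second error message reports hex-character counts (`hash.Size()*2`, `len(sum)*2`), which is consistent with the input being a hex string; a doc comment such as `// GetSecureConfig builds a go-plugin SecureConfig from the hex-encoded SHA-256 digest of the plugin binary.` would make the expected input and digest algorithm explicit for callers.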
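Review bot: The error returned by `pb.GetSecureConfig` is discarded in the new `loadPlugins` block — the warning names the plugin but not why the secure config failed (bad hex versus wrong length), which is what an operator needs when a plugin silently stops loading; change it to `s.config.Log.Warnf("Error while trying to create secure config for plugin %s: %v", pluginName, err)`. Note also that `request.Configs = pluginConfig` below forwards the whole map, so the new `checksum` entry is handed to the plugin along with its other settings; harmless, but presumably unintended. `loadPlugins` continues outside the hunk.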
@@ -141,17 +159,12 @@ func (s *Sidecar) loadPlugins() {
 		request.Configs["svidKeyFileName"] = s.config.SvidKeyFileName
 		request.Configs["svidBundleFileName"] = s.config.SvidBundleFileName
-		pluginPath := pluginConfig["path"]
-		if pluginPath == "" {
-			s.config.Log.Warnf("Please provide a path for plugin %s", pluginName)
-			continue
-		}
-
 		client := plugin.NewClient(&plugin.ClientConfig{
 			HandshakeConfig: pb.GetHandshakeConfig(),
 			Plugins: pb.GetPluginMap(),
 			Cmd: exec.Command(pluginPath),
 			AllowedProtocols: []plugin.Protocol{plugin.ProtocolGRPC},
+			SecureConfig: secureConfig,
 		})
 		RPCClient, err := client.Client()