diff --git a/Dockerfile b/Dockerfile index 3a12cfe..bbd74ab 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,6 +6,7 @@ # Build: docker build -t berrypod . # Run: docker run --rm -p 4000:4000 \ # -e SECRET_KEY_BASE=$(mix phx.gen.secret) \ +# -e SECRET_KEY_DB=$(mix phx.gen.secret) \ # -e DATABASE_PATH=/data/berrypod.db \ # -e PHX_HOST=localhost \ # -v berrypod_data:/data \ @@ -26,8 +27,9 @@ ARG RUNNER_IMAGE="alpine:${ALPINE_VERSION}" FROM ${BUILDER_IMAGE} AS builder -# Build deps: C compiler for NIFs, git for hex deps, vips-dev for image processing -RUN apk add --no-cache build-base git vips-dev +# Build deps: C compiler for NIFs, git for hex deps, vips-dev for image processing, +# sqlcipher-dev for encrypted SQLite +RUN apk add --no-cache build-base git vips-dev sqlcipher-dev WORKDIR /app @@ -38,6 +40,11 @@ ENV MIX_ENV="prod" # Use Alpine's system libvips instead of the glibc-linked precompiled binary ENV VIX_COMPILATION_MODE="PLATFORM_PROVIDED_LIBVIPS" +# Use system SQLCipher instead of bundled SQLite for database encryption +ENV EXQLITE_USE_SYSTEM=1 +ENV EXQLITE_SYSTEM_CFLAGS="-I/usr/include/sqlcipher" +ENV EXQLITE_SYSTEM_LDFLAGS="-lsqlcipher" + # Install mix dependencies COPY mix.exs mix.lock ./ RUN mix deps.get --only $MIX_ENV @@ -87,7 +94,7 @@ RUN mix release FROM ${RUNNER_IMAGE} AS runner # Runtime deps only — no compilers, no -dev packages -RUN apk add --no-cache libstdc++ openssl ncurses-libs vips vips-heif +RUN apk add --no-cache libstdc++ openssl ncurses-libs vips vips-heif sqlcipher-libs WORKDIR /app diff --git a/config/dev.exs b/config/dev.exs index c533f93..8e6f96c 100644 --- a/config/dev.exs +++ b/config/dev.exs @@ -1,6 +1,7 @@ import Config # Configure your database +# Optional: set SECRET_KEY_DB to test SQLCipher encryption locally config :berrypod, Berrypod.Repo, database: Path.expand("../berrypod_dev.db", __DIR__), pool_size: 5, 
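Review bot: The added example line `-e SECRET_KEY_DB=$(mix phx.gen.secret)` in the `Run:` comment generates a new key on every `docker run`, while the same example mounts the persistent volume `berrypod_data:/data`. If SECRET_KEY_DB is the SQLCipher key, as the rest of this diff suggests, a second run with a fresh key could not open the database the first run created. I would document generating the key once and reusing it, for example `# Generate SECRET_KEY_DB once, store it safely, and pass the same value on every run; losing it means losing the database`. Values passed with `-e` are also visible in `docker inspect`, so an `--env-file` with restricted permissions is the safer thing to show.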
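Review bot: Nothing in the `EXQLITE_USE_SYSTEM` / `EXQLITE_SYSTEM_CFLAGS` / `EXQLITE_SYSTEM_LDFLAGS` block confirms that the compiled NIF is actually linked against SQLCipher, and stock SQLite silently ignores `PRAGMA key` and leaves the file in plaintext. If these variables were not honoured at compile time (a cached or precompiled build, for instance), the release would run unencrypted with no visible failure. A fail-closed check would catch this: query `PRAGMA cipher_version` at startup or in a build step and refuse to continue when it returns nothing while SECRET_KEY_DB is set. The application code is outside this diff, so this may already exist; if so, a comment here pointing to it would help.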
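Review bot: The new comment `# Optional: set SECRET_KEY_DB to test SQLCipher encryption locally` does not say where the variable is read, and this hunk adds no option carrying the key to the `Berrypod.Repo` config, so it is presumably consumed in another file. An existing plaintext `berrypod_dev.db` would normally fail to open once a key is supplied, and an encrypted one would fail without it. I would extend the comment to say so, for example `# Switching SECRET_KEY_DB on or off requires re-creating berrypod_dev.db`, and name the file that reads the variable. The `config` block continues past the end of the hunk.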
@@ -12,6 +13,7 @@ config :berrypod, Berrypod.Repo, stacktrace: true, show_sensitive_data_on_connection_error: true + # For development, we disable any cache and enable # debugging and code reloading. # @@ -68,7 +70,7 @@ config :berrypod, BerrypodWeb.Endpoint, live_reload: [ web_console_logger: true, patterns: [ - ~r"priv/static/(?!uploads/).*(js|css|png|jpeg|jpg|gif|svg)$", + ~r"priv/static/(?!uploads/|mockups/).*(js|css|png|jpeg|jpg|gif|svg)$", ~r"priv/gettext/.*(po)$", ~r"lib/berrypod_web/(?:controllers|live|components|router)/?.*\.(ex|heex)$" ]