diff --git a/lib/gitlab/qa/component/gitlab.rb b/lib/gitlab/qa/component/gitlab.rb
index b0a5cadb83e3a71d209126f24ee905474f1b7bbf..2417891fe29d41c2fac4aaa2ef18c469e912a606 100644
--- a/lib/gitlab/qa/component/gitlab.rb
+++ b/lib/gitlab/qa/component/gitlab.rb
@@ -28,7 +28,8 @@ module Gitlab
                       :seed_admin_token,
                       :seed_db,
                       :skip_server_hooks,
-                      :gitaly_tls
+                      :gitaly_tls,
+                      :secrets
 
         attr_writer :name, :relative_path
 
@@ -50,10 +51,21 @@ module Gitlab
           @seed_admin_token = Runtime::Scenario.seed_admin_token
           @seed_db = Runtime::Scenario.seed_db
           @skip_server_hooks = Runtime::Scenario.skip_server_hooks
+          @secrets = []
 
           self.release = 'CE'
         end
 
+        def set_arkose_labs_keys
+          return if Runtime::Env.arkose_labs_private_key.to_s.strip.empty? ||
+            Runtime::Env.arkose_labs_public_key.to_s.strip.empty?
+
+          @omnibus_gitlab_rails_env['ARKOSE_LABS_PRIVATE_KEY'] = Runtime::Env.arkose_labs_private_key
+          @omnibus_gitlab_rails_env['ARKOSE_LABS_PUBLIC_KEY'] = Runtime::Env.arkose_labs_public_key
+          secrets << Runtime::Env.arkose_labs_private_key
+          secrets << Runtime::Env.arkose_labs_public_key
+        end
+
         def set_formless_login_token
           return if Runtime::Env.gitlab_qa_formless_login_token.to_s.strip.empty?
 
@@ -119,6 +131,7 @@ module Gitlab
         def prepare_gitlab_omnibus_config
           set_formless_login_token
           set_license_mode
+          set_arkose_labs_keys
           return if omnibus_gitlab_rails_env.empty?
 
           @omnibus_configuration << "gitlab_rails['env'] = #{@omnibus_gitlab_rails_env}"
@@ -203,7 +216,7 @@ module Gitlab
           return if commands.empty?
 
           Runtime::Logger.info("Running exec_commands...")
-          commands.each { |command| @docker.exec(name, command) }
+          commands.each { |command| @docker.exec(name, command, mask_secrets: secrets) }
         end
 
         def rails_version
@@ -263,7 +276,7 @@ module Gitlab
         end
 
         def setup_omnibus
-          @docker.write_files(name) do |f|
+          @docker.write_files(name, mask_secrets: secrets) do |f|
             f.write('/etc/gitlab/gitlab.rb', @omnibus_configuration.to_s)
           end
         end
diff --git a/lib/gitlab/qa/docker/engine.rb b/lib/gitlab/qa/docker/engine.rb
index 8d3134fcee1f4f2643290ab08178b6f7e35350de..0c41033c8a7442d83b9aff61495e2c6c82efb5af 100644
--- a/lib/gitlab/qa/docker/engine.rb
+++ b/lib/gitlab/qa/docker/engine.rb
@@ -30,7 +30,7 @@ module Gitlab
           end
         end
 
-        def run(image:, tag: nil, args: [])
+        def run(image:, tag: nil, args: [], mask_secrets: nil)
           Docker::Command.new('run', stream_output: stream_output).tap do |command|
             yield command if block_given?
 
@@ -51,6 +51,7 @@ module Gitlab
 
         # Write to file(s) in the Docker container specified by @param name
         # @param name The name of the Docker Container
+        # @param [<String, Array>] mask_secrets any secrets that should not be revealed when the content included in the file is logged.
         # @example
         #   engine.write_files('gitlab-abc123') do |files|
         #     files.append('/etc/hosts', '127.0.0.1 localhost')
@@ -58,7 +59,7 @@ module Gitlab
         #       This is content
         #       That goes within /opt/other
         #     TEXT)
-        def write_files(name)
+        def write_files(name, mask_secrets: nil)
           exec(name, yield(
             Class.new do
               # @param file The name of the file
@@ -76,13 +77,13 @@ module Gitlab
                 %(echo "#{contents}" >> #{file};)
               end
             end
-          ))
+          ), mask_secrets: mask_secrets)
         end
 
-        def exec(name, command)
+        def exec(name, command, mask_secrets: nil)
           cmd = ['exec']
           cmd << '--privileged' if privileged_command?(command)
-          Docker::Command.execute(%(#{cmd.join(' ')} #{name} bash -c "#{command.gsub('"', '\\"')}"))
+          Docker::Command.execute(%(#{cmd.join(' ')} #{name} bash -c "#{command.gsub('"', '\\"')}"), mask_secrets: mask_secrets)
         end
 
         def read_file(image, tag, path, &block)
diff --git a/lib/gitlab/qa/runtime/env.rb b/lib/gitlab/qa/runtime/env.rb
index 1223c65b982e93bed0111616b8cfd672aa2f5eb5..c5bd8be9a5fd99b760630bc089b6b0655581ed1f 100644
--- a/lib/gitlab/qa/runtime/env.rb
+++ b/lib/gitlab/qa/runtime/env.rb
@@ -168,6 +168,14 @@ module Gitlab
           qa_variables.merge(defined_variables)
         end
 
+        def arkose_labs_private_key
+          env_var_value_if_defined('ARKOSE_LABS_PRIVATE_KEY')
+        end
+
+        def arkose_labs_public_key
+          env_var_value_if_defined('ARKOSE_LABS_PUBLIC_KEY')
+        end
+
         def debug?
           enabled?(ENV['QA_DEBUG'], default: true)
         end