diff --git a/CHANGES b/CHANGES
index 782215378..f2ae2175c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2007,4 +2007,5 @@
 [5.4.0]
 * redis: Set maxmemory and maxmemory-policy
+* Add mlock capability to manifest (for vault app)
diff --git a/package-lock.json b/package-lock.json
index 7f6f91cdc..ccd11db36 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -741,9 +741,9 @@
 }
 },
 "cloudron-manifestformat": {
- "version": "5.3.0",
- "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.3.0.tgz",
- "integrity": "sha512-KMHTtR/oRnMzqTUzY1706xpYA1PrvmwIenC8HrigJhOYQdeMLv7egg1Eg0QIB1bfxKIhb+1Zc2i48HKE7MQGkg==",
+ "version": "5.4.0",
+ "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.4.0.tgz",
+ "integrity": "sha512-MpgAMpBm3k14bH3lLaCUzcBtgC458Qx75blORHqTxJ83aGJp4P7+YYM/ABVGHVD0842OcR3JvQlCUT7+4cs6Cg==",
 "requires": {
 "cron": "^1.8.2",
 "java-packagename-regex": "^1.0.0",
diff --git a/package.json b/package.json
index 40a2f04e6..4ba4ad7b4 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
 "async": "^2.6.3",
 "aws-sdk": "^2.685.0",
 "body-parser": "^1.19.0",
- "cloudron-manifestformat": "^5.3.0",
+ "cloudron-manifestformat": "^5.4.0",
 "connect": "^3.7.0",
 "connect-lastmile": "^2.0.0",
 "connect-timeout": "^1.9.0",
diff --git a/src/docker.js b/src/docker.js
index 4c3d5f055..592007104 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -306,6 +306,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
 Dns: ['172.18.0.1'], // use internal dns
 DnsSearch: ['.'], // use internal dns
 SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
+ CapAdd: [],
 CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
 },
 NetworkingConfig: {
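Review bot: The new `CapAdd: []` sits directly above `CapDrop: [ 'NET_RAW' ]` with nothing saying it is populated later from `manifest.capabilities`, nor that the net_admin path pushes NET_RAW back onto it, so a reader auditing the hardening baseline here would take NET_RAW as unconditionally dropped. As I read Docker's capability handling, the drop list is applied to the default set first and CapAdd is appended afterwards, so an added capability wins over a drop; that is worth recording at the declaration: `CapAdd: [], // filled from manifest.capabilities below; Docker applies CapAdd after CapDrop, so an added cap (e.g. NET_RAW for net_admin) overrides the drop`. createSubcontainer and the HostConfig literal both begin before this hunk.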
@@ -318,11 +319,8 @@ function createSubcontainer(app, name, cmd, options, callback) {
 };
 var capabilities = manifest.capabilities || [];
- if (capabilities.includes('net_admin')) {
- containerOptions.HostConfig.CapAdd = [
- 'NET_ADMIN', 'NET_RAW'
- ];
- }
+ if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
+ if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
 containerOptions = _.extend(containerOptions, options);
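Review bot: The `mlock` branch grants CAP_IPC_LOCK to the container's root, which lets the app mlock()/mlockall() without RLIMIT_MEMLOCK applying, so a misbehaving or compromised app can pin unswappable RAM on the host; that is only acceptable if the container also carries a HostConfig memory limit, which this hunk does not show, and the dependency deserves a comment next to the grant. The trailing comment should say what is granted rather than what vault does with it: `// IPC_LOCK: lets the app mlock() its memory (vault uses it to keep secrets out of swap); not bounded by RLIMIT_MEMLOCK`. Note too that CapAdd only raises the capabilities of the container's root; if the app image drops to an unprivileged user it will generally need file capabilities on the binary for mlock to succeed, which the manifest option cannot provide. The rest of createSubcontainer, including whatever `options` may override through the shallow `_.extend`, lies outside the hunk.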