diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..9270a1e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+  - &ataraxia ad382d058c964607b7bbf01b071a8131bf166e80
+  - &suomi-vps d286fd9431753cb455537070235ec7bc757002ca
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+    - pgp:
+      - *ataraxia
+      - *suomi-vps
diff --git a/flake.nix b/flake.nix
index b6af6c2..7e2bc07 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,6 +76,10 @@
       url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     vscode-server = {
       url = "github:msteen/nixos-vscode-server";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -116,7 +120,7 @@
       "vaultwarden.patch"
       "webhooks.patch"
     ];
-    sharedOverlays = [ flake-utils-plus.overlay ];
+    sharedOverlays = [ flake-utils-plus.overlay inputs.sops-nix.overlays.default ];
     channelsConfig = { allowUnfree = true; android_sdk.accept_license = true; };
     channels.unstable.input = nixpkgs;
     channels.unstable.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
@@ -196,6 +200,15 @@
             nix-eval-jobs jq
           ];
         };
+        sops = {
+          name = "sops";
+          sopsPGPKeyDirs = [
+            "${toString ./.}/keys/hosts"
+            "${toString ./.}/keys/users"
+          ];
+          sopsCreateGPGHome = true;
+          packages = with pkgs; [ ssh-to-pgp sops sops-import-keys-hook ];
+        };
       };
       packages = {
         Flakes-ISO = nixos-generators.nixosGenerate {
diff --git a/keys/hosts/suomi-vps.asc b/keys/hosts/suomi-vps.asc
new file mode 100644
index 0000000..2d87346
--- /dev/null
+++ b/keys/hosts/suomi-vps.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEAC1ZvLuhlCgsJpHCdaz5oUf5mhFQ88y9nh5sEcL35cEi7b9lR28
+oijbMoIppB/q5v3Lf9MChCcKkyXMPvTQIi9uEPXUGDJBu0Layl6nPgwMqf0vZ728
+h+0nUNe0qCrT6tFRH9Z3EnXS9370V7KZCbqaynVag5aaeB8wmALTNsRVWEfVYKyh
+kliKcahMfh1kl9PGZG4p4IFuYtUcA9yY8xgKzvfvRiAauzRFh5RqYpaSiJIYqMdr
+CTuiQqU0LoEM1It2X+NfVLNoU+oNMS0QeS55malqXEILlQKlvziYc1IWhMjqlBlm
+/e4yw1by87zBiHLIt4ALBfkbFscSXN83GwKT/cCJwrP4G+IeJp9tm8/bSaEuuBrm
+zPxEWcmdMq/qDh67YcdVybn6glPmY2pI0sNKdzsLbkNLoFFjD94wPHok43722NJ2
+BtbPWiWrLrda4miknFfFvLvY0hZRDLwfuNVRC5+HYwvwlG4C85fWfueCsmqOHJAN
+x+xV51hbDYoDoIyXvaL9K/xTontYDGR4oNUpaO+EI3l6npv81ChSqXkMxiuUtR1A
+0ktWUIzpQRV4dZzxY3Q9sC7djCP1xjUDHlSjmWFxi++WMt8bTFLOHNd3y2uWJQVF
+imTWysYyZ3gqs+GQ6VUzLKkYRnbVqtdKKrnvDa/pIzlVvJtpn/CZUz15swARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQI17HvHVwAsoCGw8CGQEAADCtEACX/NfWWjIJjPi1LFPEYQHb
+BHeOj6BDhQ7bPVs0IR9twNMq3lj3CyWPZ5tIKesQ7ec8fTngdVRF5Jjkb1UgENhn
+dVGWHtIVVRpvIdup6s8NRx3PRsHUp98Ly3+P+RkwoT+3ZY45xleZeCEgFU852Lfp
+LViaj0xT2wtiNMGTdAVSkjt0+ZuB89y+91YLFLQvtASPCqg5Myc4184PEdUbfGh1
+4kZJK/lFIQvXEKpreYCp6/mGj9arEuRno/KRG0pW5HS1fuGNYkKT96WSDE51Ofzb
+1ihFcuEx7upJbCeUNnLvt1GaWez3hudCruwS8Cdnn6IafHIUBys0EnOXV99SFGQX
+akvB22gWAAWcBdDlNyTzxPRaQEjgB9OxM9NIgSRLIUDPbdBlSAXFey5Nt/hL0bQE
+J448uRgCwMmEXBc5butZ26bXKCbfJ4ZyTUPV6hRb0uiKFR1IecxhLVxn715pYrWm
+MfiKrj3G+rDFKmCBXhqlEFC0TQdZoue+AxxBAzB9MTqRO2GhC35t1Tg1crwKflLd
+rEBx2bYa1OOMIPfZePAA96X+LaXhkJYlhaPCP4R9oxErrPLBO3Ki7NPpJG0c+272
++xnjaBfd1fapmVLYdSQNhT4QfOPm1YDLyHQCJi3oK+7eRX6rLMiLtQbwhWoJ9c3N
+JrpEiuMuhfru+fFCIiyoQw==
+=/C2a
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/keys/users/ataraxia.asc b/keys/users/ataraxia.asc
new file mode 100644
index 0000000..15f7810
--- /dev/null
+++ b/keys/users/ataraxia.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsBNBAAAAAABCACYSL78uXx0m7SSLSfc5Dz27nDT+0uU/wjkTICrF0jqkcKVRoYw
+ExteYzjINj8FqcxYGA5BHz72uUM653xCeVua31cU0WnjD+zUNfSaulQRROJMDeiR
+Lf5LpTnuAhYA5O9TAL47l/2j2CKnWh6jE8qn5Lt6RCXDbv2rGHnm5+6uJYvTMohq
+XbtfLbBGbBrczPL9WFda2aiv5B6AVSVA1YoPFpRX2gJqJKVgLpHjMTit/Lr3cvom
+sEC8bFCAVomAjAotym05OVl6kIex4jwoSv2Yxhizhu7TO9NxeunNduI7xD3oCc2X
+XUQoz6ASY5PFpbq7FkIQz2OLm41inxZlbv0lABEBAAHNKXJvb3QgKEltcG9ydGVk
+IGZyb20gU1NIKSA8cm9vdEBsb2NhbGhvc3Q+wsBiBBMBCAAWBQIAAAAACRAHGoEx
+vxZugAIbDwIZAQAAWJ8IADm/PZre00BcoVU2dQZy/H1SMrUVBZdYoBsYBRCm6Fh4
+s8Wi+bvpI/4BN7FUAsu8WwY32XnNrVvJLBeKZYPTJlHcQyDY18eeOgUX2bsrT6vx
+0QqDM4XauELtzxixCUADsvHM0EX1TrmA55f9AvCWASFuPARbKLWYtEx1O39DMi26
+N8eaePKvRHnpNzAYIeVlXP25ZoYRtVffDdFJgWYiiLgHsn9NSBRmon2wZuZG/mdh
+f1YzYibIFPAm8RVJhDjbsZMiWSFx+86jZEcG1DjJZQ4dJwfUsx4Q9cKHlX16ikPn
+nlO4mnO8z1TPCczm8W4/lIjBsM/fLRK/er6uruOThkw=
+=j5e1
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
diff --git a/profiles/workspace/misc.nix b/profiles/workspace/misc.nix
index 036574a..3f7f54c 100644
--- a/profiles/workspace/misc.nix
+++ b/profiles/workspace/misc.nix
@@ -59,6 +59,7 @@ with config.deviceSpecific; {
   persist.state.homeDirectories = [
     "projects"
     "nixos-config"
+    ".config/sops"
   ] ++ lib.optionals (!isServer) [
     "games"
     # "persist"