diff --git a/.gitignore b/.gitignore
index 234ab9a..da426b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 terraform.tfstate
 terraform.tfstate.backup
 *.tfvars
+sops-age-secret.yaml.example
diff --git a/kubernetes/dev/.sops.yaml b/kubernetes/dev/.sops.yaml
new file mode 100644
index 0000000..abb6258
--- /dev/null
+++ b/kubernetes/dev/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+ - path_regex: .*\.sops\.yaml
+ encrypted_regex: "^(data|stringData)$"
+ age: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
diff --git a/kubernetes/flux-system/gotk-sync.yaml b/kubernetes/flux-system/gotk-sync.yaml
index 015ee7c..cacceb5 100644
--- a/kubernetes/flux-system/gotk-sync.yaml
+++ b/kubernetes/flux-system/gotk-sync.yaml
@@ -25,3 +25,7 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/kubernetes/flux-system/sops-age-secret.yaml.example b/kubernetes/flux-system/sops-age-secret.yaml.example
new file mode 100644
index 0000000..8cd85f0
--- /dev/null
+++ b/kubernetes/flux-system/sops-age-secret.yaml.example
@@ -0,0 +1,9 @@
+# Manual step: create this secret before Flux can decrypt SOPS files
+# kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sops-age
+ namespace: flux-system
+stringData:
+ age.agekey: AGE-SECRET-KEY-XXXXXXXXXXXXXXXXXXXXX
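Review bot: The new ignore entry `sops-age-secret.yaml.example` targets the template that this same commit adds to git (ignore rules have no effect on a tracked file), while the file an operator would actually fill in with the private key — presumably `sops-age-secret.yaml` beside the example — is not ignored at all, so a completed copy is one `git add .` away from putting the age private key into history. The entry should cover the real file and the raw key material instead: `kubernetes/flux-system/sops-age-secret.yaml` and `*.agekey`. Drop the `.example` line, since a tracked template that is also listed in .gitignore only confuses the next reader.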
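Review bot: `path_regex: .*\.sops\.yaml` is anchored at neither end, so it also selects names such as `app.sops.yaml.bak` or `secret.sops.yaml.orig`, and because sops only consults the `.sops.yaml` found walking up from the file being encrypted, this rule governs nothing outside `kubernetes/dev`; anchor it as `path_regex: \.sops\.ya?ml$` and confirm that every directory holding Secrets has a reachable rule. Only a single age recipient is listed, which means every file encrypted under this rule is readable by exactly one private key — if that is the key held in the cluster, an operator cannot re-encrypt or rotate without pulling it back out of the cluster, and losing it loses every secret. Consider adding an operator or break-glass recipient (comma-separated in the `age:` value) and a comment above it stating whose key it is, e.g. `# public half of the flux-system/sops-age cluster key`.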
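Review bot: Nothing in the added `decryption` stanza tells a reader that `sops-age` is created out of band and is deliberately absent from git, which is the first thing anyone debugging a failed reconcile will look for; add a comment above `decryption:` such as `# sops-age is created manually in flux-system (see sops-age-secret.yaml.example) and must never be committed`. Since this is the root flux-system Kustomization, every manifest it reconciles is decrypted with that one key, and anyone able to read Secrets in flux-system can recover the private key and decrypt every SOPS file in the repository, so RBAC on that namespace is worth tightening; any tenant Kustomizations reconciled separately will presumably need their own `decryption` block and a copy of the key in their namespace. The Kustomization `spec` begins before this hunk.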
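Review bot: The command in the header comment ends at `--from-file=age.agekey=` with no path, so copied as-is it fails; unless the path was lost in rendering, it should read `# kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=./age.agekey` (the file written by `age-keygen -o age.agekey`). The manifest body underneath invites the riskier route — copying this file and pasting the private key into `stringData` — which leaves the plaintext key in a working tree this commit does not ignore, plus in editor swap files and shell history. I would say that outright in the comment, e.g. `# Prefer the kubectl command above; never write the real key into a YAML file in this repository`.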