diff --git a/archrepo/.sops.yaml b/archrepo/.sops.yaml
new file mode 100644
index 0000000..2fc872c
--- /dev/null
+++ b/archrepo/.sops.yaml
@@ -0,0 +1,4 @@
+creation_rules:
+  - path_regex: '.*.yaml'
+    encrypted_regex: '^(data|stringData)$'
+    pgp: A638A6B54530D54E868F9D3238736C662F799E0D
diff --git a/archrepo/kustomization.yaml b/archrepo/kustomization.yaml
index 9ff41cf..4b3896c 100644
--- a/archrepo/kustomization.yaml
+++ b/archrepo/kustomization.yaml
@@ -11,6 +11,7 @@ resources:
   - deploy.archrepo.yaml
   - svc.archrepo.yaml
   - ing.archrepo.yaml
+  - secret.yaml
 
 configMapGenerator:
   - name: archrepo-config
diff --git a/archrepo/secret.yaml b/archrepo/secret.yaml
new file mode 100644
index 0000000..496ecec
--- /dev/null
+++ b/archrepo/secret.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+    name: archrepo-secret
+data:
+    MINIO_ACCESSKEY: ENC[AES256_GCM,data:HohNXazNex0=,iv:7Bihixq62Ear9vAQTi7GXt20FVDO5q/kP43tTJJ0DoY=,tag:NLWxDWNJobFYHXEvdH3HsA==,type:str]
+    MINIO_SECRETKEY: ENC[AES256_GCM,data:7IzOVifmba1gLJ5TDS+YzWO3donWSo4bXIA9KdKyohc=,iv:2dkoHDohtZFqdEMveJydoF1xDvS/vG9ZAH6I5IOwctU=,tag:HMeYjveFkBI1JiapNl7JFA==,type:str]
+sops:
+    lastmodified: "2025-07-30T07:04:07Z"
+    mac: ENC[AES256_GCM,data:06NDrBI6zC34NwsdsSY59fea9jHqYlBTl4u/TvNAvb3XeE4Ce3RW7ExKCQ4AJiX6S5OJzGHeLIkJNfvwikTwlBzHAeNh+AFiYafykFlgNoVx/8rTCWUmCMIVj/MTTks/i1+NfaJyyc37CAjDtYrRhNh/TBfi6BYbECK8fu3g1oc=,iv:uz6Y81c8wV2hv4U93lJjfBEmocaOCOkemXzaVvUIYhg=,tag:z+JE4O0XuDpJT4Qlq654ng==,type:str]
+    pgp:
+        - created_at: "2025-07-30T07:04:07Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA+nT7MSlwYOAAQ/8C66KpJoBcapNJaWi4/gjWR+IcugdAXAjWxU8Cjf4nu9t
+            uuWudV4J4hW/3pRWXxLV3MIbKwk6uA8Hg1ol1s1igx/epjdkHAK0IdWG51WSxkRG
+            dAJThIyoL1bnbnK12XIB/yNXb5StwHzD3KVq4Az9PpBAsTJSKKrvfEM3d5oVL3jr
+            sRIN4p0lA4vq1ED0VPZUGjHWQPEYBa+tAaQPdfLSM91dvklkWw3+gybH6mj4XD0m
+            +AcycOAkgmtwq2FB9C3rYYpOhz6CfdX8+Wz5yRRTQ0akJR/8tC5Naj6SACc9dabo
+            CQ/4EKyjNP2XKVmKc75qVrgVMgPSzuVmnqQ7wOo9QPjUKkWeeeljcOS2cXH6J71m
+            tJJCWErTEZiVvzblgVMIb2I7DVQkEA5XFXXNEaoiA61taBbwY7O1ZAujTmwGYT3B
+            vQ6dzemJKBSAjtJWN/HrXn/+7hKoE69jK1v/UifWZ6BxCXmWllsD0btypEejzZbP
+            Kc7jjnULjcY/KYtDfDjSe2IG+2fbCvw/UhMDpqRFBrob6JsW59CrKsrMz2aX9e48
+            goUkZZRrdd5+Wd7Lv645ypjmBy9V46YfYjLxUrP5OifZT/GnGPJbbQ65EIrx9PVz
+            VtA+M2oHGJ2cyQRKWaHv4mdPjxNfvJvLNreMhVmrxIdVK4sdDCRXdqYDdXEKrEDS
+            XgGbbW1dU6RQ2t8XLgBLLorRV5Y3KIwdgi3z1E4eBO5k4gMqGV9cQx+/vV7l737O
+            fJ5XVAvlhDRX2jH+TF4SJ5oH2P76KdSGBMHO70sN5+lCrMoG7tQ5HLX0t5iO86g=
+            =+XmL
+            -----END PGP MESSAGE-----
+          fp: A638A6B54530D54E868F9D3238736C662F799E0D
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
diff --git a/flux-applications/archrepo.yaml b/flux-applications/archrepo.yaml
index 64830ef..6df92c2 100644
--- a/flux-applications/archrepo.yaml
+++ b/flux-applications/archrepo.yaml
@@ -12,3 +12,7 @@ spec:
   sourceRef:
     kind: GitRepository
     name: applications
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg