diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ad347c7
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &user_kenji age1cvy0fgxjn6mu0wsf9htuxmqp6mfx2f5dkmqj2kj6l46k9w8zxyfs6840tp
+ - &host_laptop age1sg27ryxp86hu55swryc6sggscan6upq7jw745lcah0djc920j9usvqcslu
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+ key_groups:
+ - age:
+ - *user_alice
+ - *host_laptop
diff --git a/system/security.nix b/system/security.nix
index 347b167..5e0118e 100644
--- a/system/security.nix
+++ b/system/security.nix
@@ -1,3 +1,7 @@
-{
+{pkgs, ...}: {
 security.pam.services.greetd.enableGnomeKeyring = true;
+ environment.systemPackages = with pkgs; [
+ sops
+ age
+ ];
 }
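Review bot: The recipient `*user_alice` in the `.sops.yaml` creation rule refers to an anchor that is never defined; the `keys:` list declares only `&user_kenji` and `&host_laptop`. An alias without a matching anchor is a YAML error, so sops will most likely refuse to load this configuration, and the user key is not a recipient for anything under `secrets/` either way. Change the line to `- *user_kenji`, then check on a newly encrypted file that both age recipients appear in its sops metadata. Separately, `path_regex` is anchored only at the end, so it also matches paths such as `other-secrets/x.yaml`; if only the top-level directory is meant, `^secrets/[^/]+\.(yaml|json|env|ini)$` would say so.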