diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,3 +1,7 @@
+# User-specific files
+.sops.yaml
+keyserver_secrets.json
+
 # Local .terraform directories
 **/.terraform/*
 
diff --git a/services/terraform/self-host/main.tf b/services/terraform/self-host/main.tf
--- a/services/terraform/self-host/main.tf
+++ b/services/terraform/self-host/main.tf
@@ -7,6 +7,16 @@
   }
 }
 
+provider "sops" {}
+
+data "sops_file" "keyserver_secrets_json" {
+  source_file = "keyserver_secrets.json"
+}
+
+locals {
+  secrets = jsondecode(data.sops_file.keyserver_secrets_json.raw)
+}
+
 provider "aws" {
   region = "us-east-2"
 
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -4,5 +4,10 @@
       source  = "hashicorp/aws"
       version = "~> 5.7.0"
     }
+
+    sops = {
+      source  = "carlpett/sops"
+      version = "0.7.2"
+    }
   }
 }