diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
index d9fafa2dc..a2332f22e 100644
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,35 +1,39 @@
+# User-specific files
+.sops.yaml
+keyserver_secrets.json
+
 # Local .terraform directories
 **/.terraform/*
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 .terraform.lock.hcl
 
 # Crash log files
 crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
diff --git a/services/terraform/self-host/main.tf b/services/terraform/self-host/main.tf
index 20746c93f..481c2e294 100644
--- a/services/terraform/self-host/main.tf
+++ b/services/terraform/self-host/main.tf
@@ -1,18 +1,28 @@
 terraform {
   backend "s3" {
     region  = "us-east-2"
     key     = "terraform.tfstate"
     bucket  = "self-host-keyserver-terraform"
     encrypt = true
   }
 }
 
+provider "sops" {}
+
+data "sops_file" "keyserver_secrets_json" {
+  source_file = "keyserver_secrets.json"
+}
+
+locals {
+  secrets = jsondecode(data.sops_file.keyserver_secrets_json.raw)
+}
+
 provider "aws" {
   region = "us-east-2"
 
   default_tags {
     tags = {
       managed_by = "terraform"
     }
   }
 }
diff --git a/services/terraform/self-host/providers.tf b/services/terraform/self-host/providers.tf
index 0b988a0be..5ec120ea0 100644
--- a/services/terraform/self-host/providers.tf
+++ b/services/terraform/self-host/providers.tf
@@ -1,8 +1,13 @@
 terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = "~> 5.7.0"
     }
+
+    sops = {
+      source  = "carlpett/sops"
+      version = "0.7.2"
+    }
   }
 }
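Review bot: The new `keyserver_secrets.json` entry ignores the very file that `main.tf` in this same change reads through `data "sops_file"`, so a fresh clone cannot run `terraform plan` or `apply` until the file is supplied out of band. A sops-encrypted file contains ciphertext plus key metadata and is normally committed; if the intent is to keep even the ciphertext out of the repository, a comment above the entry saying where the file comes from would spare the next operator a failed run, e.g. `# sops-encrypted; obtained out of band, see <runbook placeholder>`. Ignoring `.sops.yaml` has a similar cost, since it only holds the creation rules (key identifiers) that every operator would otherwise have to recreate by hand. The heading `# User-specific files` is also inaccurate for both entries; `# Secrets distributed out of band` would describe them better.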
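Review bot: The decrypted values in `local.secrets` are persisted in plaintext in the Terraform state, so anyone who can read the `self-host-keyserver-terraform` bucket effectively holds the keyserver secrets; `encrypt = true` on the backend only covers encryption at rest and does not change that. A comment on the new `locals` block stating this, e.g. `# Decrypted secrets land in state; restrict read access to the state bucket accordingly`, would make the trust boundary explicit for whoever manages the bucket policy. `source_file = "keyserver_secrets.json"` is resolved against Terraform's working directory; `source_file = "${path.module}/keyserver_secrets.json"` states the intent and keeps working if this configuration is ever consumed as a child module. If the provider does not already flag `raw` as sensitive, wrapping the decode as `secrets = sensitive(jsondecode(data.sops_file.keyserver_secrets_json.raw))` keeps the values out of plan output.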
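Review bot: `version = "0.7.2"` is an exact pin while the adjacent `aws` entry uses `~> 5.7.0`, and the inconsistency is worth a one-line comment on the `sops` entry explaining why this provider is pinned differently. The pin matters more than usual here because `.terraform.lock.hcl` is git-ignored by the `.gitignore` in this change, so the new third-party provider's checksums are never recorded and each `terraform init` re-fetches `carlpett/sops` and trusts whatever the registry serves. Committing the lock file would record the provider hashes so a later init fails on a substituted artifact instead of accepting it silently. If the lock file must stay ignored, the comment should say so, e.g. `# exact pin: lock file is not committed, so this is the only version control on this provider`.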