diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..b9f5107
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+deploy.key filter=git-crypt diff=git-crypt
diff --git a/.secretsignore b/.secretsignore
new file mode 100644
index 0000000..a8de54c
--- /dev/null
+++ b/.secretsignore
@@ -0,0 +1 @@
+deploy.key
diff --git a/bootstrap.sh b/bootstrap.sh
index 8888375..aee3314 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -124,5 +124,9 @@ cilium-cli status --wait
 # cilium-cli connectivity test --namespace-labels pod-security.kubernetes.io/enforce=privileged
 
 echo "Bootstrapping flux..."
-flux bootstrap git --url ssh://git@huizinga.dev/infra/foundation --branch=main --path=clusters/${cluster_name} \
+flux bootstrap git \
+	--url ssh://git@huizinga.dev/infra/foundation \
+	--branch=main \
+	--private-key-file=clusters/${cluster_name}/deploy.key -s \
+	--path=clusters/${cluster_name} \
 	--components-extra=source-watcher
diff --git a/clusters/testing/deploy.key b/clusters/testing/deploy.key
new file mode 100644
index 0000000..9896085
Binary files /dev/null and b/clusters/testing/deploy.key differ
diff --git a/clusters/testing/deploy.key.pub b/clusters/testing/deploy.key.pub
new file mode 100644
index 0000000..759f8dd
--- /dev/null
+++ b/clusters/testing/deploy.key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK59NC6hLyDf+9zeOQ0stZeay51UyUpoBgONh0xxJFIlgra5ojyhrrQVlfjcUqdLe5yijWU1nCxKpaFGDPMdNE4= flux@testing