diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..2339928
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.key filter=git-crypt diff=git-crypt
diff --git a/.secretsignore b/.secretsignore
new file mode 100644
index 0000000..421b2d2
--- /dev/null
+++ b/.secretsignore
@@ -0,0 +1 @@
+keys/*.key
diff --git a/bootstrap.sh b/bootstrap.sh
index 8888375..20aacdc 100755
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -124,5 +124,9 @@ cilium-cli status --wait
 # cilium-cli connectivity test --namespace-labels pod-security.kubernetes.io/enforce=privileged
 
 echo "Bootstrapping flux..."
-flux bootstrap git --url ssh://git@huizinga.dev/infra/foundation --branch=main --path=clusters/${cluster_name} \
+flux bootstrap git \
+	--url ssh://git@huizinga.dev/infra/foundation \
+	--branch=main \
+	--private-key-file=keys/${cluster_name}.key
+	--path=clusters/${cluster_name} \
 	--components-extra=source-watcher
diff --git a/keys/testing.key b/keys/testing.key
new file mode 100644
index 0000000..df91f5c
Binary files /dev/null and b/keys/testing.key differ
diff --git a/keys/testing.key.pub b/keys/testing.key.pub
new file mode 100644
index 0000000..8a6637f
--- /dev/null
+++ b/keys/testing.key.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJIjhlQCqpq97CQcM6hDThGBgt/jSqnvN9billcvouuNSyaKqZRdUFWxbauruXmVd5okuwjocyxU4FTuTtFyC5w= flux@testing