diff --git a/controllers/longhorn/base/values.yaml b/controllers/longhorn/base/values.yaml
index ed4869e..4a01a21 100644
--- a/controllers/longhorn/base/values.yaml
+++ b/controllers/longhorn/base/values.yaml
@@ -8,3 +8,6 @@ defaultSettings:
 storageOverProvisioningPercentage: 25
 persistence:
 defaultDataLocality: best-effort
+defaultBackupStore:
+ backupTarget: s3://longhorn-backup@garage/
+ backupTargetCredentialSecret: s3-garage
diff --git a/controllers/longhorn/longhorn.yaml b/controllers/longhorn/longhorn.yaml
index 1b7a058..d4399ce 100644
--- a/controllers/longhorn/longhorn.yaml
+++ b/controllers/longhorn/longhorn.yaml
@@ -10,6 +10,10 @@ spec:
 sourceRef:
 kind: ExternalArtifact
 name: longhorn
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-gpg
 path: ./${cluster_env}
 prune: true
 wait: true
diff --git a/controllers/longhorn/staging/kustomization.yaml b/controllers/longhorn/staging/kustomization.yaml
index 75f1377..36d53a7 100644
--- a/controllers/longhorn/staging/kustomization.yaml
+++ b/controllers/longhorn/staging/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../base
+ - secret-s3-garage.yaml
 configMapGenerator:
 - name: values-overlay
diff --git a/controllers/longhorn/staging/secret-s3-garage.yaml b/controllers/longhorn/staging/secret-s3-garage.yaml
new file mode 100644
index 0000000..0e09add
--- /dev/null
+++ b/controllers/longhorn/staging/secret-s3-garage.yaml
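Review bot: In `controllers/longhorn/base/values.yaml` the new `defaultBackupStore` block sits in the base values, but the `s3-garage` Secret it names is added only under `staging/` in this commit. Any other `${cluster_env}` overlay that inherits these base values would point Longhorn at a credential Secret that is missing there, unless it is created somewhere not visible in this diff. Either move the two keys into the staging `values-overlay`, or add a comment above them such as `# requires Secret longhorn-system/s3-garage in every overlay that uses base`.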
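Review bot: In `controllers/longhorn/longhorn.yaml` the added `decryption.secretRef.name: sops-gpg` refers to a Secret that this commit does not create, so reconciliation depends on it already existing in the Kustomization's namespace. The `metadata` block and the rest of `spec` are outside the hunk, so that namespace cannot be checked here. The staging secret is wrapped for one PGP fingerprint and two age recipients, and `sops-gpg` presumably carries the private key for the PGP one. A comment above `decryption:` would make that dependency explicit: `# sops-gpg must hold the private key for fp CD17A34CBFB21DE9A73D47EB76BDEC4E165D8AD9`.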
@@ -0,0 +1,56 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-garage + namespace: longhorn-system +type: Opaque +stringData: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:3oYxQTaBOkHPkkKMsVmGIKvHM02eVQ1fGV0=,iv:1FSjF8Bp2zHPGmDAEhZASCPaFoedAwHRqXzl4OU72fo=,tag:2WsTb9Ieo6FoLdo7dP5H9A==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:aRsUlUtywf2Vk6bqAHM+UT5YHdArA0PZjhqtz4w4ndDe66HM481aSnoVfVe4b726K24Y71dWc9+gOd0Vpezq7w==,iv:wpptPLFMjy+AN3+lEcgtKxepSn5K0Jj+y2qJcX6UMiM=,tag:ZA4kMti6OYoINahmqoAG/Q==,type:str] + AWS_ENDPOINTS: ENC[AES256_GCM,data:2iB2cf1E4ucxJEDGRpe2wiX9yMCZA1A=,iv:c+izWJ+i7lHybZlU9yKS5Q+Zj9lOGysCbewz9iRud3M=,tag:UX4zr9dguSAUBqm1xJnNJQ==,type:str] + AWS_DEFAULT_REGION: ENC[AES256_GCM,data:x8oa5+m6,iv:w7Ko7PithIEtO6UoW063hxpqcctD4kBw3dCGKYlmQxU=,tag:HskDJefMh4EGKVp8gf9eCw==,type:str] +sops: + age: + - recipient: age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cmd2NkxFOVB0a1R3MHVN + RWRwbFVVaHF6Mlo4UElIZ1ROd1pyV1czSEYwCmFQMGM3Nkw0U0hzcWdyQVpnZTZL + eFNLWW5iNWpZVU9BQm9KakV4dEJzaGsKLS0tIGZ0ajdRZjZIUnNRSElzeENYRG4r + eUJHQVAzeWJSUDZTYy8zbTJIQ3pscjAKERe7k/VVNqMhqe2rLLRA9dO71bjieffX + YMIzJ0/UNMo2el4bcefwRnqwl0oyPG+pMXZ3F6UXyEoZw3ZIc4Nzvg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhakxrQ1Zrd3FRekZwZkU4 + MVBpdloxeTJWQm1GZjA4M2NFVk1IYWtrTG1RCnpaRGh1WDZ4dCtzeFhkK1YzczYz + dmFNSWQ1bXgwQjJ1VlkrQnFhMXJ3bGcKLS0tIDhpcWx0MklNazJ0SjUzRmlyV0Er + K09tZGI0Z2w0eXh5eHcvcEttMy82aU0K2fnCDfYIShzw2Zipof+C8zf9pcOmiDg9 + 2SCiIfAJs9MB3n078P068z77KpvdlJYOi9pUTKSBhNw+mBI24y6X6A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-12-12T00:41:10Z" + mac: 
ENC[AES256_GCM,data:E+W48CwZ93xybhGkVtSWwmq/bQa2g+2dipLGc3We1TaSS60zaWjvElkHMJpYvOxyoxZ2W6ydb0O1r7oywdc4E2WgsN8PewMm6e0M8C9WSv0ok1ki4Tx5iE3S+xOnmIb9xY8FlsyuZZ1mfAn+TyP4CrBdA0qe+bOK4oxHOz3Pk/Y=,iv:x/twUW0xmPkLe1wHNxSKsf2VdVHGPMPptS/ak7Bl3YQ=,tag:ys82SWDfkrm+idEuF9z8oA==,type:str] + pgp: + - created_at: "2025-12-11T23:56:15Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA51kG++kLewoARAA2+TLPMKYQFUjyuER+HZgY5Zl4qcF94sYcZuTdcvl/Pam + l//PcgU80DLb/3IZ1K12EYyuZ+QVdJxmUQt1OvBUWv2p0/5mU7zbkxc8YJ/vc46b + yMX7mmDnzuyU2Lss0hUl5dDDk3pdC4SgjrBz15g9TvS2jOWDTOwKCb1DEghfzB07 + /9Yfj6Rfds2gqsUgfyxVCzHXzC0SNpuqqPLmnzNmjYiQGNFOCOdyxP6c2ehCI6Bq + Lu38n6rjTj2QWJZvtr57a2IVqmFVcD9wcy7ITUk8u9+ncYemLmx1LTQKD6n0WDHm + DwjRjziqdJRpHo70Q6TUanFppqTB2q1CReS4yk9sc3CINq9fRJrKtOeJxW8x81yZ + o3X++3gYbsRIrApVAFECJyKA4H6eK1gp4djNV7K0MmbQcR/7wSqaYrE6vTPml7jG + Ribd7eGvF2FnH5P/z3ckh6HH2Ln+i+iVy+ZeY+lgWuIrVNDWwR8mDH8AkjXuGTu4 + K6ra+kCna6v7CAKwlGd31rk9i0CTNTqyHEQeqYuto/HTEC0Jj/lRyFPq+KuuvoAq + vxQlmP6VnYR0gTfkneBAny4neu3zrbYMuIMWoA9pAhZBNOLPuPXZtUwhAStHBS1V + Sdc6AI9CXSPFIP2WDn6iwjwXElkG5+iYyngf3tXrJUVXs0SQeFH05j3r5zVNT0zS + XgFAiWuLAOyWWvP+Jlre5dgKnbiaSs3wIVL9Qw9MuHIWdlXmTyuQ5SQKErQLSQ2j + b5ogtCcgcbVd+OsZCHWQbPtLI2yk/n0afA9D6cRvLHbNZGrWRZjdTYUHU2Drp0w= + =/yAN + -----END PGP MESSAGE----- + fp: CD17A34CBFB21DE9A73D47EB76BDEC4E165D8AD9 + encrypted_regex: ^(data|stringData)$ + version: 3.11.0
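Review bot: The `sops` metadata in `controllers/longhorn/staging/secret-s3-garage.yaml` wraps the data key for three independent recipients (two `age` keys and the PGP `fp`), and any single one of them can decrypt the S3 credentials. The Flux Kustomization references only `sops-gpg`, so the two age recipients look like operator keys. That ownership should be recorded, for example in a `.sops.yaml` creation rule covering `controllers/longhorn/` (none is visible in this diff), so that later re-encryption keeps the same recipient set and a retired key is removed deliberately. Because the values are encrypted, the credential's scope cannot be reviewed here. It is worth confirming out of band that the Garage access key is limited to the `longhorn-backup` bucket.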