diff --git a/.gitattributes b/.gitattributes
index dfe0770..a69f8f1 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,5 @@
 # Auto detect text files and perform LF normalization
 * text=auto
+
+# git-crypt
+secrets.nix filter=git-crypt diff=git-crypt
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 8ef3832..9dab74a 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,16 +1,25 @@
 {
- "explorer.fileNesting.patterns": {
- ".gitignore": ".gitattributes, .envrc, readme",
- "flake.nix": "flake.lock, shell.nix, checks.nix"
- },
 "editor.formatOnSave": true,
 "editor.formatOnSaveMode": "file",
+ "explorer.fileNesting.patterns": {
+ ".gitignore": ".gitattributes, .envrc, readme",
+ "flake.nix": "flake.lock, shell.nix, secrets.nix"
+ },
+ "files.exclude": {
+ ".git-crypt": true
+ },
 "terminal.integrated.defaultProfile.linux": "fish-fhs",
 "terminal.integrated.profiles.linux": {
- // ...
 "fish-fhs": {
- "path": "systemd-run",
- "args": ["--user", "--pty", "--quiet", "--same-dir", "--service-type=exec", "fish"]
+ "args": [
+ "--user",
+ "--pty",
+ "--quiet",
+ "--same-dir",
+ "--service-type=exec",
+ "fish"
+ ],
+ "path": "systemd-run"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/hosts/common/core/default.nix b/hosts/common/core/default.nix
index daf9447..6c8045f 100644
--- a/hosts/common/core/default.nix
+++ b/hosts/common/core/default.nix
@@ -21,6 +21,9 @@
 # System-wide packages, in case we log in as root
 environment.systemPackages = with pkgs; [
 curl
+ git
+ git-crypt
+ gpg-tui
 micro
 openssh
 ranger
diff --git a/hosts/common/core/gnupg.nix b/hosts/common/core/gnupg.nix
new file mode 100644
index 0000000..230739a
--- /dev/null
+++ b/hosts/common/core/gnupg.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ # GnuPG
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryPackage = pkgs.pinentry-gnome3;
+ };
+ services.pcscd.enable = true;
+}
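Review bot: The `secrets.nix filter=git-crypt diff=git-crypt` rule added to `.gitattributes` encrypts the file only inside Git objects; an unlocked working tree holds plaintext, and if the flake imports or evaluates `secrets.nix` (not shown in this diff) its values would presumably be copied into the world-readable `/nix/store`. The bare `# git-crypt` comment could record that limit, for example `# git-crypt: encrypted in Git only; anything Nix reads from it lands in /nix/store`. It is also worth confirming with `git-crypt status` that the committed blob is encrypted, since the rule has no effect on a file staged before the filter was active.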
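Review bot: The rewritten `.vscode/settings.json` ends without a trailing newline (`\ No newline at end of file` after the final `+}`); restoring it keeps later diffs of this file limited to real changes. The `flake.nix` nesting pattern also drops `checks.nix` while adding `secrets.nix`, which nothing in the visible hunks explains; if that file still exists, `"flake.nix": "flake.lock, shell.nix, checks.nix, secrets.nix"` keeps it nested. The new `files.exclude` entry only hides `.git-crypt` from the explorer view and is not an access control, which a reader of the settings might otherwise assume.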
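Review bot: `services.pcscd.enable = true;` in the new `hosts/common/core/gnupg.nix` turns on the smart-card daemon for every host that pulls in the core module, and the only comment in the file is `# GnuPG`. If it is there for a hardware token (an assumption, the diff does not say), a comment such as `# pcscd: smart-card access for a GnuPG hardware token` would record that, and hosts without a token could leave the service off. `pinentryPackage = pkgs.pinentry-gnome3;` likewise assumes a graphical session, so confirm that passphrase prompts still work on any headless host that imports core. None of the visible hunks adds this file to an `imports` list, so check that it is actually loaded.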
diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..9dbfd1b Binary files /dev/null and b/secrets.nix differ diff --git a/shell.nix b/shell.nix index c608401..5b8b236 100644 --- a/shell.nix +++ b/shell.nix @@ -34,6 +34,9 @@ in # Git for repo management git + git-crypt + gnupg + gpg-tui # Shells fish