diff --git a/keys/zimbatm.asc b/keys/zimbatm.asc
new file mode 100644
index 0000000..b9525fe
--- /dev/null
+++ b/keys/zimbatm.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFc+BfYBCACtWxj0q16ScUA+ebozKq36MSKAeAMf6RcNyINtC3Z5fzh3kZ3b
+g7VS8gEuMXm1/Kx9BksjUfC8/F+ZzoQoUdel5XaBA/8YCwabj9yNT/W+gQuVGB3Z
+MpmhSs08YnEmVjQy2pUEBUWq7q1k8W04q/fyOsAWTWNwGh3UU25twROomX2RYATB
+dRYJgnH02FVMxMBx9qpIVkskmUBKlLRkZ+XGL8ctlfsTSjFj2Q9UNdcqnLwKodDy
+kZFfyX7OQaYnCeor/6HlGIBAmNW5GiLCBYR5wYFCb77EYcuo9eildyfwoHHBG9Tz
+GH60a5KjIP4Mo7PBLlLP35irBffZDui1rRiZABEBAAG0HXppbWJhdG0gPHppbWJh
+dG1AemltYmF0bS5jb20+iQE3BBMBCgAhBQJXPgX2AhsDBQsJCAcDBRUKCQgLBRYC
+AwEAAh4BAheAAAoJEHG69tQMHWPX1P4H/3HBMc+vuseIx0mt2wIuu4Ccvj8UdfyL
+rFMmEMBL0BDRXJPPUL0+GsalCKwTeVjNY5ZxJ0upKGeODUgE8N7tBHGwJ7PJK0XM
+OXNDa41Q7Ev7Pb41ZZrt/vE0fsRLvUupJip4GeFSV18VqFpTjev/y9tREiugpmSR
+JyFVI5Q5awO1zEnZyGro1wuzQ3DJ7lOaflu3xG4Qryv4gzoAN1YoMcQtJXdZBWTo
+tTIxSa07P4FbNI+B9nRvQNq1BzTQPc3uTN+/2Q49GrXoSe3FsV2BhkLPCbgRds4v
+zoXdCCDKNbspJEYOfPH6QobupO5S45WnIDGBjgx0GeQ4My9DBCoSzcS5AQ0EVz4F
+9gEIAMoE30ESB0hV+v/V5MOdlOWXQf6W/O/z2R0zJh/WLqzhYGy8C6Nqb4d2PYYd
+3qyUCHj2GgqxBgNRjGlJbO1ctlSueYBqpiFzFNVr5WlyFxNSg8LRZ2vPIYwsUQ/G
+IXns3TJnLypxXl+v2vnzNa6RqB0zXv4RleRNYW2Z/CD8die8jd+XH19Pf2gR3s4I
+Y2rV81YWi2hvyERP694aK89BVTQRCutm4gHtpBc3mX0FB2+lq1HwZ5jVZ5ZRwL28
+Ty1MnHkyxmIjQv67mv07fXEUQ08Fp1jFQfamvVzF2GLCg5e7SUqGUVUD4quVAqQX
+KkwsqwP/viA9eYOASo0waUbYuJUAEQEAAYkBHwQYAQoACQUCVz4F9gIbDAAKCRBx
+uvbUDB1j1yduB/9RzZpAWGdqqmQyDLH7fxUt+RnYMmSWswRvrP1O8WMA3dDO65xP
+m2wCweZyOmQJ4BNMVh8JA0JWrkVYBbuRiHZKNaKQygmRISR5379h+y1Zc4BctHZ7
+6OyjNnLwt4bQMwncr8/wLB+JwTrMB6Q9GMFieTJiak3QKbVkcaNpy2Q718CeCwUs
+ZVgmMWZENii0mHVzACLyM0GEsY/ZGeLT73en2QDCEYN32ad/3BGBqjmETBy26bg8
+LIRiLEAWFYJdDxFBUoIAZHdlxqkI0+yaqxTupgOK0brSO0sYldGd6lmMIr1t461y
+20wJIM3Im6Ozov71dec221hD5XLPNYde/uFK
+=zyun
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/shell.nix b/shell.nix
index 9f95e0d..0e3956d 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,20 +1,26 @@
 { system ? builtins.currentSystem }:
 let
+  sources = import ./nix/sources.nix;
   pkgs = import ./nix { inherit system; };
 in
 pkgs.mkShell {
-
   NIX_PATH = "nixpkgs=${toString pkgs.path}";
 
   NIXOPS_DEPLOYMENT = "nix-community-infra";
   NIXOPS_STATE = toString ./state/deployment-state.nixops;
 
+  sopsPGPKeyDirs = [
+    "./keys"
+  ];
+
   buildInputs = with pkgs.nix-community-infra; [
     git-crypt
     niv
     nixopsUnstable
     terraform
     sops
+
+    (pkgs.callPackage sources.sops-nix {}).sops-import-keys-hook
   ];
 
   # terraform cloud without the remote execution part