diff --git a/infrastructure/bitwarden/.sops.yaml b/infrastructure/bitwarden/.sops.yaml
new file mode 100644
index 0000000..6ab5309
--- /dev/null
+++ b/infrastructure/bitwarden/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+  - path_regex: '.*\.yaml$'
+    age: age15hfu6avfx8egwkhydm6yst3arep70sklrh7eah05wslud3v90vyqrpph4j
diff --git a/infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml b/infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml
new file mode 100644
index 0000000..134284c
--- /dev/null
+++ b/infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml
@@ -0,0 +1,23 @@
+apiVersion: ENC[AES256_GCM,data:cV4=,iv:3OtaIVTcK9z/quPbn6HImXKhNpXpuFC7Bbg0Wq+y01g=,tag:AjwuomF5EpVnV0bL0vHL9g==,type:str]
+kind: ENC[AES256_GCM,data:qwfosMrY,iv:Qq43cbPJhuKtgGT+xVy8AnkPmnR+0Rws/OHMgXsJF4I=,tag:lP7trYh0dwcveZ+Dkmrr9g==,type:str]
+metadata:
+    name: ENC[AES256_GCM,data:8hnnXCRWaSZEz5WdO5v4ePvnllld9w==,iv:7lfFOtsuu339GsdaK3G7PCt3JWNiWVXEpQRybQ3/6/4=,tag:A5Qfd2DWeF0/dIUw27lNbA==,type:str]
+    namespace: ENC[AES256_GCM,data:/iGoNkvHqqo=,iv:B+UBbibL3jSs0FQAWpd3o4MAT/dUqWIxhHfD9lWa3CU=,tag:4VbHdFjfEnEsBL0AIeBMKQ==,type:str]
+type: ENC[AES256_GCM,data:lIrMCZ3H,iv:38vUEv36MvY8wbd6bgYf9VFISg5rvo/dwTU+qjpGl6M=,tag:sajpKEp6eKTaqis7BnEI1w==,type:str]
+stringData:
+    token: ENC[AES256_GCM,data:/yDlUYTQeOZOWAmcTtK+spSecAPOVvIzinvC+Ua0TmwfxblfZT82Mds4IUCtcKZ6nKrQF/tGBUs+8ClMY6wwpF+xvXlyyXKmDcoobGzlgDrfTLiT+p8WbHeIa2o16g==,iv:DxFbBMHTGZ/EJf9JiYjVB8/CNQlvGm2xovixwPHQ6bE=,tag:4anJ4sj1uWlJpQ8+XOsagg==,type:str]
+sops:
+    age:
+        - recipient: age15hfu6avfx8egwkhydm6yst3arep70sklrh7eah05wslud3v90vyqrpph4j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKYjhoQlNtaUQrUE1LWkox
+            eTN2TWF3S1Q1MFloQVYwZ2RGd2JkVUFDRlI4CmRwNUVkTzJiMHFod1hVQmdqTnhT
+            RHVUNzVQdXJZUUtFckdnN3VTVGd1MmsKLS0tIFp1bytjY1VrKzR2Y1dhNC9IVlZ6
+            RHRzMnpHS1NhZzRTQm5nUGJGNFduVXMKeDjAzFWdvQa2NkBNaQINz15aI+hoazrt
+            tSsB5xJSUUIaSqrvGGeHfAoXK1SKF1S9euXrjC7MLMT7cBo6n43IQA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-17T07:35:51Z"
+    mac: ENC[AES256_GCM,data:aV5uFVVrFHNuHM44b2qza7JV7HzLxp7VI7mUI9D1YyPifddgArenjkRB4eRqgh+L3UgE4dtwKbswlf4FFpPqCouv/vZfsKPRzZyBOmLkTIRlJGlHSTXs32JA3a49EIDT6JbQxl2IzL77Xpsojnt5rkyzG6Ix/mUlVk3oJ6Yj4Is=,iv:IwiwmioSNB4FthbkFwske/+mircQMHj0TSlzXOFZ1/A=,tag:vHprkU6wfoa7MtOFMGbGDA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
diff --git a/infrastructure/bitwarden/helmrelease.yaml b/infrastructure/bitwarden/helmrelease.yaml
index c0bff94..2234d1b 100644
--- a/infrastructure/bitwarden/helmrelease.yaml
+++ b/infrastructure/bitwarden/helmrelease.yaml
@@ -1,8 +1,8 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
-***REMOVED***
+metadata:
   name: bitwarden-secrets-manager
-***REMOVED***
+  namespace: security
 spec:
   interval: 15m
   chart:
@@ -17,4 +17,4 @@ spec:
     createNamespace: true
   values:
     # keep minimal to start
-    replicaCount: 1
\ No newline at end of file
+    replicaCount: 1