diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..591fe913
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,4 @@
+- repo: https://github.com/onedr0p/sops-pre-commit
+  rev: v2.1.0
+  hooks:
+    - id: forbid-secrets
diff --git a/kube/.sops.yaml b/kube/.sops.yaml
index 0511ad6a..bfdb0155 100644
--- a/kube/.sops.yaml
+++ b/kube/.sops.yaml
@@ -1,6 +1,6 @@
 creation_rules:
   - path_regex: .*.yaml
-    encrypted_regex: ^(data|stringData)$
+    encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
     age: >-
       age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
     pgp: >-