diff --git a/.taskfiles/sops/Taskfile.yaml b/.taskfiles/sops/Taskfile.yaml
new file mode 100644
index 0000000..3c1ef8a
--- /dev/null
+++ b/.taskfiles/sops/Taskfile.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+tasks:
+  re-encrypt:
+    desc: Decrypt and re-encrypt all sops secrets
+    silent: true
+    dir: "{{.USER_WORKING_DIR}}"
+    vars:
+      SECRET_FILES:
+        sh: find . -type f -name '*.sops.yaml' ! -name ".sops.yaml"
+    cmds:
+      - for: { var: SECRET_FILES }
+        cmd: |
+          echo "Re-encrypting {{ .ITEM }}"
+          sops --decrypt --in-place "{{ .ITEM }}"
+          sops --encrypt --in-place "{{ .ITEM }}"
diff --git a/Taskfile.yaml b/Taskfile.yaml
new file mode 100644
index 0000000..8c09c3f
--- /dev/null
+++ b/Taskfile.yaml
@@ -0,0 +1,14 @@
+---
+# go-task runner file - rest of config in .taskfiles/**.*.yaml
+version: "3"
+
+includes:
+  sops:
+    taskfile: ".taskfiles/sops"
+    dir: .taskfiles/sops
+
+tasks:
+  default:
+    silent: true
+    cmds:
+      - task -l
\ No newline at end of file