diff --git a/terraform/common.nix b/terraform/common.nix
new file mode 100644
index 0000000..0e8b0be
--- /dev/null
+++ b/terraform/common.nix
@@ -0,0 +1,7 @@
+{
+ # Until we get some kind of KMS operational, store secrets in the state file.
+ terraform.required_providers.secret = {
+ version = "~> 1.2.1";
+ source = "numtide/secret";
+ };
+}
diff --git a/terraform/default.nix b/terraform/default.nix
index 0c5eb87..222d3bc 100644
--- a/terraform/default.nix
+++ b/terraform/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./common.nix
 ./hydra.nix
 ./state.nix
 ];
diff --git a/terraform/hydra.nix b/terraform/hydra.nix
index 6eb5d77..ee2fa77 100644
--- a/terraform/hydra.nix
+++ b/terraform/hydra.nix
@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
- inherit (lib) mkEnableOption mkIf types mkOption;
+ inherit (lib) mkEnableOption mkIf types mkOption tf;
 cfg = config.bagel.hydra;
 in
 {
@@ -14,9 +14,12 @@ in
 source = "DeterminateSystems/hydra";
 };
 
+ resource.secret_resource.hydra_password.lifecycle.prevent_destroy = true;
+
 provider.hydra = {
 host = "https://hydra.bagel.delroth.net";
- # username/password are provided via HYDRA_USERNAME/HYDRA_PASSWORD
+ username = "terraform";
+ password = tf.ref "resource.secret_resource.hydra_password.value";
 };
 
 resource.hydra_project.forkos = {
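Review bot: The comment in the new common.nix acknowledges that secrets land in the state file but does not state the operational consequence, which is the part a future maintainer needs: anyone who can read the state (backend storage, `terraform state pull`, CI logs that dump it) now holds live credentials, so the backend configured in state.nix (not visible here) has to be access-restricted and encrypted at rest, and state must never be committed. I would expand the comment to `# Until we get some kind of KMS operational, secrets are generated by the numtide/secret provider and persisted in plaintext in the Terraform state. The state backend must therefore be access-restricted and encrypted at rest, and state output treated as a credential dump.` It may also be worth noting that the comment is a TODO with no tracking reference, so a ticket or owner for the "KMS" follow-up would help it not become permanent.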
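Review bot: Nothing in the hydra.nix hunk sets the generated `hydra_password` value on the Hydra side, so the `terraform` user presumably has to be created or updated out-of-band with the value from state before `provider.hydra` can authenticate; that bootstrap step should be documented next to the resource, e.g. `# The 'terraform' Hydra user must be created by hand with the value shown by 'terraform state show secret_resource.hydra_password'.` The generated value will also appear in `terraform plan`/`show` output unless the provider marks `value` as sensitive, which this diff does not show — worth confirming before this runs in a CI job that prints plans. `prevent_destroy` stops accidental removal but gives no rotation path; a one-line comment on how to rotate (replace the resource, then update the Hydra user) would complete the picture. The enclosing attribute set continues outside the hunk.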