diff --git a/docs/onboarding.md b/docs/onboarding.md
new file mode 100644
index 0000000..09f0ba4
--- /dev/null
+++ b/docs/onboarding.md
@@ -0,0 +1,17 @@
+# sops
+
+Add the user to the list of PGP keys in `.sops.yaml`. Run:
+
+```sh
+find . -name '*.enc.*' -exec sops updatekeys {} \;
+```
+
+# Keycloak
+
+Once authenticated to Keycloak (the password is encrypted in the Keycloak
+configuration kustomization), switch from the Master realm to the realm you
+wish to add a user to. From there, navigate to Users and select "Add user".
+Select a combination of options to be performed upon login, such as "Update
+Password" if setting up a user that is not yourself. Enter any necessary
+information and select "Create". A temporary password can be generated by using
+`pwgen -s 24 1`.