diff --git a/.gitignore b/.gitignore
index 106fe69..a06a94d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,7 @@
 /app/assets/builds/*
 !/app/assets/builds/.keep
 /.idea
+
+# Ignore key files for decrypting credentials and more.
+/config/credentials/*.key
+
diff --git a/.kamal/secrets b/.kamal/secrets
index 102dabd..f2c1e27 100644
--- a/.kamal/secrets
+++ b/.kamal/secrets
@@ -16,8 +16,9 @@
 # Grab the registry password from ENV
 # KAMAL_REGISTRY_PASSWORD=$KAMAL_REGISTRY_PASSWORD
 
-# Improve security by using a password manager. Never check config/master.key into git!
-RAILS_MASTER_KEY=$(cat config/master.key)
+# Decrypts config/credentials/production.yml.enc. Read the production key from
+# 1Password on the laptop; falls back to the env var if `op` is unavailable.
+RAILS_MASTER_KEY=$(op read "op://Personal/Community Foundations/keys/PRODUCTION" 2>/dev/null || printenv RAILS_MASTER_KEY)
 
 # GHCR personal access token (write:packages/read:packages). Read from 1Password
 # on the laptop; falls back to the env var if `op` is unavailable.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 39e63f5..9516afa 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,4 +1,14 @@
 class ApplicationController < ActionController::Base
+ # Pre-release lock: gate the whole site behind a shared HTTP Basic password.
+ # Runs before tenant/session resolution. Production only; the /up health check
+ # is unaffected because Rails::HealthController does not inherit from here.
+ if Rails.env.production?
+ http_basic_authenticate_with(
+ name: Rails.application.credentials.dig(:basic_auth, :username),
+ password: Rails.application.credentials.dig(:basic_auth, :password)
+ )
+ end
+
 include SetCurrentOrganization # resolves Current.organization first
 include Authentication # then resumes the session / Current.user
 
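Review bot: The `|| printenv RAILS_MASTER_KEY` fallback on the new RAILS_MASTER_KEY line turns every `op read` failure (not signed in, item renamed, wrong vault) into a silent fallback, and when the env var is also unset the assignment resolves to an empty string, so the deploy proceeds with a blank master key and only fails later as an opaque credentials decryption error on the server. The `cat config/master.key` it replaces failed visibly at this step. Consider failing fast when neither source yields a value, e.g. `RAILS_MASTER_KEY=$(op read "op://Personal/Community Foundations/keys/PRODUCTION" 2>/dev/null || printenv RAILS_MASTER_KEY || { echo "RAILS_MASTER_KEY: neither 1Password nor env provided a value" >&2; exit 1; })`, provided the secrets loader propagates a non-zero status from the substitution; if it does not, a short preflight check before `kamal deploy` does the same job. The same silent-fallback shape is used by the GHCR token lines below, which this hunk only touches as context.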
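Review bot: The new `http_basic_authenticate_with` call is handed whatever `credentials.dig(:basic_auth, ...)` returns, so if `basic_auth` is missing from production.yml.enc, or the credentials fail to load because the key is wrong or absent, `name:` and `password:` are `nil` and the class still boots; presumably every request then fails inside the credential comparison with a 500 rather than a clean 401, and the misconfiguration is only visible in logs. Resolving both values first and refusing to boot when either is blank makes a broken gate fail at deploy time with a message naming what is missing. The `ApplicationController` body continues below the hunk.

```ruby
  if Rails.env.production?
    name = Rails.application.credentials.dig(:basic_auth, :username)
    password = Rails.application.credentials.dig(:basic_auth, :password)
    raise "basic_auth username/password missing from production credentials" if name.blank? || password.blank?

    http_basic_authenticate_with(name: name, password: password)
  end
```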
diff --git a/config/credentials/production.yml.enc b/config/credentials/production.yml.enc
new file mode 100644
index 0000000..529adc3
--- /dev/null
+++ b/config/credentials/production.yml.enc
@@ -0,0 +1 @@
+97luwAcQGslJIAFEcWNvbdiLnvhLy9ny+kayvBRiXK83C3BtpBFggxRuc2V4uZWeU00+PRBLPN6aQWSk/1wEtRvyl7I5eFRkS7ThCfKc51dJilEm7R2e4ENHV3pN+jQB9oxRIeKE2TYBtIZaMKpmt7bWbvpkN+9qKl0BjnIa0AbkX8/LmAzK5crUsm75HbSaW7f7244WpQ/vjWcuICH8BE+6E4MX0ketNeS9hi3YMD/Ry6vs+oSMTTb4uPT50QugZMfbSz/pLVJHKcnIUtpxmV4ocUOFCSuJOV5ehAuzDRv4au/xwvP+84/pVzenW/a61BShaS0/KziqbFD6BN99du4E4lUkb0yhHxainSIVqB1iBlV38h3iWSerytxSYTJRk7nH1dx9MxGwftdMdbNGMVygHO4HL4ppdEz6sp4=--UBnYSBFV6lXze2Ay--sDdwbw7FX5+HMnpVK/18Aw==
\ No newline at end of file