diff --git a/common/.local/bin/dotsync b/common/.local/bin/dotsync
index be78f1a4..f74dc1a9 100755
--- a/common/.local/bin/dotsync
+++ b/common/.local/bin/dotsync
@@ -27,6 +27,38 @@ multi_stow() {
     return $ret
 }
 
+first_clone() {
+    [ -r "${HOME}/.secrets/dotfile-secrets.json" ] || {
+        echo "Please ensure ${HOME}/.secrets/dotfile-secrets.json exists and is readable"
+        exit 1
+    }
+    which jq >/dev/null || {
+        echo "Please ensure jq is installed"
+        exit 1
+    }
+    filter_file=$(mktemp)
+    cat <<'EOF' >"$filter_file"
+#!/bin/sh
+
+FS="#"
+GS="|"
+
+map=$(jq -r 'to_entries[] | "\(.key)'"$FS"'\(.value)"' "${HOME}/.secrets/dotfile-secrets.json")
+
+if [ "$1" = "clean" ]; then
+    sed "$(echo "$map" | awk -F"$FS" -v d="$GS" '{printf "s%s%s%s<#%s#>%sg;", d, $2, d, $1, d }')"
+elif [ "$1" = "smudge" ]; then
+    sed "$(echo "$map" | awk -F"$FS" -v d="$GS" '{printf "s%s<#%s#>%s%s%sg;", d, $1, d, $2, d }')"
+fi
+EOF
+    chmod +x "$filter_file"
+    touch "${HOME}/.gitconfig"
+    git config --global filter.redact.clean "$filter_file clean"
+    git config --global filter.redact.smudge "$filter_file smudge"
+    git clone -j4 --recursive "$STOW_REPO" "$STOW_DIR"
+    rm "$filter_file" "${HOME}/.gitconfig"
+}
+
 { [ -n "$STOW_DIR" ] && [ -n "$STOW_REPO" ] && [ -n "$STOW_BRANCH" ]; } || {
     echo "Please set STOW_DIR, STOW_REPO, and STOW_BRANCH"
     exit 1
@@ -37,7 +69,7 @@ mkdir -p "$STOW_DIR"
 # First run
 if [ ! -e "$STOW_DIR/.git" ]; then
     printf "%b" "${BOLD}${BLUE}Cloning dotfiles...$NC\n\n"
-    git clone -j4 --recursive "$STOW_REPO" "$STOW_DIR"
+    first_clone
     multi_stow || printf "%b" "${RED}Failed to run stow!$NC\n"
     exit 0
 fi