diff --git a/.gitattributes b/.gitattributes
index 29fc3c99..370e338a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -6,3 +6,5 @@ ansible/files/csi-secret-cinderplugin.yaml.codfw1dev.crypt filter=git-crypt diff
 paws/codfw-secrets.yaml filter=git-crypt diff=git-crypt
 paws/files/minesweeper/secrets/** filter=git-crypt diff=git-crypt
 tofu/secrets.tf filter=git-crypt diff=git-crypt
+secrets-eqiad1.sh filter=git-crypt diff=git-crypt
+secrets-codfw1dev.sh filter=git-crypt diff=git-crypt
diff --git a/README.md b/README.md
index 7d16af20..c7183f29 100644
--- a/README.md
+++ b/README.md
@@ -116,3 +116,8 @@ bash deploy.sh
 update the web proxy in horizon to point to current cluster.
 https://wikitech.wikimedia.org/wiki/PAWS/Admin#Deployment
+
+#### Disaster Recovery
+If the entire project is removed two parts of paws are not managed by tofu/ansible.
+Object storage container: An object storage container named "tofu-state" will need to be generated in horizon. This is where the state file for tofu resides.
+NFS: The NFS server is not included. And a fresh NFS server will be needed for paws to operate.
diff --git a/deploy.sh b/deploy.sh
index 786d3500..6c6568a4 100644
--- a/deploy.sh
+++ b/deploy.sh
@@ -31,14 +31,16 @@ if ! command -v tofu ; then
 exit 1
 fi
+source secrets-${datacenter}.sh
+
 python3 -m venv .venv/deploy
 source .venv/deploy/bin/activate
 pip install ansible==8.1.0 kubernetes==26.1.0
 cd tofu
-tofu init
-tofu apply -var datacenter=${datacenter} # -auto-approve
+tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"
+tofu apply -var datacenter=${datacenter} # -auto-approve
 export KUBECONFIG=$(pwd)/kube.config
 cd ../ansible
diff --git a/secrets-eqiad1.sh b/secrets-eqiad1.sh
new file mode 100644
index 00000000..6a74de2b
Binary files /dev/null and b/secrets-eqiad1.sh differ
diff --git a/tofu/main.tf b/tofu/main.tf
index ff6886ec..8d8aad56 100644
--- a/tofu/main.tf
+++ b/tofu/main.tf
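Review bot: The new `secrets-codfw1dev.sh filter=git-crypt diff=git-crypt` rule has no matching file in this diff — only `secrets-eqiad1.sh` is added — so a `deploy.sh` run with `datacenter=codfw1dev` would fail at its new `source secrets-${datacenter}.sh` line until that file is committed, unless it arrives in a part of the change I cannot see. Either add the codfw1dev file in the same change or say in the README's new Disaster Recovery section that it must exist before a codfw1dev deploy. Landing the attribute rule before the file is the right order: git-crypt only encrypts a path that is already matched by a rule when the file is staged, otherwise the plaintext goes into history.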
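Review bot: The new `tofu init -backend-config access_key="${ACCESS_KEY}" -backend-config secret_key="${SECRET_KEY}"` line puts the object-storage secret on the command line, where any user on the deploy host can read it from `ps`/`/proc` and where a `set -x` trace or shell history records it; the s3 backend also persists `-backend-config` values in clear text in `.terraform/terraform.tfstate` under the `tofu` directory. The backend reads `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` from the environment, so exporting those after sourcing the secrets file and running a bare `tofu init` avoids both exposures. The new `source secrets-${datacenter}.sh` line also executes whatever is in that file with no check that it exists or that the checkout has been unlocked with git-crypt — on a locked clone bash would try to run ciphertext (an encrypted file starts with the `\0GITCRYPT\0` magic), and with no `secrets-codfw1dev.sh` present in this diff the codfw1dev path would fail outright. The top of deploy.sh, where `datacenter` is assigned, is outside the hunk, so I cannot tell whether its value is validated before being spliced into the filename.
```shell
secrets_file="secrets-${datacenter}.sh"
if [[ ! -r "${secrets_file}" ]]; then
  echo "${secrets_file} not found; add it (git-crypt'd) before deploying to ${datacenter}" >&2
  exit 1
fi
# A still-locked git-crypt file begins with the "\0GITCRYPT\0" magic; sourcing it would execute ciphertext.
if head -c 10 -- "${secrets_file}" | grep -aq 'GITCRYPT'; then
  echo "${secrets_file} is still git-crypt locked; run 'git-crypt unlock' first" >&2
  exit 1
fi
# shellcheck source=/dev/null
source "${secrets_file}"

# … unchanged: venv creation, pip install, cd tofu …

# Hand the object-storage credentials to the s3 backend through the environment
# rather than -backend-config: argv is visible in ps, and -backend-config values
# are persisted in clear text in .terraform/terraform.tfstate.
export AWS_ACCESS_KEY_ID="${ACCESS_KEY:?}" AWS_SECRET_ACCESS_KEY="${SECRET_KEY:?}"
tofu init
tofu apply -var datacenter=${datacenter} # -auto-approve
```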
@@ -1,4 +1,15 @@
 terraform {
+ backend "s3" {
+ #access_key = "7f5dc99840424406ae1e888d21b936a7"
+ bucket = "tofu-state"
+ endpoint = "https://object.eqiad1.wikimediacloud.org"
+ key = "paws-state"
+ region = "default"
+ #secret_key = var.ec2_credential_secret[var.datacenter]
+ skip_credentials_validation = "true"
+ skip_region_validation = "true"
+ use_path_style = "true"
+ }
 required_version = ">= 1.5.3"
 required_providers {
 openstack = {
diff --git a/tofu/secrets.tf b/tofu/secrets.tf
index e60168cb..74d585b9 100644
Binary files a/tofu/secrets.tf and b/tofu/secrets.tf differ
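Review bot: `key = "paws-state"` is fixed while the deploy is parameterised by `datacenter`, so an eqiad1 run and a codfw1dev run would read and overwrite the same state object in the eqiad1 bucket unless workspaces are in use, which nothing here shows; since a backend block cannot reference variables (the commented `#secret_key = var.ec2_credential_secret[var.datacenter]` line looks like the remnant of that attempt), the per-datacenter key belongs in deploy.sh, e.g. `tofu init -backend-config key="paws-state-${datacenter}"`. The commented `#access_key = "7f5dc99840424406ae1e888d21b936a7"` line leaves a credential identifier in version control even though the commit moved the live values into the git-crypt'd secrets file; drop both commented lines, and if that key pair was ever committed in clear alongside its secret it should be rotated. The s3 backend only locks state through `dynamodb_table`, which an OpenStack object store does not provide, so two concurrent deploy.sh runs can corrupt `paws-state`; a comment on the block such as `# No state locking on this backend: never run two deploys concurrently.` would warn the next operator. The `skip_*` and `use_path_style` settings are booleans and read better bare (`= true`) than as `"true"` strings. The `terraform {}` block continues past the end of the hunk.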