diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 4c3d68cc3b0506503e900924a17566b693edd670..3f6124b1b705f5e7271a5dd28a31cf83fe23ec9f 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -175,6 +175,16 @@ include:
 stages: [validate, build, deploy]
 ```
 
+#### Working with encrypted states locally
+
+To locally work with encrypted states that have been auto encrypted by the component you can
+manually do what the component does:
+
+Copy the encryption setup from [the `configure_encryption_for_tofu` function](/src/gitlab-tofu.sh#L310)
+into a temporary file called `encryption.tf` or expose it in the `TF_ENCRYPTION` variable - make sure to
+correctly set your passphrase the match the value from GitLab CI. Then you can simply continue using your
+regular `tofu` tooling.
+
 ### Configure `id_tokens`
 
 > [!note]
diff --git a/README.md b/README.md
index c5d7dba2cb27e3e0f865023d1e6f97e50c9f54c8..3154bb88bc3b03126e9adfc4e3c2ebdfe10f1261 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,16 @@ include:
 stages: [validate, build, deploy]
 ```
 
+#### Working with encrypted states locally
+
+To locally work with encrypted states that have been auto encrypted by the component you can
+manually do what the component does:
+
+Copy the encryption setup from [the `configure_encryption_for_tofu` function](/src/gitlab-tofu.sh#L310)
+into a temporary file called `encryption.tf` or expose it in the `TF_ENCRYPTION` variable - make sure to
+correctly set your passphrase the match the value from GitLab CI. Then you can simply continue using your
+regular `tofu` tooling.
+
 ### Configure `id_tokens`
 
 > [!note]