diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 17710e3e53e966397492b20fa6cc734c0de69203..08013a3cc3034f3fc65a5d7f6191e79684843157 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -100,7 +100,7 @@ Follow instruction in [CI-Workflow](./docs/developer/ci-workflow.md) for specifi
 
 ## How to Contribute
 
-1. Fork this repository, develop, and test your changes.
+1. Fork this repository, develop, and test your changes. (if you do not have permissions to fork the repository, You can download the repo as a tar.gz file and upload to your own repo in your Gitlab instance instead)
 1. Submit a pull request.
 1. Keep an eye out for comments. From bots and maintainers to ensure CI is passing and issues or suggestions are addressed.
 
diff --git a/docs/understanding-bigbang/concepts/encryption.md b/docs/understanding-bigbang/concepts/encryption.md
index e9d11eda45d287d19fc2594dc7ce85dc541db975..966b889f14fe3ddea02b7a3f3ed8e239e150e576 100644
--- a/docs/understanding-bigbang/concepts/encryption.md
+++ b/docs/understanding-bigbang/concepts/encryption.md
@@ -84,8 +84,38 @@ SOPS uses `.sops.yaml` as a configuration file for which keys to use for newly c
          ```
 
 ### GCP KMS
+  - If using a GCP KMS key, you can skip the section: "Create GPG Encryption Key". Instead, in your .sops.yaml file (note - this is a hidden file at the root of this directory) use this configuration instead
+  of the GPG config:
+  ```yaml
+  creation_rules:
+    - encrypted_regex: '^(data|stringData)$'
+      gcp_kms: <gcp resource name of key>
+  ```
+  Key resource name should look like: ```projects/{PROJECT_ID}/locations/global/keyRings/{KEY_RING_NAME}/cryptoKeys/{KEY_NAME}_**```
+
+  If you get errors about the key not working, try re-logging in to GCP:  
+
+  ```gcloud auth application-default login```  
+
+  And make sure you have the right project set:  
+
+  ```gcloud config set project <project_id>```  
+
+
+  Also make sure you have these IAM roles on your GCP account:
+  ```shell
+  roles/container.admin  
+  roles/iam.serviceAccountAdmin  
+  ```
+
+  The KMS key also needs IAM permissions, and needs to be linked back to the flux-controller in the cluster. You need to create a service account and role binding, then manually annotate it:
+
+  ```kubectl annotate serviceaccount kustomize-controller --namespace flux-system iam.gke.io/gcp-service-account=flux-service-account@<project_id>.iam.gserviceaccount.com```
+
+  GCP uses Workload Identity to allow the flux-controller to use the service account, good references for this setup are here. Make sure you enable Workload Identity on the cluster nodes:  
+  [GCP Docs](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)  
+  [Medium Article](https://medium.com/the-telegraph-engineering/binding-gcp-accounts-to-gke-service-accounts-with-terraform-dfca4e81d2a0)
 
-TBD - [This article](https://blog.doit-intl.com/injecting-secrets-from-aws-gcp-or-vault-into-a-kubernetes-pod-d5a0e84ba892) may help to automate secret consumption in Kubernetes.
 
 ### Azure KeyVault