diff --git a/roles/add-gpgkey/README.rst b/roles/add-gpgkey/README.rst
new file mode 100644
index 000000000..99a78f259
--- /dev/null
+++ b/roles/add-gpgkey/README.rst
@@ -0,0 +1,12 @@
+Install a GPG private key onto a host.
+
+**Role Variables**
+
+.. zuul:rolevar:: gpg_key
+
+ Complex argument which contains the GPG private key. It is
+ expected that this argument comes from a `Secret`.
+
+ .. zuul:rolevar:: private
+
+ The ascii-armored contents of the GPG private key.
diff --git a/roles/add-gpgkey/tasks/main.yaml b/roles/add-gpgkey/tasks/main.yaml
new file mode 100644
index 000000000..8df3304aa
--- /dev/null
+++ b/roles/add-gpgkey/tasks/main.yaml
@@ -0,0 +1,18 @@
+- name: Create GPG private key tempfile
+ tempfile:
+ state: file
+ register: gpg_private_key_tmp
+
+- name: Stage GPG private key for importing
+ copy:
+ content: "{{ gpg_key.private }}"
+ dest: "{{ gpg_private_key_tmp.path }}"
+ mode: 0400
+
+- name: Import GPG private key
+ command: "gpg --allow-secret-key-import --import {{ gpg_private_key_tmp.path }}"
+
+- name: Delete staged GPG private key
+ file:
+ path: "{{ gpg_private_key_tmp.path }}"
+ state: absent
diff --git a/roles/remove-gpgkey/README.rst b/roles/remove-gpgkey/README.rst
new file mode 100644
index 000000000..604e4e3d1
--- /dev/null
+++ b/roles/remove-gpgkey/README.rst
@@ -0,0 +1 @@
+Remove an added GPG key from the host.
diff --git a/roles/remove-gpgkey/tasks/main.yaml b/roles/remove-gpgkey/tasks/main.yaml
new file mode 100644
index 000000000..e36f1117e
--- /dev/null
+++ b/roles/remove-gpgkey/tasks/main.yaml
@@ -0,0 +1,2 @@
+- name: Remove GPG key
+ command: "sh -c 'shred -u ~/.gnupg/*'"
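Review bot: In roles/add-gpgkey/tasks/main.yaml the "Delete staged GPG private key" task only runs when every earlier task succeeds, so a failed `gpg --import` leaves the ascii-armored private key in the tempfile on the host. Wrapping the stage and import tasks in a `block:` and moving the delete task under `always:` makes the cleanup unconditional. The staging `copy` task also renders `gpg_key.private` into its arguments, so adding `no_log: true` there keeps the key out of job output whatever verbosity or diff setting the job runs with. Note that the tempfile is unlinked rather than overwritten, unlike the `shred` used in remove-gpgkey; that may be acceptable on a throwaway node but is worth stating in the README.

```yaml
# … unchanged: "Create GPG private key tempfile" …

- name: Stage and import GPG private key
  block:
    - name: Stage GPG private key for importing
      # … unchanged: copy of gpg_key.private to the tempfile, mode 0400 …
      no_log: true

    # … unchanged: "Import GPG private key" …
  always:
    # … unchanged: "Delete staged GPG private key" …
```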
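Review bot: In roles/remove-gpgkey/tasks/main.yaml the glob `~/.gnupg/*` is not recursive, so on hosts running GnuPG 2.1 or later, where secret keys are stored under `~/.gnupg/private-keys-v1.d/`, `shred` errors on the directory entry and the imported private key files inside it are never touched. Something like `command: "sh -c 'find ~/.gnupg -type f -exec shred -u {} +'"` reaches files in subdirectories. The task also wipes every file in the keyring rather than only the key that add-gpgkey imported, which the README's "Remove an added GPG key" does not convey; either say so there or delete by fingerprint. A gpg-agent started by the import may still be running afterwards, so it may be worth stopping it with `gpgconf --kill gpg-agent` in the same role.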