diff --git a/Makefile b/Makefile
index b6344a0..1b089cc 100644
--- a/Makefile
+++ b/Makefile
@@ -89,6 +89,9 @@ $(CACHE_DIR)/secrets:
 $(FETCH_DIR)/terraform:
 $(call git_clone,$@,$(TERRAFORM_REPO),$(TERRAFORM_REF))
+$(FETCH_DIR)/sops:
+ $(call git_clone,$@,$(SOPS_REPO),$(SOPS_REF))
+
 $(OUT_DIR)/terraform: $(FETCH_DIR)/terraform
 $(call toolchain," \
 cd $(FETCH_DIR)/terraform && \
@@ -102,3 +105,18 @@ $(OUT_DIR)/terraform: $(FETCH_DIR)/terraform
 -ldflags='-w -extldflags=-static' \
 -o /home/build/$@ \
 ")
+
+$(OUT_DIR)/sops: $(FETCH_DIR)/sops
+ $(call toolchain," \
+ cd $(FETCH_DIR)/sops && \
+ export SSL_CERT_DIR=/etc/ssl/certs && \
+ export GOCACHE=/home/build/$(CACHE_DIR) && \
+ export GOPATH=/home/build/$(CACHE_DIR) && \
+ export CGO_ENABLED=0 && \
+ go build \
+ -v \
+ -trimpath \
+ -ldflags='-w -extldflags=-static' \
+ -o /home/build/$@ \
+ go.mozilla.org/sops/v3/cmd/sops \
+ ")
diff --git a/README.md b/README.md
index f1c4048..2082866 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,5 @@ For the purpose of transparency, we include our infrastructure configuration rig
 ## Usage
 ```shell
-$ sops exec-env secrets/production.enc.env $(getent passwd $UID | cut -d: -f7)
 $ make
 ```
diff --git a/config/global.env b/config/global.env
index cecb4b5..a93177a 100644
--- a/config/global.env
+++ b/config/global.env
@@ -1,3 +1,5 @@
 DEBIAN_HASH=f9e970d357981f7f5055f89365af980534ce742fc11480c51f929da83aa15980
 TERRAFORM_REF=db6079cfe269803701be9e1a89aeaf9a93714e86
 TERRAFORM_REPO=https://github.com/hashicorp/terraform
+SOPS_REF=e1edc059487ddd14236dfe47267b05052f6c20b4
+SOPS_REPO=https://github.com/mozilla/sops
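Review bot: The new `$(FETCH_DIR)/sops:` rule has no prerequisites, so once that directory exists Make treats it as up to date and a later change to `SOPS_REF` will not trigger a re-fetch; `$(OUT_DIR)/sops` would then be built from the old checkout without any warning. At minimum this should be documented above the rule, for example `# Bumping SOPS_REF requires removing $(FETCH_DIR)/sops first; an existing checkout is never re-fetched.` The `git_clone` helper is defined outside this hunk, so it is worth confirming separately that it checks out exactly the pinned commit and fails if it cannot. The existing `$(FETCH_DIR)/terraform:` rule has the same shape.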
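Review bot: The `go build` in the new `$(OUT_DIR)/sops` recipe does not state how module dependencies are resolved, and the exported `SSL_CERT_DIR` suggests they are downloaded at build time into the shared `$(CACHE_DIR)`. Going by the README line this commit removes, sops is the tool that decrypts `secrets/production.enc.env`, so the build should fail rather than adjust `go.mod`/`go.sum`: add `-mod=readonly \` next to `-trimpath \` (recent Go releases default to this, but the toolchain's Go version is not visible here). The recipe is also a near copy of what is visible of the `$(OUT_DIR)/terraform` recipe, so a shared `define` taking the source directory and package path would keep the two sets of build flags from drifting apart. The `toolchain` macro and the start of the terraform recipe are outside this hunk.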