diff --git a/Makefile b/Makefile index 5f891c4..48e516f 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,7 @@ ENVIRONMENT := production REGION := sfo3 ROOT_DIR := $(shell pwd) TERRAFORM := $(ROOT_DIR)/out/terraform +SOPS := $(ROOT_DIR)/out/sops KEYS := \ 6B61ECD76088748C70590D55E90A401336C8AAA9 \ 88823A75ECAA786B0FF38B148E401478A3FBEF72 \ @@ -59,29 +60,41 @@ infra/main/.terraform: | \ infra/backend/$(ENVIRONMENT).tfstate: \ $(OUT_DIR)/terraform \ + $(OUT_DIR)/sops \ infra/backend/.terraform - env -C infra/backend $(TERRAFORM) apply \ + $(SOPS) exec-env secrets/production.enc.env '\ + env -C infra/backend \ + $(TERRAFORM) apply \ -var environment=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \ -var region=$(REGION) \ - -state ../../$@ + -state ../../$@ \ + ' config/$(ENVIRONMENT).tfbackend: | \ $(OUT_DIR)/terraform + $(OUT_DIR)/sops \ # File is not committed and this has no shared state $(MAKE) infra/backend/$(ENVIRONMENT).tfstate - env -C infra/backend $(TERRAFORM) \ + $(SOPS) exec-env secrets/production.enc.env '\ + env -C infra/backend \ + $(TERRAFORM) \ output -state ../../$< \ - > $@ + > $@ \ + ' .PHONY: apply: \ $(OUT_DIR)/terraform \ + $(OUT_DIR)/sops \ infra/main/.terraform - env -C infra/main $(TERRAFORM) apply \ + $(SOPS) exec-env secrets/production.enc.env '\ + env -C infra/main \ + $(TERRAFORM) apply \ -var environment=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \ - -var region=$(REGION) + -var region=$(REGION) \ + ' $(CACHE_DIR)/secrets: mkdir -p $@
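Review bot: In the `config/$(ENVIRONMENT).tfbackend` rule, the added `$(OUT_DIR)/sops \` line does not become an order-only prerequisite, because the preceding `$(OUT_DIR)/terraform` line has no trailing backslash and already ends the rule header. As written, the new line is read as the first recipe line (or as a syntax error, depending on indentation, which this view does not preserve), and its backslash joins it to the `# File is not committed…` comment. Nothing then guarantees sops is built before `$(SOPS) exec-env` runs; the header should read `$(OUT_DIR)/terraform \` followed by `$(OUT_DIR)/sops` with no backslash. Separately, all three recipes decrypt `secrets/production.enc.env` regardless of `$(ENVIRONMENT)`, so a run with `ENVIRONMENT` overridden would still put the production secrets into terraform's environment. Using `secrets/$(ENVIRONMENT).enc.env` would keep the decrypted scope tied to the environment being applied.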