diff --git a/Makefile b/Makefile
index ecc43f9..93901ed 100644
--- a/Makefile
+++ b/Makefile
@@ -5,13 +5,6 @@ BACKEND_TF := $(wildcard infra/backend/*.tf)
 MAIN_TF := $(wildcard infra/main/*.tf)
 ENVIRONMENT := production
 REGION := sfo3
-ROOT_DIR := $(shell pwd)
-KEYS := \
-	6B61ECD76088748C70590D55E90A401336C8AAA9 \
-	88823A75ECAA786B0FF38B148E401478A3FBEF72 \
-	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
-	F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
-
 EXTRA_ARGS :=
 GPG_TTY ?= $(shell tty)
 PLATFORM ?= linux/amd64
@@ -19,7 +12,6 @@ PROGRESS ?= auto
 REGISTRY ?= git.distrust.co/public
 VERSION := latest
 SHELL=/bin/bash
-SOPS := sops
 
 ifeq ($(NOCACHE), 1)
 NOCACHE_FLAG=--no-cache
@@ -30,6 +22,12 @@ export NOCACHE_FLAG
 
 include $(PWD)/src/make/macros.mk
 
+TALOS_SECRETS := \
+	infra/main/talos/controlplane.yaml \
+	infra/main/talos/worker.yaml \
+	infra/main/talos/kubeconfig \
+	infra/main/talos/talosconfig
+
 .ONESHELL:
 
 .DEFAULT_GOAL :=
@@ -48,10 +46,6 @@ out:
 shell: build-tools load-tools
 	$(call run-container, -v $${PWD}:/home/user/stack:rw, $(REGISTRY)/tools:latest, /bin/bash)
 
-.PHONY: credentials
-credentials: \
-	$(CACHE_DIR)/secrets/credentials.tfvars
-
 infra/backend/.terraform: $(BACKEND_TF)
 	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
 	tofu -chdir=infra/backend init -upgrade && \
@@ -63,7 +57,8 @@ infra/backend/.terraform: $(BACKEND_TF)
 
 infra/main/.terraform: \
 	config/$(ENVIRONMENT).tfbackend \
-	$(MAIN_TF)
+	$(MAIN_TF) \
+	$(TALOS_SECRETS)
 	sops exec-env secrets/$(ENVIRONMENT).enc.env -- '\
 	tofu -chdir=infra/main init -upgrade \
 	-backend-config="../../config/$(ENVIRONMENT).tfbackend" && \
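Review bot: TALOS_SECRETS, added in the `@@ -30,6 +22,12 @@` hunk, lists the plaintext outputs of the `secrets/$(ENVIRONMENT).%` decrypt rule (kubeconfig and talosconfig are cluster credentials), and nothing at the definition says so, which invites the next editor to treat them as ordinary inputs. A one-line comment above the assignment would fix that, e.g. `# Decrypted (plaintext) copies of secrets/$(ENVIRONMENT).*; generated, never commit.` Whether these paths are ignored by git is not visible in this diff and is worth confirming.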
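Review bot: In the `@@ -63,7 +57,8 @@` hunk, making `infra/main/.terraform` depend on `$(TALOS_SECRETS)` ties `tofu init -upgrade` to the decrypted secret files, so any re-decryption re-runs init, while `tofu-plan` in the next file hunk lists the same files directly. If init does not actually read them, keeping the prerequisite on `tofu-plan`/`tofu-apply` only (this hunk back to `$(MAIN_TF)`) avoids the spurious init; if it does, a comment naming what in `infra/main` consumes them would justify the edge. The enclosing rule's recipe continues past the hunk.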
@@ -109,14 +104,17 @@ infra/main/talos:
 	mkdir -p $@
 
 infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
-	$(SOPS) --decrypt $< > $@
+	sops --decrypt $< > $@ && \
+	touch -r $< $@ || true
+
+secrets/$(ENVIRONMENT).%: infra/main/talos/%
+	sops --encrypt $< > $@ && \
+	touch -r $< $@ || true
 
 .PHONY: tofu-plan
-tofu-plan: infra/main/.terraform
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
+tofu-plan: \
+	infra/main/.terraform \
+	$(TALOS_SECRETS)
 	sops exec-env secrets/$(ENVIRONMENT).enc.env -- \
 	'tofu -chdir=infra/main plan \
 	-var environment=$(ENVIRONMENT) \
@@ -130,16 +128,10 @@ tofu-plan: infra/main/.terraform
 
 .PHONY: tofu-apply
 tofu-apply: \
-	$(TERRAFORM) \
-	$(SOPS) \
 	infra/main/.terraform
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).talosconfig,infra/main/talos/talosconfig)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).kubeconfig,infra/main/talos/kubeconfig)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).controlplane.yaml,infra/main/talos/controlplane.yaml)
-	$(call maybe_decrypt_secret,secrets/$(ENVIRONMENT).worker.yaml,infra/main/talos/worker.yaml)
-	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+	sops exec-env secrets/$(ENVIRONMENT).enc.env '\
 	env -C infra/main \
-	$(TERRAFORM) apply \
+	tofu apply \
 	-var environment=$(ENVIRONMENT) \
 	-var namespace=$(ENVIRONMENT) \
 	-var region=$(REGION) \
diff --git a/src/make/macros.mk b/src/make/macros.mk
index 1479e72..5589017 100644
--- a/src/make/macros.mk
+++ b/src/make/macros.mk
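Review bot: The new reverse pattern rule `secrets/$(ENVIRONMENT).%: infra/main/talos/%` makes each encrypted secret a prerequisite of its own plaintext and vice versa, so building any `infra/main/talos/<name>` triggers make's "Circular … dependency dropped" and the dropped edge can resolve in either direction. Together with the `|| true` on both recipes this is also a data-loss path: the shell redirection truncates `$@` before sops runs, so a failed decrypt (key unavailable) leaves an empty plaintext with a fresh mtime that make then treats as up to date, and a later `make secrets/$(ENVIRONMENT).<name>` would encrypt that empty file over the real secret. The plaintext is also created under the caller's umask, so cluster credentials may land world-readable. Suggest writing through a temp file without `|| true`, restricting the mode, and replacing the reverse rule with an explicit phony target that reuses the `maybe_encrypt_secret` guard already defined in macros.mk:
```make
infra/main/talos/%: secrets/$(ENVIRONMENT).% | infra/main/talos
	umask 077 && sops --decrypt $< > $@.tmp && \
	mv -f $@.tmp $@ && touch -r $< $@

# Explicit re-encrypt step; a reverse pattern rule would make each secret
# a prerequisite of itself through the rule above.
.PHONY: encrypt-secrets
encrypt-secrets:
	for f in $(TALOS_SECRETS); do \
		$(call maybe_encrypt_secret,$$f,secrets/$(ENVIRONMENT).$${f##*/}); \
	done
```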
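Review bot: In the `@@ -130,16 +128,10 @@` hunk `tofu-apply` no longer names `$(TALOS_SECRETS)` while `tofu-plan` in the previous hunk does; apply now reaches the decrypted files only through `infra/main/.terraform`, so the two targets diverge as soon as that indirect edge is removed. Listing them explicitly, `tofu-apply: \` / `	infra/main/.terraform \` / `	$(TALOS_SECRETS)`, keeps plan and apply in step. Dropping `$(TERRAFORM)` and `$(SOPS)` as prerequisites also removes whatever those targets checked — if they verified the tools were installed, missing `sops`/`tofu` is now only discovered when the recipe runs. The rule's recipe continues past the hunk.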
@@ -5,19 +5,16 @@ define maybe_encrypt_secret
 	test \( -f $(1) -a -f $(2) -a $(1) -nt $(2) \) -o \
 	\( -f $(1) -a ! -f $(2) \) && \
-	$(SOPS) --encrypt $(1) > $(2) || true
+	sops --encrypt $(1) > $(2) || true
 endef
 
-# Only decrypt when local files don't exist
-# Unfortunately, this means we can't decrypt if the secrets update. We can't
-# do that because otherwise it creates a loop. The secrets update, therefore we
-# decrypt secrets, but because the modtime of the decrypted secrets is newer
-# than the encrypted secrets, we want to reencrypt encrypted secrets.
+# Decrypt if the file is missing or older than it's encrypted counterpart.
+# When a decryption is done, set the files age to be the same as it's encrypted counterpart.
 define maybe_decrypt_secret
 	test -f $(1) -a ! -f $(2) && \
-	mkdir -p `dirname $(2)` && \
-	$(SOPS) --decrypt $(1) > $(2) && \
-	touch -d 1970-01-01 $(2) || \
+	mkdir -p $(dir $(2)) && \
+	sops --decrypt $(1) > $(2) && \
+	touch -r $(1) $(2) || \
 	true
 endef
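Review bot: The new comment on `maybe_decrypt_secret` promises decryption when the plaintext is "missing or older than its encrypted counterpart", but the guard is still `test -f $(1) -a ! -f $(2)`, which fires only when $(2) is missing; either the guard should become `test -f $(1) -a \( ! -f $(2) -o $(1) -nt $(2) \) && \` or the comment should say "only when the plaintext is missing". Since `touch -r $(1) $(2)` now pins the plaintext mtime to the encrypted file, the newer-than case is well defined and extending the guard is consistent with the rest of the change. Both comment lines also misspell "its" as "it's", and the Makefile hunks remove every `$(call maybe_decrypt_secret, …)` visible in this diff, so the macro may now be unused — worth confirming no other include calls it before keeping it.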