diff --git a/deploy/build.sh b/deploy/build.sh
index e5fbdde..a04292f 100755
--- a/deploy/build.sh
+++ b/deploy/build.sh
@@ -6,6 +6,7 @@ source deploy/env.sh
 AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$HOME/.config/age/keys.txt}"
 AGE_RECIPIENT="age1hkehkc2rryjl975c2mg5cghmjr54n4wjshncl292h2eg5l394fhs4uydrh"
+ENCRYPTED_SECRETS_FILE="${ENCRYPTED_SECRETS_FILE:-$PWD/creds/secrets.enc.env}"
 require_cmd() {
 local cmd="$1"
@@ -63,6 +64,15 @@ EOF
 fi
 exit 1
 fi
+
+ export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$AGE_KEY_FILE}"
+ if [[ -f "$ENCRYPTED_SECRETS_FILE" ]]; then
+ if ! sops -d "$ENCRYPTED_SECRETS_FILE" >/dev/null 2>&1; then
+ echo "sops could not decrypt $ENCRYPTED_SECRETS_FILE with the configured keys." >&2
+ echo "Export SOPS_AGE_KEY_FILE to point at the correct key (e.g., creds/age-key.txt)." >&2
+ exit 1
+ fi
+ fi
 }
 echo "Running pre-flight checks..."
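Review bot: The default for `ENCRYPTED_SECRETS_FILE` is built from `$PWD`, so it resolves against whatever directory the script is started from, and nothing on this line says so. A comment above it would help, e.g. `# Encrypted secrets (sops/age); override via ENCRYPTED_SECRETS_FILE. Default assumes the script is run from the repository root.` The hunk header shows `source deploy/env.sh`, which suggests the script already expects that working directory, but that is inferred from the header alone.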
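Review bot: The decrypt check sends sops's stderr to /dev/null (`>/dev/null 2>&1`), so the real reason for a failure (missing key file, no matching recipient, a corrupt or tampered file) is replaced by a message that assumes the key is wrong. Keep stdout discarded, since it carries the plaintext, but capture stderr and print it: `if ! sops_err="$(sops -d "$ENCRYPTED_SECRETS_FILE" 2>&1 >/dev/null)"; then` followed by `printf '%s\n' "$sops_err" >&2`. When the file is absent the `[[ -f "$ENCRYPTED_SECRETS_FILE" ]]` guard skips the check silently, so a mistyped path passes pre-flight; if the secrets file is meant to be required, an `else` branch that fails or at least warns would close that gap. The enclosing block starts above the hunk; if it is a function, declare `sops_err` with `local`.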