diff --git a/linux/Dockerfile b/linux/Dockerfile
index f59dbe5..8db3ef0 100644
--- a/linux/Dockerfile
+++ b/linux/Dockerfile
@@ -30,6 +30,9 @@ RUN --mount=target=/build/script.sh,source=/build/tools/04-gcloud.sh /build/scri
 FROM tools-base AS tools-asdf
 RUN --mount=target=/build/script.sh,source=/build/tools/06-asdf.sh /build/script.sh
 
+FROM tools-base AS tools-sops
+RUN --mount=target=/build/script.sh,source=/build/tools/07-sops.sh /build/script.sh
+
 FROM tools-base AS tools-runner
 RUN --mount=target=/build/script.sh,source=/build/tools/99-runner.sh /build/script.sh
 
@@ -44,6 +47,8 @@ COPY --from=tools-gcloud --link /var/runner /var/runner
 COPY --from=tools-gcloud --link /etc/profile.d /etc/profile.d
 COPY --from=tools-asdf --link /var/runner /var/runner
 COPY --from=tools-asdf --link /etc/profile.d /etc/profile.d
+COPY --from=tools-sops --link /var/runner /var/runner
+COPY --from=tools-sops --link /etc/profile.d /etc/profile.d
 COPY --from=tools-runner --link /var/runner /var/runner
 COPY --from=tools-runner --link /etc/profile.d /etc/profile.d
 COPY --from=tools-runner --link /runner /runner
diff --git a/linux/build/tools/07-sops.sh b/linux/build/tools/07-sops.sh
new file mode 100755
index 0000000..a9a7caf
--- /dev/null
+++ b/linux/build/tools/07-sops.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/bash
+set -euxo pipefail
+mkdir -p /var/runner/tools/sops
+
+curl -fsSL \
+    "https://github.com/getsops/sops/releases/download/v3.12.2/sops-v3.12.2.linux.amd64" \
+    -o /var/runner/tools/sops/sops
+chmod +x /var/runner/tools/sops/sops
+
+cat <<EOF | sudo tee /etc/profile.d/20-sops.sh
+export PATH="\$PATH:/var/runner/tools/sops"
+EOF
diff --git a/macOS/volumes/setup/scripts/04-homebrew-pkgs.sh b/macOS/volumes/setup/scripts/04-homebrew-pkgs.sh
index f1b04d6..2fbf374 100755
--- a/macOS/volumes/setup/scripts/04-homebrew-pkgs.sh
+++ b/macOS/volumes/setup/scripts/04-homebrew-pkgs.sh
@@ -12,6 +12,7 @@ brew install \
     "gnu-tar" \
     "jq" \
     "ruby" \
+    "sops" \
     "wget" \
     "zstd"