diff --git a/terraform/all-in-one.md b/terraform/all-in-one.md
index 9c060498..2ed356ff 100644
--- a/terraform/all-in-one.md
+++ b/terraform/all-in-one.md
@@ -48,7 +48,7 @@ mkdir -p etc/ssh var/lib/secrets
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
 umask 0177
-sops --extract '["initrd_ssh_key"]' -d "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key
+sops --extract '["initrd_ssh_key"]' --decrypt "$SCRIPT_DIR/secrets.yaml" >./var/lib/secrets/initrd_ssh_key
 
 # restore umask
 umask 0022
@@ -59,7 +59,7 @@ for keyname in ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_ed25519_key ssh_ho
   else
     umask 0177
   fi
-  sops --extract '["'$keyname'"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
+  sops --extract '["'$keyname'"]' --decrypt "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
 done
 ```
 
@@ -72,7 +72,7 @@ set -euo pipefail
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd "$SCRIPT_DIR"
-sops --extract '["zfs-key"]' -d "$SCRIPT_DIR/secrets.yaml" >"./etc/ssh/$keyname"
+sops --extract '["zfs-key"]' --decrypt "$SCRIPT_DIR/secrets.yaml"
 ```
 
 ## See also