diff --git a/flake.lock b/flake.lock
index ed8eae3b8..24bbbbbcf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -36,11 +36,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743598667,
-        "narHash": "sha256-ViE7NoFWytYO2uJONTAX35eGsvTYXNHjWALeHAg8OQY=",
+        "lastModified": 1744126564,
+        "narHash": "sha256-v1XPivS/Rvo9BBvF2Rh59HxUpucMsuOCGVrkIObF/bc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "329d3d7e8bc63dd30c39e14e6076db590a6eabe6",
+        "rev": "8f806681d781ca250ddaafd262d6b6c89d79d9ef",
         "type": "github"
       },
       "original": {
diff --git a/pkgs/clan-cli/clan_cli/secrets/sops.py b/pkgs/clan-cli/clan_cli/secrets/sops.py
index 3f533962c..25f6298d7 100644
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -449,15 +449,20 @@ def decrypt_file(secret_path: Path) -> str:
 
 def get_recipients(secret_path: Path) -> set[SopsKey]:
     sops_attrs = json.loads((secret_path / "secret").read_text())["sops"]
-    return {
-        SopsKey(
-            pubkey=recipient[key_type.sops_recipient_attr],
-            username="",
-            key_type=key_type,
-        )
-        for key_type in KeyType
-        for recipient in sops_attrs[key_type.name.lower()] or []
-    }
+    keys = set()
+    for key_type in KeyType:
+        recipients = sops_attrs.get(key_type.name.lower())
+        if not recipients:
+            continue
+        for recipient in recipients:
+            keys.add(
+                SopsKey(
+                    pubkey=recipient[key_type.sops_recipient_attr],
+                    username="",
+                    key_type=key_type,
+                )
+            )
+    return keys
 
 
 def get_meta(secret_path: Path) -> dict: