diff --git a/pkgs/sops-install-secrets/main.go b/pkgs/sops-install-secrets/main.go
index ddae4da..8612ec9 100644
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@@ -45,7 +45,7 @@ type manifest struct {
 GnupgHome string `json:"gnupgHome"`
 }
-type secretFile struct {
+type secretFile struct {
 cipherText []byte
 keys map[string]interface{}
 /// First secret that defined this secretFile, used for error messages
@@ -324,25 +324,28 @@ func (app *appContext) validateSecret(secret *secret) error {
 }
 secret.mode = os.FileMode(mode)
- owner, err := user.Lookup(secret.Owner)
- if err != nil {
- return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)
- }
- ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)
- if err != nil {
- return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)
- }
- secret.owner = int(ownerNr)
+ if app.checkMode == Off {
+ // we only access to the user/group during deployment
+ owner, err := user.Lookup(secret.Owner)
+ if err != nil {
+ return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)
+ }
+ ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)
+ if err != nil {
+ return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)
+ }
+ secret.owner = int(ownerNr)
- group, err := user.LookupGroup(secret.Group)
- if err != nil {
- return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)
+ group, err := user.LookupGroup(secret.Group)
+ if err != nil {
+ return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)
+ }
+ groupNr, err := strconv.ParseUint(group.Gid, 10, 64)
+ if err != nil {
+ return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)
+ }
+ secret.group = int(groupNr)
 }
- groupNr, err := strconv.ParseUint(group.Gid, 10, 64)
- if err != nil {
- return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)
- }
- secret.group = int(groupNr)
 if secret.Format == "" {
 secret.Format = "yaml"
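Review bot: When `app.checkMode` is not `Off`, the new branch in validateSecret leaves `secret.owner` and `secret.group` at their zero value, which is uid/gid 0, and nothing in the hunk records that invariant; any later code that consults those fields in check mode would silently see root:root. The added comment also reads awkwardly (`// we only access to the user/group during deployment`); suggest replacing it with `// Resolve owner/group only when deploying: in check mode the target's users and groups may not exist, so secret.owner/secret.group stay 0 (root) and must not be relied on.` The trade-off worth stating in the commit is that a mistyped owner or group is now reported only at deployment rather than in check mode. The re-indented error returns still use `%s` for `err`; `%w` would let callers use errors.Is/As, though that predates this change. validateSecret begins before and ends after this hunk.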
diff --git a/pkgs/sops-install-secrets/nixos-test.nix b/pkgs/sops-install-secrets/nixos-test.nix
index 3faaee5..06a78af 100644
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@@ -24,31 +24,36 @@ pgp-keys = makeTest {
 name = "sops-pgp-keys";
- nodes.server = { pkgs, lib, ... }: {
- imports = [ ../../modules/sops ];
- sops.gnupgHome = "/run/gpghome";
- sops.defaultSopsFile = ./test-assets/secrets.yaml;
- sops.secrets.test_key.owner = "nobody";
- # must run before sops
- system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
- cp -r ${./test-assets/gnupghome} /run/gpghome
- chmod -R 700 /run/gpghome
- '';
- # Useful for debugging
- #environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
- #environment.variables = {
- # GNUPGHOME = "/run/gpghome";
- # SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
- # SOPSFILE = "${./test-assets/secrets.yaml}";
- #};
- };
- testScript = ''
- start_all()
- server.succeed("cat /run/secrets/test_key | grep -q test_value")
- server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
- # should have no permission to read the file
- server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
- '';
+ nodes.server = { pkgs, lib, config, ... }: {
+ imports = [
+ ../../modules/sops
+ ];
+
+ users.users.someuser.isSystemUser = true;
+
+ sops.gnupgHome = "/run/gpghome";
+ sops.defaultSopsFile = ./test-assets/secrets.yaml;
+ sops.secrets.test_key.owner = config.users.users.someuser.name;
+ # must run before sops
+ system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
+ cp -r ${./test-assets/gnupghome} /run/gpghome
+ chmod -R 700 /run/gpghome
+ '';
+ # Useful for debugging
+ #environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
+ #environment.variables = {
+ # GNUPGHOME = "/run/gpghome";
+ # SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
+ # SOPSFILE = "${./test-assets/secrets.yaml}";
+ #};
+ };
+ testScript = ''
+ start_all()
+ server.succeed("cat /run/secrets/test_key | grep -q test_value")
+ server.succeed("runuser -u someuser -G keys -- cat /run/secrets/test_key >&2")
+ # should have no permission to read the file
+ server.fail("runuser -u someuser -- cat /run/secrets/test_key >&2")
+ '';
 } { inherit pkgs; };
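Review bot: The testScript never asserts that `/run/secrets/test_key` is actually owned by `someuser`, which is the property the owner lookup moved behind `checkMode == Off` in main.go is meant to guarantee; `server.fail("runuser -u someuser -- cat ...")` only shows the file is not readable by that user without the `keys` group, and `runuser -u someuser -G keys` proves group access, not ownership. Add `server.succeed("stat -c %U /run/secrets/test_key | grep -qx someuser")` after the first `server.succeed` so a regression that silently falls back to root ownership is caught. Separately, `users.users.someuser.isSystemUser = true;` carries no explicit `group`; newer NixOS releases assert that system users have one, so it is worth confirming against the pinned nixpkgs and adding `users.users.someuser.group = "someuser";` with a matching `users.groups.someuser = {};` if required.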