diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 255e73a..3d361c1 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -312,7 +312,7 @@ in {
         }]) cfg.secrets)
       );
 
-      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
+      sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != []) (lib.mkDefault "${pkgs.gnupg}/bin/gpg");
 
       # When using sysusers we no longer be started as an activation script because those are started in initrd while sysusers is started later.
       systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && sysusersEnabled) {