diff --git a/.gitea/workflows/terraform.yml b/.gitea/workflows/terraform.yml
index b901a23..b46a0c8 100644
--- a/.gitea/workflows/terraform.yml
+++ b/.gitea/workflows/terraform.yml
@@ -48,10 +48,10 @@ jobs:
         env:
           AGE_PUBLIC_KEY: ${{ secrets.AGE_PUBLIC_KEY }}
         run: |
-          # Install age if not present
+          # Install age locally (no sudo in container)
           if ! command -v age &> /dev/null; then
             curl -sL https://github.com/FiloSottile/age/releases/download/v1.1.1/age-v1.1.1-linux-amd64.tar.gz | tar xz
-            sudo mv age/age age/age-keygen /usr/local/bin/
+            export PATH="$PWD/age:$PATH"
           fi
           
           # Extract all setup key values
@@ -77,7 +77,7 @@ jobs:
           
           # Encrypt with age
           if [ -n "$AGE_PUBLIC_KEY" ]; then
-            age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age setup-keys.json
+            ./age/age -r "$AGE_PUBLIC_KEY" -o setup-keys.json.age setup-keys.json
             rm setup-keys.json
             echo "Setup keys encrypted to setup-keys.json.age"
           else