diff --git a/tools/secretstore.py b/tools/secretstore.py
index fc5b3a25..f775d4af 100644
--- a/tools/secretstore.py
+++ b/tools/secretstore.py
@@ -46,13 +46,20 @@ class SecretStore(object):
         return os.path.exists(c) or os.path.exists(p)
 
     def plaintext(self, suffix):
-        return os.path.join(self.proot, suffix)
+        p = os.path.join(self.proot, suffix)
+        c = os.path.join(self.croot, suffix)
+
+        if not os.path.exists(p) or os.path.getctime(p) < os.path.getctime(c):
+            logger.info("Decrypting {} ({})...".format(suffix, c))
+            decrypt(c, p)
+
+        return p
 
     def open(self, suffix, mode, *a, **kw):
         p = os.path.join(self.proot, suffix)
         c = os.path.join(self.croot, suffix)
         if 'w' in mode:
-            return open(p, mode, *a, *kw)
+            return open(p, mode, *a, **kw)
 
         if not self.exists(suffix):
             raise SecretStoreMissing("Secret {} does not exist".format(suffix))