diff --git a/misc/vault-keyring-client.sh b/misc/vault-keyring-client.sh
index 23ac7106..4f24f902 100755
--- a/misc/vault-keyring-client.sh
+++ b/misc/vault-keyring-client.sh
@@ -1,2 +1,8 @@
 #!/bin/sh
-exec gpg --batch --decrypt --quiet "$(dirname $0)/vault-$2-password.gpg"
+
+readonly vault_password_file_encrypted="$(dirname $0)/vault-$2-password.gpg"
+
+# often getting "gpg: decryption failed: No secret key" in tf-stage2
+# seems to work with flock (issue last reproduced with gnupg 2.2.35)
+flock "$vault_password_file_encrypted" \
+ gpg --batch --decrypt --quiet "$vault_password_file_encrypted"
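Review bot: `flock` creates its lock target when the file does not exist, so on the new `flock "$vault_password_file_encrypted"` line a mistyped or unexpected vault id in `$2` leaves an empty `vault-<id>-password.gpg` beside the real ones, and gpg then fails on that empty file instead of reporting a missing one. A guard before the lock avoids this: `[ -r "$vault_password_file_encrypted" ] || { echo "no password file for vault id: $2" >&2; exit 1; }`. The lock is also taken per password file, so decryptions for different vault ids still run concurrently; if the "No secret key" failure comes from contention in gpg-agent or the keyring (the comment does not establish this), one shared lock file would be needed instead. `$(dirname $0)` is still unquoted inside the assignment; `"$(dirname "$0")"` keeps the path intact when the checkout directory contains spaces.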