diff --git a/doc/cuirass.texi b/doc/cuirass.texi index 5b52eaa..62f0a14 100644 --- a/doc/cuirass.texi +++ b/doc/cuirass.texi @@ -741,6 +741,10 @@ The list of URLs where to look for substitutes by default. Use the specific @var{file}s as the public/private key pair used to sign the store items being published. +@item --user=@var{user} +Change privileges to @var{user} as soon as possible---i.e., once the +signing key has been read. + @item --version @itemx -V Display the actual version of @code{cuirass}. diff --git a/src/cuirass/scripts/remote-worker.scm b/src/cuirass/scripts/remote-worker.scm index 8fa58b2..c34456c 100644 --- a/src/cuirass/scripts/remote-worker.scm +++ b/src/cuirass/scripts/remote-worker.scm @@ -27,6 +27,7 @@ #:use-module (cuirass logging) #:use-module (cuirass remote) #:use-module (cuirass ui) + #:autoload (cuirass utils) (gather-user-privileges) #:use-module (gcrypt pk-crypto) #:use-module (guix avahi) #:use-module (guix config) @@ -96,6 +97,8 @@ Start a remote build worker.\n" (%program-name)) (display (G_ " --substitute-urls=URLS check for available substitutes at URLS")) + (display (G_ " + -u, --user=USER change privileges to USER as soon as possible")) (display (G_ " --public-key=FILE use FILE as the public key for signatures")) (display (G_ " @@ -116,6 +119,9 @@ Start a remote build worker.\n" (%program-name)) (option '(#\V "version") #f #f (lambda _ (show-version-and-exit "cuirass remote-worker"))) + (option '(#\u "user") #t #f + (lambda (opt name arg result) + (alist-cons 'user arg result))) (option '(#\w "workers") #t #f (lambda (opt name arg result) (alist-cons 'workers (string->number* arg) result))) @@ -463,6 +469,7 @@ exiting." (server-address (assoc-ref opts 'server)) (systems (assoc-ref opts 'systems)) (urls (assoc-ref opts 'substitute-urls)) + (user (assoc-ref opts 'user)) (public-key (read-file-sexp (assoc-ref opts 'public-key-file))) 
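Review bot: The short form `-u` accepted by the new `(option '(#\u "user") #t #f …)` entry is missing from the manual, which documents only `@item --user=@var{user}`, although the help string advertises `-u, --user=USER`. The texinfo hunk already shows the pattern for this in `@item --version` / `@itemx -V`, so add `@itemx -u @var{user}` directly under the new `@item` line. That keeps the manual, `--help` and the option table in agreement on how the privilege drop is requested.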
@@ -470,6 +477,12 @@ exiting." (read-file-sexp (assoc-ref opts 'private-key-file)))) + (when user + ;; Now that the private key has been read, drop privileges. + (gather-user-privileges user)) + (when (zero? (getuid)) + (warning (G_ "running with root privileges, which is not recommended~%"))) + ;; Distinguish the worker's GC root directory so that, in case a ;; 'cuirass remote-server' process runs on the same machine as a worker, ;; the worker's doesn't end up deleting the server's GC roots.
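Review bot: The check after the privilege drop fails open: if `--user` was given and the process is still UID 0 afterwards (for instance because USER maps to a UID-0 account), `(when (zero? (getuid)) (warning …))` only prints a warning and the worker keeps running as root. It also tests only the real UID. When `user` is set, I would make that state fatal and check the effective UID as well, guarding with `(when (and user (or (zero? (getuid)) (zero? (geteuid)))) …)` and exiting with an error, and keep the plain warning for runs without `--user`. `gather-user-privileges` lives in `(cuirass utils)`, outside this diff, so it cannot be confirmed from here that it also resets the group and supplementary groups; a comment at the call site saying so would help. The enclosing `let*` body starts and ends outside the hunk.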