diff --git a/pkgs/sane-scripts/default.nix b/pkgs/sane-scripts/default.nix
index 3f392a0f..81b9cab0 100644
--- a/pkgs/sane-scripts/default.nix
+++ b/pkgs/sane-scripts/default.nix
@@ -20,6 +20,7 @@ resholve.mkDerivation {
 inputs = with pkgs; [
 coreutils
 curl
+ duplicity
 file
 findutils
 gnugrep
@@ -39,6 +40,7 @@ resholve.mkDerivation {
 which
 ];
 keep = {
+ "/run/secrets/duplicity_passphrase" = true;
 # we write here: keep it
 "/tmp/rmlint.sh" = true;
 # intentionally escapes (into user code)
@@ -58,6 +60,7 @@ resholve.mkDerivation {
 # list of programs which *can* or *cannot* exec their arguments
 execer = with pkgs; [
+ "cannot:${duplicity}/bin/duplicity"
 "cannot:${gocryptfs}/bin/gocryptfs"
 "cannot:${ifuse}/bin/ifuse"
 "cannot:${oath-toolkit}/bin/oathtool"
diff --git a/pkgs/sane-scripts/src/sane-backup-ls b/pkgs/sane-scripts/src/sane-backup-ls
new file mode 100755
index 00000000..23279d6f
--- /dev/null
+++ b/pkgs/sane-scripts/src/sane-backup-ls
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# N.B. must be run as root
+
+set -ex
+
+# source the URL; hack to satisfy resholve
+external_cmd="source /run/secrets/duplicity_passphrase"
+$external_cmd
+duplicity list-current-files --archive-dir /var/lib/duplicity $DUPLICITY_URL
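Review bot: The new `"/run/secrets/duplicity_passphrase" = true;` entry in `keep` has no comment, while the neighbouring entries each say why they are exempt from resolution. It also sits directly above `# we write here: keep it`, which describes `/tmp/rmlint.sh`, so a reader can take that comment to cover the secret path. A line such as `# sourced by sane-backup-ls at runtime: keep it` above the new entry would make clear that the path is read, not written. The `keep` set continues outside this hunk.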
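Review bot: `set -ex` turns on xtrace before `/run/secrets/duplicity_passphrase` is sourced, so every assignment executed from that file is echoed to stderr, and the final `duplicity` line is traced with `$DUPLICITY_URL` expanded. The secret file's contents are not visible here, but its name and the use of `$DUPLICITY_URL` suggest it holds the backup passphrase and target URL, which would then end up in terminal scrollback or in the logs of whatever invokes the script. Use `set -e` instead, or bracket the source with `set +x` and `set -x`. Also quote the argument as `"$DUPLICITY_URL"` so the URL is passed as a single word. Since the file is sourced as root, the header comment should also state that it must be root-owned and not writable by other users.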