diff --git a/pkgs/sane-scripts/src/bin/sane-dump-secret b/pkgs/sane-scripts/src/bin/sane-secrets-dump
similarity index 100%
rename from pkgs/sane-scripts/src/bin/sane-dump-secret
rename to pkgs/sane-scripts/src/bin/sane-secrets-dump
diff --git a/pkgs/sane-scripts/src/bin/sane-unlock-secrets b/pkgs/sane-scripts/src/bin/sane-secrets-unlock
similarity index 100%
rename from pkgs/sane-scripts/src/bin/sane-unlock-secrets
rename to pkgs/sane-scripts/src/bin/sane-secrets-unlock
diff --git a/pkgs/sane-scripts/src/bin/sane-secrets-update-keys b/pkgs/sane-scripts/src/bin/sane-secrets-update-keys
new file mode 100755
index 00000000..9179e33f
--- /dev/null
+++ b/pkgs/sane-scripts/src/bin/sane-secrets-update-keys
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# after modifying .sops.yaml, run this to re-encode all secrets to the new keys
+# pass the base directory (under which *everything* is a secret) as argument
+for i in $1/**/*
+do
+	yes | sops updatekeys "$i"
+done