diff --git a/pkgs/sane-scripts/src/bin/sane-unlock-secrets b/pkgs/sane-scripts/src/bin/sane-unlock-secrets
new file mode 100755
index 00000000..a767a346
--- /dev/null
+++ b/pkgs/sane-scripts/src/bin/sane-unlock-secrets
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+# unlocks the SOPS store (i.e. populate a SOPS key from the user's SSH key)
+set -ex
+
+mkdir -p ~/.config/sops/age
+
+# unlock the SSH key
+cp ~/.ssh/id_ed25519 ~/.config/sops/age/id_ed25519
+ssh-keygen -p -N "" -f ~/.config/sops/age/id_ed25519
+# convert ssh -> age
+ssh-to-age -private-key -i ~/.config/sops/age/id_ed25519 > ~/.config/sops/age/keys.txt
+chmod 600 ~/.config/sops/age/keys.txt
+
+# remove the unlocked SSH key
+rm ~/.config/sops/age/id_ed25519
+
+# present the pubkey for convenience (e.g. if this sops key is new)
+echo pubkey: $(cat ~/.ssh/id_ed25519.pub | ssh-to-age)
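Review bot: The `ssh-to-age ... > ~/.config/sops/age/keys.txt` redirection creates the age private key with the process's default umask (commonly 0644) and only the following `chmod 600` tightens it, so the key is briefly readable by other local users; the same applies to the `cp` of the SSH key if the umask is permissive. Setting `umask 077` right after `set -ex` makes every file the script creates 0600 from the start and makes the later `chmod` redundant rather than load-bearing. Separately, the unlocked (passphrase-stripped) SSH key written by `ssh-keygen -p -N ""` is only removed on the success path; if `ssh-to-age` is missing or fails, `set -e` aborts and the plaintext key stays on disk, so register the cleanup before the copy with `trap 'rm -f ~/.config/sops/age/id_ed25519' EXIT`. With `-e` but no `pipefail`, a failing `cat` in the final pipeline is also masked, though that line is informational only.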