diff --git a/flake.nix b/flake.nix
index 06f22f9..a82af9f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -132,6 +132,7 @@
 nix-remove-result-links
 nixfiles-auto-install
 nixfiles-generate-config
+ nixfiles-generate-backup-secrets
 nixfiles-update-ssh-host-keys
 print-afra
 ssh-gpg
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
index 9c2885e..47253ab 100644
--- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.nix
@@ -4,7 +4,7 @@ pkgs.writeShellApplication {
 name = "nixfiles-generate-backup-secrets";
 text = builtins.readFile ./nixfiles-generate-backup-secrets.sh;
 runtimeInputs = with pkgs; [
- agenix
+ clerie-sops-edit
 apacheHttpd
 git
 pwgen
diff --git a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
index 28dcb42..9286c26 100755
--- a/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
+++ b/pkgs/nixfiles/nixfiles-generate-backup-secrets.sh
@@ -12,21 +12,9 @@ target_cyan_htpasswd="$(htpasswd -nbB "${host}" "${target_cyan}")"
 target_magenta="$(pwgen -1 64 1)"
 target_magenta_htpasswd="$(htpasswd -nbB "${host}" "${target_magenta}")"
 
-mkdir -p "hosts/${host}/secrets"
+echo "$job_main" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-job-main"
+echo "$target_cyan" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-cyan"
+echo "$target_magenta" | clerie-sops-edit "hosts/${host}/secrets.json" set "clerie-backup-target-magenta"
 
-echo "$job_main" | agenix -e "hosts/${host}/secrets/new"
-mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-job-main.age"
-
-echo "$target_cyan" | agenix -e "hosts/${host}/secrets/new"
-mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-cyan.age"
-
-echo "$target_magenta" | agenix -e "hosts/${host}/secrets/new"
-mv "hosts/${host}/secrets/new" "hosts/${host}/secrets/clerie-backup-target-magenta.age"
-
-prev_htpasswd_cyan="$(agenix -d hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age)"
-cat <(echo "$prev_htpasswd_cyan") <(echo "$target_cyan_htpasswd") | agenix -e "hosts/clerie-backup/secrets/new"
-mv "hosts/clerie-backup/secrets/new" "hosts/clerie-backup/secrets/restic-server-cyan-htpasswd.age"
-
-prev_htpasswd_magenta="$(agenix -d "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age")"
-cat <(echo "$prev_htpasswd_magenta") <(echo "$target_magenta_htpasswd") | agenix -e "hosts/backup-4/secrets/new"
-mv "hosts/backup-4/secrets/new" "hosts/backup-4/secrets/restic-server-magenta-htpasswd.age"
+echo "${target_cyan_htpasswd}" | clerie-sops-edit "hosts/clerie-backup/secrets.json" append "restic-server-cyan-htpasswd"
+echo "$target_magenta_htpasswd" | clerie-sops-edit "hosts/backup-4/secrets.json" append "restic-server-magenta-htpasswd"
diff --git a/pkgs/overlay.nix b/pkgs/overlay.nix
index 4f53201..97c7fdf 100644
--- a/pkgs/overlay.nix
+++ b/pkgs/overlay.nix
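Review bot: The two `append` calls at the end of the hunk add an htpasswd line unconditionally while the three `set` calls above them overwrite the host's stored passwords, so a second run for the same host, or a run that fails partway through the five edits across three files, can leave client and server secrets out of step. Assuming `append` only adds a line, the server file would then hold an older entry for `${host}` alongside the new one, and a stale credential that may still authenticate is easy to miss inside an encrypted file. Nothing visible here refuses an already-provisioned host; a guard before the first `clerie-sops-edit` call, or at least a comment such as `# not idempotent: re-running for an existing host appends a second htpasswd entry`, would make that explicit. Separately, the unchanged lines at the top still hand the generated passwords to `htpasswd -b`, which places them in the process argument list; `htpasswd -niB "${host}" <<<"${target_cyan}"` reads the password from stdin instead. The script starts before this hunk, so `host`, `job_main` and any `set -e` are not visible from here.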
@@ -11,6 +11,7 @@ final: prev: {
 nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
 nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
 nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
+ nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
 nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
 print-afra = final.callPackage ./print-afra {};
 ssh-gpg = final.callPackage ./ssh-gpg {};