diff --git a/home/hosts/andromache/default.nix b/home/hosts/andromache/default.nix
index 697fed5f..8989fbd6 100644
--- a/home/hosts/andromache/default.nix
+++ b/home/hosts/andromache/default.nix
@@ -64,6 +64,7 @@
 };
 anki.enable = true;
 k8s.k9s.enable = true;
+ secrets.enable = true;
 taskwarrior.enable = true;
 audio.enable = true;
 ssh.enable = true;
diff --git a/home/hosts/astyanax/default.nix b/home/hosts/astyanax/default.nix
index be86243d..5699a3e7 100644
--- a/home/hosts/astyanax/default.nix
+++ b/home/hosts/astyanax/default.nix
@@ -60,6 +60,7 @@
 };
 anki.enable = true;
 k8s.k9s.enable = true;
+ secrets.enable = true;
 taskwarrior.enable = true;
 secrets.enable = true;
 my.yubikey.enable = true;
diff --git a/home/hosts/work/default.nix b/home/hosts/work/default.nix
index 8e8cbaed..649d4e83 100644
--- a/home/hosts/work/default.nix
+++ b/home/hosts/work/default.nix
@@ -96,6 +96,7 @@
 my.stylix.enable = true;
 git.github.enable = true;
 git.gitlab.enable = true;
+ secrets.enable = true;
 secrets.vault.enable = true;
 bruno.enable = true;
 docker.enable = true;
diff --git a/home/modules/secrets/default.nix b/home/modules/secrets/default.nix
index 3cd0ca67..0130bdd0 100644
--- a/home/modules/secrets/default.nix
+++ b/home/modules/secrets/default.nix
@@ -1,13 +1,19 @@
 {
+ config,
+ lib,
 pkgs,
 ...
 }: {
 imports = [ ./vault.nix ];
- home.packages = with pkgs; [
- age
- age-plugin-yubikey # TODO: only needed when using Yubikey
- sops
- ];
+ options.secrets.enable = lib.mkEnableOption "secrets";
+
+ config = lib.mkIf config.secrets.enable {
+ home.packages = with pkgs; [
+ age
+ age-plugin-yubikey
+ sops
+ ];
+ };
 }
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index d5c33570..3fdc697a 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
@@ -18,6 +18,8 @@ in
 options = {
 secrets = {
+ enable = lib.mkEnableOption "secrets management";
+
 sopsDir = lib.mkOption {
 type = lib.types.str;
 default = "${toString inputs.nix-secrets}/secrets";
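Review bot: The added `secrets.enable = true;` in home/hosts/astyanax/default.nix duplicates the `secrets.enable = true;` that is already present two context lines below it, and if both sit in the same attribute set, as the shared hunk context suggests, Nix rejects the file with "attribute 'secrets.enable' already defined" before any module is evaluated. The andromache and work hunks set the option only once and are fine. Drop the newly added line here (or the pre-existing one) so the option is defined exactly once.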
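Review bot: `age-plugin-yubikey` is still installed unconditionally whenever `secrets.enable` is set in home/modules/secrets/default.nix; the commit only deletes the TODO saying the plugin is needed only for YubiKey users instead of acting on it. The astyanax host sets a `my.yubikey.enable` home option in this same diff, so the package could follow that switch: `home.packages = with pkgs; [ age sops ] ++ lib.optional config.my.yubikey.enable age-plugin-yubikey;`. If that option is not the intended switch, at least keep the comment so the reason for shipping the plugin to every secrets-enabled host is not lost. Leaving `imports = [ ./vault.nix ];` outside the `mkIf` is correct, since imports cannot be conditional.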
@@ -42,7 +44,7 @@ in
 };
 };
- config = {
+ config = lib.mkIf cfg.enable {
 secrets = {
 inherit owner;
 groups = {
@@ -55,10 +57,6 @@ in
 };
 sops = {
- # for yubikey, generate as follows:
- # ```
- # age-plugin-yubikey --identity >
- # ```
 age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
 secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
 };
@@ -68,7 +66,7 @@ in
 ];
 services = {
- pcscd.enable = true; # needed for age-plugin-yubikey?
+ pcscd.enable = true;
 udev.packages = lib.mkIf cfg.yubikey.enable [
 pkgs.yubikey-personalization
 pkgs.libfido2
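Review bot: `config = lib.mkIf cfg.enable {` switches the whole system-level secrets module off by default (`mkEnableOption` defaults to false), yet the only files in this diff that set `secrets.enable = true` are home-manager host configs, which set the home module's option from home/modules/secrets/default.nix, not this one. Unless a NixOS host outside this diff also sets it, `sops.secrets`, `sops.age.keyFile` and `services.pcscd` silently disappear from every system, and any module that reads `config.sops.secrets.<name>.path` fails to evaluate with a missing attribute. Either enable the option in the NixOS host configs in the same commit, or keep existing behavior by defaulting it on: `enable = lib.mkEnableOption "secrets management" // { default = true; };`. The enclosing `config` attribute set continues past the end of this hunk.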