diff --git a/home/default.nix b/home/default.nix
index b58e01e..c29a07c 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -8,6 +8,7 @@
     ./jq.nix
     ./packages.nix
     ./pager.nix
+    ./secrets # Home-manager specific secrets
     ./tmux.nix
     ./zsh
   ];
diff --git a/home/secrets/.gitattributes b/home/secrets/.gitattributes
new file mode 100644
index 0000000..a741d4d
--- /dev/null
+++ b/home/secrets/.gitattributes
@@ -0,0 +1,3 @@
+* filter=git-crypt diff=git-crypt
+.gitattributes !filter !diff
+/default.nix !filter !diff
diff --git a/home/secrets/canary b/home/secrets/canary
new file mode 100644
index 0000000..e910ea3
Binary files /dev/null and b/home/secrets/canary differ
diff --git a/home/secrets/default.nix b/home/secrets/default.nix
new file mode 100644
index 0000000..356c213
--- /dev/null
+++ b/home/secrets/default.nix
@@ -0,0 +1,19 @@
+{ lib, pkgs, ... }:
+
+with lib;
+let
+  canaryHash = builtins.hashFile "sha256" ./canary;
+  expectedHash =
+    "9df8c065663197b5a1095122d48e140d3677d860343256abd5ab6e4fb4c696ab";
+in
+if canaryHash != expectedHash then
+  abort "Secrets are not readable. Have you run `git-crypt unlock`?"
+else {
+  options.my.secrets = mkOption {
+    type = types.attrs;
+  };
+
+  config.my.secrets = {
+    # Home-manager secrets go here
+  };
+}
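Review bot: The `abort` on the mismatch branch of home/secrets/default.nix terminates evaluation uncatchably, so once home/default.nix imports `./secrets` a machine without the git-crypt key cannot build even the parts of the home configuration that reference no secret; `throw "Secrets are not readable. Have you run \`git-crypt unlock\`?"` carries the same message but lets a caller wrap the import in `builtins.tryEval` and fall back to an empty `my.secrets`. The canary check is only sound if `./canary` holds a throwaway marker rather than real secret material, because its plaintext SHA-256 (`expectedHash`) lives in this file, which `.gitattributes` deliberately leaves unencrypted — worth stating in a comment, e.g. `# canary is a non-secret marker; its plaintext hash is committed in clear so a locked checkout is detected`. If this repository is ever evaluated as a flake, the decrypted contents of home/secrets would be copied into the world-readable Nix store along with the rest of the source, which the module's comment should call out. Separately, `pkgs` is bound but never used, and `with lib;` can be replaced by `lib.mkOption` / `lib.types.attrs` to keep the scope explicit.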