diff --git a/pkgs/clan-cli/clan_cli/secrets/__init__.py b/pkgs/clan-cli/clan_cli/secrets/__init__.py
index 3c161d3..4515bcf 100644
--- a/pkgs/clan-cli/clan_cli/secrets/__init__.py
+++ b/pkgs/clan-cli/clan_cli/secrets/__init__.py
@@ -1,6 +1,7 @@
 # !/usr/bin/env python3
 import argparse
 
+from .deploy import register_deploy_parser
 from .generate import register_generate_parser
 from .groups import register_groups_parser
 from .import_sops import register_import_sops_parser
@@ -36,6 +37,9 @@ def register_parser(parser: argparse.ArgumentParser) -> None:
     )
     register_generate_parser(parser_generate)
 
+    parser_deploy = subparser.add_parser("deploy", help="deploy secrets for machines")
+    register_deploy_parser(parser_deploy)
+
     parser_key = subparser.add_parser("key", help="create and show age keys")
     register_key_parser(parser_key)
 
diff --git a/pkgs/clan-cli/clan_cli/secrets/deploy.py b/pkgs/clan-cli/clan_cli/secrets/deploy.py
new file mode 100644
index 0000000..16c1a1c
--- /dev/null
+++ b/pkgs/clan-cli/clan_cli/secrets/deploy.py
@@ -0,0 +1,53 @@
+import argparse
+import subprocess
+import sys
+
+from clan_cli.errors import ClanError
+
+from ..dirs import get_clan_flake_toplevel
+
+
+def deploy_secrets(machine: str) -> None:
+    clan_flake = get_clan_flake_toplevel()
+    proc = subprocess.run(
+        [
+            "nix",
+            "build",
+            "--impure",
+            "--print-out-paths",
+            "--expr",
+            f'let f = builtins.getFlake "{clan_flake}"; in '
+            "(f.nixosConfigurations."
+            f"{machine}"
+            ".extendModules { modules = [{ clanCore.clanDir = "
+            f"{clan_flake}"
+            "; }]; }).config.system.clan.deploySecrets",
+        ],
+        capture_output=True,
+        text=True,
+    )
+    if proc.returncode != 0:
+        print(proc.stderr, file=sys.stderr)
+        raise ClanError(f"failed to deploy secrets:\n{proc.stderr}")
+
+    secret_deploy_script = proc.stdout.strip()
+    secret_deploy = subprocess.run(
+        [secret_deploy_script],
+    )
+
+    if secret_deploy.returncode != 0:
+        raise ClanError("failed to deploy secrets")
+    else:
+        print("successfully deployed secrets")
+
+
+def deploy_command(args: argparse.Namespace) -> None:
+    deploy_secrets(args.machine)
+
+
+def register_deploy_parser(parser: argparse.ArgumentParser) -> None:
+    parser.add_argument(
+        "machine",
+        help="The machine to deploy secrets to",
+    )
+    parser.set_defaults(func=deploy_command)
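Review bot: `machine` is spliced verbatim into the `--expr` Nix expression in deploy_secrets (the `f"{machine}"` fragment), so a name that is not a plain Nix attribute identifier — one containing whitespace, quotes or `${` — either fails with an opaque Nix parse error or, since the evaluation runs with `--impure`, is evaluated as Nix code instead of being looked up as a machine. Validate the CLI argument before the expression is built, e.g. `if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_-]*", machine):` followed by `    raise ClanError(f"invalid machine name: {machine!r}")`, with `import re` added to the module header. `clan_flake` is likewise interpolated unquoted into `clanCore.clanDir = {clan_flake}`, which presumably relies on get_clan_flake_toplevel returning an absolute path without whitespace; that assumption is worth confirming and documenting at the call site. Separately, `proc.stdout.strip()` is passed as a single argv element, so if `--print-out-paths` ever prints more than one path the second subprocess.run fails on a non-existent file with a less clear error than the one raised here; consider checking that the output is exactly one line before executing it.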