diff --git a/modules/age-home.nix b/modules/age-home.nix index c8135b24..e764fcc4 100644 --- a/modules/age-home.nix +++ b/modules/age-home.nix @@ -84,10 +84,12 @@ with lib; let } ''; + enabledSecrets = lib.filter (s: s.enable) (builtins.attrValues cfg.secrets); + installSecrets = builtins.concatStringsSep "\n" ( ["echo '[agenix] decrypting secrets...'"] ++ testIdentities - ++ (map installSecret (builtins.attrValues cfg.secrets)) + ++ (map installSecret enabledSecrets) ++ [cleanupAndLink] ); @@ -97,6 +99,11 @@ with lib; let ... }: { options = { + enable = mkOption { + type = types.bool; + default = true; + description = "Whether to include and decrypt this secret"; + }; name = mkOption { type = types.str; default = name; @@ -155,6 +162,8 @@ with lib; let ''; in { options.age = { + enable = mkEnableOption "agenix" // {default = cfg.secrets != {};}; + package = mkPackageOption pkgs "age" {}; secrets = mkOption { @@ -200,7 +209,7 @@ in { }; }; - config = mkIf (cfg.secrets != {}) { + config = mkIf cfg.enable { assertions = [ { assertion = cfg.identityPaths != []; diff --git a/modules/age.nix b/modules/age.nix index a9064e6f..7c37f8d2 100644 --- a/modules/age.nix +++ b/modules/age.nix @@ -111,10 +111,12 @@ with lib; let } ''; + enabledSecrets = lib.filter (s: s.enable) (builtins.attrValues cfg.secrets); + installSecrets = builtins.concatStringsSep "\n" ( ["echo '[agenix] decrypting secrets...'"] ++ testIdentities - ++ (map installSecret (builtins.attrValues cfg.secrets)) + ++ (map installSecret enabledSecrets) ++ [cleanupAndLink] ); 
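Review bot: The per-secret `enable` option added in the second hunk of age-home.nix (and the matching one in age.nix at `@@ -126,11`) has a description that does not say what a disabled secret looks like to its consumers. Only the install and chown lists are filtered through `enabledSecrets`, so the rest of the submodule, which lies outside these hunks, presumably still evaluates, and a service pointing at the secret's location would find no file at runtime. I would spell that out, e.g. `description = "Whether to decrypt and install this secret. A disabled secret keeps its declared attributes, but no file is written for it.";`. It is also worth checking, outside what is shown here, whether a secret decrypted by an earlier activation is removed once it is switched to `enable = false`, since a stale plaintext copy would otherwise stay on disk.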
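Review bot: The default of `age.enable` in the third hunk (same line in age.nix at `@@ -188,6`) is computed from `cfg.secrets != {}`, so a configuration whose secrets are all set to `enable = false` still turns the module on and evaluates the `cfg.identityPaths != []` assertion with nothing to decrypt. `enabledSecrets` appears to come from the same `let` block, so the default could follow it: `enable = mkEnableOption "agenix" // {default = enabledSecrets != []; defaultText = literalExpression "any (s: s.enable) (attrValues config.age.secrets)";};`. The `defaultText` is worth adding in either case, because the default reads `cfg` and generated option documentation otherwise has to evaluate it.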
@@ -126,11 +128,18 @@ with lib; let chownSecrets = builtins.concatStringsSep "\n" ( ["echo '[agenix] chowning...'"] ++ [chownMountPoint] - ++ (map chownSecret (builtins.attrValues cfg.secrets)) + ++ (map chownSecret enabledSecrets) ); secretType = types.submodule ({config, ...}: { options = { + enable = mkOption { + type = types.bool; + default = true; + description = '' + Whether to include and decrypt this secret + ''; + }; name = mkOption { type = types.str; default = config._module.args.name; @@ -188,6 +197,7 @@ in { ]; options.age = { + enable = mkEnableOption "agenix" // {default = cfg.secrets != {};}; ageBin = mkOption { type = types.str; default = "${pkgs.age}/bin/age"; @@ -252,7 +262,7 @@ in { }; }; - config = mkIf (cfg.secrets != {}) (mkMerge [ + config = mkIf cfg.enable (mkMerge [ { assertions = [ {