diff --git a/default.nix b/default.nix
index 63abb9b1..dedab3e8 100644
--- a/default.nix
+++ b/default.nix
@@ -14,6 +14,9 @@ rec {
 sops-import-keys-hook = pkgs.callPackage ./pkgs/sops-import-keys-hook { };
+ age-fido2-hmac = pkgs.callPackage ./pkgs/age-fido2-hmac {};
+ sops-fido2-hmac = pkgs.callPackage ./pkgs/sops-fido2-hmac {};
+
 # backwards compatibility
 inherit (pkgs) ssh-to-pgp;
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 860a9a95..ff9f1809 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -319,6 +319,14 @@ in
 '';
 };
+ plugins = lib.mkOption {
+ type = lib.types.listOf lib.types.package;
+ default = [];
+ description = ''
+ List of plugins to use for sops decryption.
+ '';
+ };
+
 generateKey = lib.mkOption {
 type = lib.types.bool;
 default = false;
@@ -431,6 +439,7 @@ in
 sops.environment.SOPS_GPG_EXEC = lib.mkIf (cfg.gnupg.home != null || cfg.gnupg.sshKeyPaths != [ ]) (
 lib.mkDefault "${pkgs.gnupg}/bin/gpg"
 );
+ sops.environment.PATH= lib.makeBinPath cfg.age.plugins;
 # When using sysusers we no longer are started as an activation script because those are started in initrd while sysusers is started later.
 systemd.services.sops-install-secrets = lib.mkIf (regularSecrets != { } && useSystemdActivation) {
diff --git a/pkgs/age-fido2-hmac/default.nix b/pkgs/age-fido2-hmac/default.nix
new file mode 100644
index 00000000..4dae7753
--- /dev/null
+++ b/pkgs/age-fido2-hmac/default.nix
@@ -0,0 +1,14 @@
+{ age-plugin-fido2-hmac
+, runCommand
+, makeWrapper
+, lib
+, age
+}:
+
+runCommand "age" {
+ nativeBuildInputs = [ makeWrapper ];
+} ''
+ mkdir -p $out/bin
+ makeWrapper ${age}/bin/age $out/bin/age \
+ --prefix PATH : ${lib.makeBinPath [ age-plugin-fido2-hmac ]}
+''
\ No newline at end of file
diff --git a/pkgs/sops-fido2-hmac/default.nix b/pkgs/sops-fido2-hmac/default.nix
new file mode 100644
index 00000000..288255bb
--- /dev/null
+++ b/pkgs/sops-fido2-hmac/default.nix
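Review bot: The `plugins` option description does not say how the listed packages are consumed, and a reader of the module cannot tell from "List of plugins to use for sops decryption" that only each package's `bin/` directory matters or that it ends up on the secret installer's `PATH` (the later hunk in this file). age locates plugins by executable name, so the description should say so: `Packages whose bin/ directory is added to the PATH of the secret installer so that age can find its plugin executables (age-plugin-<name>) while decrypting secrets.` An `example = [ pkgs.age-plugin-fido2-hmac ];` would also help, since that package is what the two new derivations in this commit wrap. The enclosing option set starts and ends outside the hunk.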
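Review bot: `sops.environment.PATH= lib.makeBinPath cfg.age.plugins;` is set unconditionally and without a priority, unlike the `SOPS_GPG_EXEC` definition directly above it: with the default empty list it still injects `PATH=""` into the installer's environment, and a user's own `sops.environment.PATH` definition will presumably conflict with this one rather than override it. Since this value is what decides which `age-plugin-*` executables can be found while secrets are decrypted, it should be set only when there is something to put on it and remain overridable, mirroring the gpg line: `sops.environment.PATH = lib.mkIf (cfg.age.plugins != [ ]) (lib.mkDefault (lib.makeBinPath cfg.age.plugins));` (this also fixes the missing space before `=`). The surrounding config block starts and ends outside the hunk.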
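Review bot: `runCommand "age"` gives the wrapper the same store name as the `age` package it wraps, so build output, `nix path-info` listings and error messages cannot distinguish the wrapper from the real package; name it after its attribute, e.g. `runCommand "age-fido2-hmac"`, or derive it from the wrapped package with `"${age.name}-fido2-hmac"`. The wrapper also drops the wrapped package's `meta`; adding `inherit (age) meta;` to the attribute set would keep it and match what the sibling `sops-fido2-hmac` derivation does with `inherit (sops) meta;`. The file is also missing its trailing newline, as is the other new file in this commit.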
@@ -0,0 +1,38 @@
+{
+ sops,
+ fetchFromGitHub,
+ buildGoModule,
+ age-plugin-fido2-hmac,
+ makeWrapper
+}:
+
+let
+ version = "2024-11-23";
+in
+buildGoModule {
+ pname = "sops-fido2-hmac";
+ inherit version;
+ src = fetchFromGitHub {
+ owner = "brianmcgee";
+ repo = "sops";
+ rev = "0607eae847f1ae21205b5e2a919de6d5868f6395";
+ sha256 = "sha256-mWsIg9TXGlA8EuFD7Pb0w8PsD3LvCMCy1X9OTITxvsU=";
+ };
+ vendorHash = "sha256-NS0b25NQEJle///iRHAG3uTC5p6rlGSyHVwEESki3p4=";
+
+ subPackages = [ "cmd/sops" ];
+
+ ldflags = [
+ "-s"
+ "-w"
+ "-X github.com/getsops/sops/v3/version.Version=${version}"
+ ];
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ postInstall = ''
+ wrapProgram $out/bin/sops --prefix PATH : ${age-plugin-fido2-hmac}/bin
+ '';
+
+ inherit (sops) meta;
+}
\ No newline at end of file
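Review bot: The pinned fork at `brianmcgee/sops` rev `0607eae847f1ae21205b5e2a919de6d5868f6395` is the only supply-chain control on this package, yet nothing in the file says what that fork carries over upstream `getsops/sops` or where the change is tracked, so whoever next bumps `rev`, `sha256` and `vendorHash` has no stated baseline for what they are re-auditing; add a comment above `src` along the lines of `# Fork of getsops/sops carrying age plugin support that is not yet upstream; bump rev, sha256 and vendorHash together and re-check the fork's delta`. `version = "2024-11-23"` is also fed through the `-X github.com/getsops/sops/v3/version.Version` ldflag, so the built binary reports a date rather than the sops release the fork is based on; a base-derived string such as `"${sops.version}-unstable-2024-11-23"` would keep it comparable with upstream, if `sops.version` is available. Note too that `inherit (sops) meta;` carries upstream's metadata (homepage, changelog) for a fork, which may be acceptable but is worth a comment.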