diff --git a/README.md b/README.md
index 8a32e64..9ae2822 100644
--- a/README.md
+++ b/README.md
@@ -798,6 +798,7 @@ in an effort to not break complex setups (e.g. WSL passthrough).
 # ⌨ Environment variables
 ## `AGENIX_REKEY_PRIMARY_IDENTITY`
+
 If this environment variable is set to a public key, agenix-rekey will try to find it among the explicitly specified or implicitly extracted pubkeys (see `age.rekey.masterIdentities`). If it finds a matching pubkey, its associated identity file will be added in front of all
@@ -807,3 +808,9 @@ when it is known that only a specific one is available.
 It also allows PIN caching for Yubikeys other than the first one in the list of master identities (see [this issue comment](https://github.com/str4d/age-plugin-yubikey/issues/178#issuecomment-2077003145)). The description of [pull request #28](https://github.com/oddlama/agenix-rekey/pull/28) provides further details.
+
+## `AGENIX_REKEY_PRIMARY_IDENTITY_ONLY`
+
+If this environment variable is set to `true`, agenix-rekey will only ever try to decrypt with
+the identity given by `AGENIX_REKEY_PRIMARY_IDENTITY`. This is useful in cases where at least one
+of the other configured master identities is always physically available or in other ways inaccessible.
diff --git a/modules/agenix-rekey.nix b/modules/agenix-rekey.nix
index f613081..6d07109 100644
--- a/modules/agenix-rekey.nix
+++ b/modules/agenix-rekey.nix
@@ -1,6 +1,5 @@
 nixpkgs: {
   lib,
-  options,
   config,
   pkgs,
   ...
@@ -262,6 +261,15 @@ in {
           description = "The true identifier of this secret as used in `age.secrets`.";
         };
+        intermediary = {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether the secret is only required as an intermediary/repository
+            secret and should not be uploaded and decrypted on the host.
+          '';
+        };
+
         rekeyFile = mkOption {
           type = types.nullOr types.path;
           default =
diff --git a/nix/lib.nix b/nix/lib.nix
index 9d4affe..4ae966b 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
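Review bot: `intermediary = {` on the new side of the second modules/agenix-rekey.nix hunk is not wrapped in `mkOption`, unlike the neighbouring `rekeyFile = mkOption {` and the option whose `description` closes just above it; declared bare, the module system would as far as I can tell treat `intermediary` as a nested set of options named `type`, `default` and `description` rather than as a boolean option defaulting to `false`, so `age.secrets.<name>.intermediary` would not evaluate as the description promises. The fix is the one-line change `intermediary = mkOption {`. The code that is supposed to honour this flag by skipping upload and host-side decryption of such secrets is not in this diff, so it is worth confirming that the upload/decrypt path actually filters on this option and that a secret is only kept off the host when the flag is explicitly set. The enclosing submodule starts and ends outside the hunk.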
@@ -143,7 +143,11 @@
           ${envPath} ${ageProgram} -e "''${masterIdentityArgs[@]}" ${extraEncryptionPubkeyArgs} "''${@:2}"
         else
           # Prepend primary key argument before all others to it gets the first attempt at decrypting.
-          ${envPath} ${ageProgram} -d "''${primaryIdentityArgs[@]}" ${decryptionMasterIdentityArgs} "''${@:2}"
+          if [[ -n "''${AGENIX_REKEY_PRIMARY_IDENTITY:-}" ]] && [[ "''${AGENIX_REKEY_PRIMARY_IDENTITY_ONLY:-}" == true ]]; then
+            ${envPath} ${ageProgram} -d "''${primaryIdentityArgs[@]}" "''${@:2}"
+          else
+            ${envPath} ${ageProgram} -d "''${primaryIdentityArgs[@]}" ${decryptionMasterIdentityArgs} "''${@:2}"
+          fi
         fi
       '';
     };
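Review bot: The new primary-only branch checks that `AGENIX_REKEY_PRIMARY_IDENTITY` is set but not that `primaryIdentityArgs` actually resolved to an identity; that array is populated outside this hunk, so if the given pubkey matches none of the master identities it is presumably empty and `age -d` is then invoked with no identity at all, failing with age's own error rather than a message that names the misconfiguration. Before the primary-only invocation I would add `if [[ ''${#primaryIdentityArgs[@]} -eq 0 ]]; then echo "AGENIX_REKEY_PRIMARY_IDENTITY_ONLY is set but the primary identity was not found among the master identities" >&2; exit 1; fi`, or put the same check where the array is built. The comparison `== true` is exact, so values like `1` or `TRUE` silently fall through to the old path that tries every configured master identity; the README hunk does say the variable must be `true`, which matches, but a short comment on the `if` line stating that only the literal `true` enables the mode would save the next reader a trip to the docs. The shell script this hunk belongs to starts and ends outside the hunk.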