diff --git a/Scripts/_burrow-secrets.sh b/Scripts/_burrow-secrets.sh
index 2ecd282..9ebd1f5 100644
--- a/Scripts/_burrow-secrets.sh
+++ b/Scripts/_burrow-secrets.sh
@@ -3,6 +3,38 @@ set -euo pipefail
 
 BURROW_SECRET_TMPFILES=()
 
+burrow_secret_repo_path() {
+ local repo_root="$1"
+ local secret_path="$2"
+
+ case "${secret_path}" in
+ "${repo_root}"/*)
+ printf '%s\n' "${secret_path#${repo_root}/}"
+ ;;
+ *)
+ printf '%s\n' "${secret_path}"
+ ;;
+ esac
+}
+
+burrow_agenix_identity_path() {
+ local repo_root="$1"
+ local candidate
+
+ for candidate in \
+ "${BURROW_AGE_IDENTITY:-}" \
+ "${BURROW_FORGE_SSH_KEY:-}" \
+ "${repo_root}/intake/agent_at_burrow_net_ed25519" \
+ "${HOME}/.ssh/agent_at_burrow_net_ed25519" \
+ "${HOME}/.ssh/id_ed25519"
+ do
+ if [[ -n "${candidate}" && -f "${candidate}" ]]; then
+ printf '%s\n' "${candidate}"
+ return 0
+ fi
+ done
+}
+
 burrow_cleanup_secret_tmpfiles() {
 local path
 for path in "${BURROW_SECRET_TMPFILES[@]:-}"; do
@@ -14,15 +46,23 @@ burrow_cleanup_secret_tmpfiles() {
 burrow_decrypt_age_secret_to_temp() {
 local repo_root="$1"
 local secret_path="$2"
+ local agenix_path
+ local identity_path
 local tmp_file
 
 if [[ ! -f "${secret_path}" ]]; then
 echo "age secret not found: ${secret_path}" >&2
 return 1
 fi
 
+ agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
+ identity_path="$(burrow_agenix_identity_path "${repo_root}")"
 tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")"
- nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${secret_path}" > "${tmp_file}"
+ if [[ -n "${identity_path}" ]]; then
+ nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" -i "${identity_path}" > "${tmp_file}"
+ else
+ nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${agenix_path}" > "${tmp_file}"
+ fi
 chmod 600 "${tmp_file}"
 BURROW_SECRET_TMPFILES+=("${tmp_file}")
 printf '%s\n' "${tmp_file}"
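Review bot: In burrow_agenix_identity_path an explicitly set `BURROW_AGE_IDENTITY` or `BURROW_FORGE_SSH_KEY` that names a missing file is silently skipped, so a typo in the override quietly falls through to `~/.ssh/id_ed25519` and the caller decrypts or re-encrypts with a key the operator did not choose. An explicit override should fail loudly instead, e.g. `if [[ -n "${BURROW_AGE_IDENTITY:-}" && ! -r "${BURROW_AGE_IDENTITY}" ]]; then echo "BURROW_AGE_IDENTITY not readable: ${BURROW_AGE_IDENTITY}" >&2; return 1; fi` placed before the loop (and the same for the forge key). Separately, in burrow_secret_repo_path the inner expansion in `"${secret_path#${repo_root}/}"` is unquoted, so a repo root containing `*`, `?` or `[` is interpreted as a glob pattern; `"${secret_path#"${repo_root}"/}"` strips the prefix literally, matching the already-quoted case pattern above it. burrow_cleanup_secret_tmpfiles continues past the end of this hunk.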
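Review bot: The temp file is appended to BURROW_SECRET_TMPFILES only after the nix run, so if either of the new agenix invocations fails the file created by mktemp is never registered and, assuming burrow_cleanup_secret_tmpfiles is wired to an EXIT trap elsewhere in the script, it is left behind in TMPDIR with whatever partial output was written before the error. Registering the path immediately after mktemp closes that gap, and collecting the agenix arguments in an array removes the duplicated command line that the `-i` branch introduces. The closing brace of burrow_decrypt_age_secret_to_temp is outside this hunk.

```shell
  tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")"
  # Register before decrypting so the cleanup hook also removes it on failure.
  BURROW_SECRET_TMPFILES+=("${tmp_file}")
  local -a agenix_args=(-d "${agenix_path}")
  if [[ -n "${identity_path}" ]]; then
    agenix_args+=(-i "${identity_path}")
  fi
  nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- "${agenix_args[@]}" > "${tmp_file}"
  # … unchanged: chmod 600 and printf of the temp path …
```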
@@ -66,13 +106,23 @@ burrow_encrypt_secret_from_file() {
 local repo_root="$1"
 local secret_path="$2"
 local source_path="$3"
+ local agenix_path
+ local identity_path
 
 if [[ ! -s "${source_path}" ]]; then
 echo "secret source missing or empty: ${source_path}" >&2
 return 1
 fi
 
+ agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
+ identity_path="$(burrow_agenix_identity_path "${repo_root}")"
- SECRET_SOURCE_FILE="${source_path}" \
- EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
- nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${secret_path}"
+ if [[ -n "${identity_path}" ]]; then
+ SECRET_SOURCE_FILE="${source_path}" \
+ EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
+ nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}" -i "${identity_path}"
+ else
+ SECRET_SOURCE_FILE="${source_path}" \
+ EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
+ nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${agenix_path}"
+ fi
 }
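Review bot: The two branches repeat the full SECRET_SOURCE_FILE/EDITOR/nix invocation and differ only in the trailing `-i "${identity_path}"`, so any future change to the editor hook or the nix flags has to be made twice and can drift. Collecting the agenix arguments in an array leaves a single invocation, and it also makes it explicit that when no identity is found the script is deferring to agenix's own default identity lookup rather than making a choice here; a one-line comment saying so would help the next reader. The signature line of burrow_encrypt_secret_from_file is above this hunk.

```shell
  local -a agenix_args=(-e "${agenix_path}")
  if [[ -n "${identity_path}" ]]; then
    agenix_args+=(-i "${identity_path}")
  fi
  # With no -i, agenix falls back to its own default identity search.
  SECRET_SOURCE_FILE="${source_path}" \
  EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
  nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- "${agenix_args[@]}"
```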