--- a/src/cmds/fetch_keys.rs
+++ /dev/null
@@ -1,43 +0,0 @@
-use crate::host::FleetOpts;
-use anyhow::Result;
-use clap::Clap;
-use log::{info, warn};
-
-#[derive(Clap)]
-pub struct FetchKeys {
- #[clap(flatten)]
- fleet_opts: FleetOpts,
-
- /// If true - remove orphaned keys
- #[clap(long)]
- cleanup: bool,
-}
-
-impl FetchKeys {
- pub fn run(self) -> Result<()> {
- let fleet = self.fleet_opts.build()?;
- let hosts = fleet.list_hosts()?;
- for host in hosts.iter() {
- if host.skip() {
- warn!("Skipped host {}", host.hostname);
- continue;
- }
- host.key()?;
- }
- let orphans: Vec<_> = fleet.list_orphaned_keys()?;
- if !orphans.is_empty() {
- if self.cleanup {
- info!("Removed orphan host keys:");
- } else {
- info!("Orphan host keys found, run with --cleanup to remove them from db:");
- }
- for (name, path) in orphans {
- info!("- {}", name);
- if self.cleanup {
- std::fs::remove_file(path)?;
- }
- }
- }
- Ok(())
- }
-}
--- /dev/null
+++ b/src/cmds/secrets/mod.rs
@@ -0,0 +1,51 @@
+use std::io::Write;
+
+use anyhow::Result;
+use clap::Clap;
+
+use crate::host::Config;
+
+#[derive(Clap)]
+pub enum Secrets {
+ /// Force load keys for all defined hosts
+ ForceKeys,
+ /// Add secret, data should be provided in stdin
+ Add {
+ /// Secret owner
+ machine: String,
+ /// Secret name
+ name: String,
+ },
+}
+
+impl Secrets {
+ pub fn run(self, config: &Config) -> Result<()> {
+ match self {
+ Secrets::ForceKeys => {
+ for host in config.list_hosts()? {
+ if config.should_skip(&host) {
+ continue;
+ }
+ config.key(&host)?;
+ }
+ }
+ Secrets::Add { machine, name } => {
+ let recipient = config.recipient(&machine)?;
+ let encryptor = age::Encryptor::with_recipients(vec![Box::new(recipient)]);
+
+ let mut encrypted = vec![];
+ {
+ let mut w = encryptor.wrap_output(&mut encrypted)?;
+
+ let stdin = std::io::stdin();
+ let mut lock = stdin.lock();
+ std::io::copy(&mut lock, &mut w)?;
+ w.flush()?;
+ }
+
+ config.update_secret(&machine, &name, &encrypted)
+ }
+ }
+ Ok(())
+ }
+}
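Review bot: The result of `config.update_secret(&machine, &name, &encrypted)` at the end of the `Secrets::Add` arm is not propagated — if that call is fallible the error is silently dropped and the arm's type no longer matches the `ForceKeys` arm, so it should read `config.update_secret(&machine, &name, &encrypted)?;`. The age writer returned by `wrap_output` also needs `w.finish()?;` in place of only `w.flush()?;` — as far as I recall the age API, the final STREAM chunk and its authentication tag are written only by `finish`, so the ciphertext assembled here is likely truncated and would fail to decrypt on the target machine; worth confirming against the crate version in use. Nothing guards against an empty stdin, which would store an empty secret without any diagnostic. With the deletion of `fetch_keys.rs` the orphan-key listing and `--cleanup` path disappears entirely; if that is intentional it deserves a line in the commit message, otherwise `ForceKeys` is the natural place to keep it.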
--- a/src/main.rs
+++ b/src/main.rs
@@ -15,12 +15,12 @@
 #[derive(Clap)]
 #[clap(version = "1.0", author = "CertainLach ")]
 enum Opts {
- /// Fetch encryption (ssh) public keys from remote hosts
- FetchKeys(FetchKeys),
 /// Force generation of missing secrets
 GenerateSecrets(GenerateSecrets),
 /// Prepare systems for deployments
 BuildSystems(BuildSystems),
+ /// Secret management
+ Secrets(Secrets),
 }
 
 fn main() -> Result<()> {