--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -288,6 +288,8 @@
 created_at,
 expires_at,
 parts,
+ // TODO: Fill with expected
+ generation_data: serde_json::Value::Null,
 })
 }
 async fn generate(
@@ -507,6 +509,7 @@
 created_at: Utc::now(),
 expires_at,
 parts,
+ generation_data: serde_json::Value::Null,
 },
 },
 );
@@ -534,6 +537,7 @@
 created_at: Utc::now(),
 expires_at: None,
 parts: BTreeMap::new(),
+ generation_data: serde_json::Value::Null,
 }
 };
--- a/crates/fleet-base/src/fleetdata.rs
+++ b/crates/fleet-base/src/fleetdata.rs
@@ -117,4 +117,8 @@
 #[serde(flatten)]
 pub parts: BTreeMap,
+
+ #[serde(default)]
+ #[serde(skip_serializing_if = "Value::is_null")]
+ pub generation_data: Value,
 }
--- a/crates/nix-eval/src/macros.rs
+++ b/crates/nix-eval/src/macros.rs
@@ -7,7 +7,7 @@
 pub(crate) out: String,
 used_fields: Vec,
 }
-trait AttrSetValue {
+pub trait AttrSetValue {
 fn to_builder(self) -> NixExprBuilder;
 }
 trait Primitive {}
--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -41,6 +41,17 @@
 type = str;
 description = "Secret public data (only available for plaintext)";
 };
+
+ expectedGenerationData = mkOption {
+ type = unspecified;
+ description = "Data that gets embedded into secret part";
+ default = null;
+ };
+ generationData = mkOption {
+ type = unspecified;
+ description = "Data that is embedded into secret part";
+ default = null;
+ };
 };
 config = {
 hash = hashString "sha1" config.raw;
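Review bot: `generation_data` is hard-coded to `serde_json::Value::Null` at all three construction sites (this hunk and the ones at -507 and -534), and only the first carries the TODO. Combined with `skip_serializing_if = "Value::is_null"` in fleetdata.rs, nothing is ever written, so any later comparison against `expectedGenerationData` would see null on both sides. If the field is meant to show that a stored secret no longer matches its generator inputs (inferred from the option names), that check is a no-op until the TODO is done. I would repeat the marker at each site and state the meaning of the placeholder, e.g. `// TODO: fill from expectedGenerationData; Null means "not recorded", not "matches"`. The enclosing functions start and end outside these hunks.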
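Review bot: The new named field `generation_data` sits directly after `#[serde(flatten)] pub parts`, which turns `generation_data` into a reserved key. As far as serde's flatten handling goes, an entry with that name is consumed by the field rather than collected into `parts`, so a secret part called `generation_data` would silently vanish from the map on load. The field also has no doc comment, and it holds an arbitrary `Value` that is serialized as-is next to the parts. I would add a `///` comment saying the key is reserved and that the value must not contain secret material (this assumes the data file is stored unencrypted, which the hunk does not show), and reject that part name where parts are created. The struct definition starts outside the hunk.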
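Review bot: `AttrSetValue` becomes `pub` with no doc comment, while the neighbouring `Primitive` trait stays private, so the crate's public surface grows without a stated contract for `to_builder`. If the trait is exported only so that macro-expanded code in other crates can name it (a guess from the file name macros.rs), `#[doc(hidden)]` plus a one-line `/// Implementation detail of the attribute-set macros; not a stable API.` would keep it out of the supported interface. Otherwise it should document what implementors must return. The struct above the trait is cut off by the hunk.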
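Review bot: The two new options have near-identical descriptions ("gets embedded" and "is embedded"), so a reader cannot tell which one the operator sets and which one reflects what is stored with the secret. Both use `type = unspecified`, which does no checking, while the Rust side holds the value as `serde_json::Value`, so something that does not serialize to JSON would presumably fail only late. I would make the descriptions distinct and say the data is not secret, for example `description = "Non-secret generator inputs this secret is expected to have been produced from";` and `description = "Non-secret generator inputs recorded when the stored secret was generated";`. If `generationData` is filled in by the tool rather than by users (not visible here), marking it `readOnly = true;` would document that as well.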