diff --git a/Cargo.lock b/Cargo.lock
index fb8b4f5c..5d38b92a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1276,6 +1276,7 @@ dependencies = [
  "http",
  "hyper",
  "lazy_static",
+ "mktemp",
  "netapp",
  "opentelemetry",
  "rand 0.8.5",
diff --git a/Cargo.nix b/Cargo.nix
index 79601cdd..9ee5b9fb 100644
--- a/Cargo.nix
+++ b/Cargo.nix
@@ -32,7 +32,7 @@ args@{
   ignoreLockHash,
 }:
 let
-  nixifiedLockHash = "b6aeefc112eb232904b24398f4e5da776c8ee2c13d427a26dbdf1732205d4fc9";
+  nixifiedLockHash = "8461dcfb984a8d042fecb5745d5da17912135dbf2a8ef7e6c3ae8e64c03d9744";
   workspaceSrc = if args.workspaceSrc == null then ./. else args.workspaceSrc;
   currentLockHash = builtins.hashFile "sha256" (workspaceSrc + /Cargo.lock);
   lockHashIgnored = if ignoreLockHash
@@ -1820,6 +1820,9 @@ in
       tracing = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".tracing."0.1.32" { inherit profileName; }).out;
       xxhash_rust = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".xxhash-rust."0.8.4" { inherit profileName; }).out;
     };
+    devDependencies = {
+      mktemp = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".mktemp."0.4.1" { inherit profileName; }).out;
+    };
   });
   
   "unknown".garage_web."0.8.1" = overridableMkRustCrate (profileName: rec {
diff --git a/flake.nix b/flake.nix
index 85a500ce..c1d772bb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,7 +30,7 @@
           cargo2nixOverlay = cargo2nix.overlays.default;
           release = false;
         }).workspaceShell {
-          packages = [ pkgs.rustfmt ];
+          packages = [ pkgs.rustfmt cargo2nix.packages.${system}.default ];
         });
       });
 }
diff --git a/src/util/Cargo.toml b/src/util/Cargo.toml
index 32e9c851..1017b1ce 100644
--- a/src/util/Cargo.toml
+++ b/src/util/Cargo.toml
@@ -47,6 +47,8 @@ hyper = "0.14"
 
 opentelemetry = { version = "0.17", features = [ "rt-tokio", "metrics", "trace" ] }
 
+[dev-dependencies]
+mktemp = "0.4"
 
 [features]
 k2v = []
diff --git a/src/util/config.rs b/src/util/config.rs
index 5471fc41..f0a881aa 100644
--- a/src/util/config.rs
+++ b/src/util/config.rs
@@ -261,3 +261,123 @@ where
 
 	deserializer.deserialize_any(OptionVisitor)
 }
+
+#[cfg(test)]
+mod tests {
+	use crate::error::Error;
+	use std::fs::File;
+	use std::io::Write;
+
+	#[test]
+	fn test_rpc_secret_is_required() -> Result<(), Error> {
+		let path1 = mktemp::Temp::new_file()?;
+		let mut file1 = File::create(path1.as_path())?;
+		writeln!(
+			file1,
+			r#"
+			metadata_dir = "/tmp/garage/meta"
+			data_dir = "/tmp/garage/data"
+			replication_mode = "3"
+			rpc_bind_addr = "[::]:3901"
+		
+			[s3_api]
+			s3_region = "garage"
+			api_bind_addr = "[::]:3900"
+			"#
+		)?;
+		assert_eq!(
+			"either `rpc_secret` or `rpc_secret_file` needs to be set",
+			super::read_config(path1.to_path_buf())
+				.unwrap_err()
+				.to_string()
+		);
+		drop(path1);
+		drop(file1);
+
+		let path2 = mktemp::Temp::new_file()?;
+		let mut file2 = File::create(path2.as_path())?;
+		writeln!(
+			file2,
+			r#"
+			metadata_dir = "/tmp/garage/meta"
+			data_dir = "/tmp/garage/data"
+			replication_mode = "3"
+			rpc_bind_addr = "[::]:3901"
+			rpc_secret = "foo"
+
+			[s3_api]
+			s3_region = "garage"
+			api_bind_addr = "[::]:3900"
+			"#
+		)?;
+
+		let config = super::read_config(path2.to_path_buf())?;
+		assert_eq!("foo", config.rpc_secret.unwrap());
+		drop(path2);
+		drop(file2);
+
+		Ok(())
+	}
+
+	#[test]
+	fn test_rpc_secret_file_works() -> Result<(), Error> {
+		let path_secret = mktemp::Temp::new_file()?;
+		let mut file_secret = File::create(path_secret.as_path())?;
+		writeln!(file_secret, "foo")?;
+		drop(file_secret);
+
+		let path_config = mktemp::Temp::new_file()?;
+		let mut file_config = File::create(path_config.as_path())?;
+		let path_secret_path = path_secret.as_path().display();
+		writeln!(
+			file_config,
+			r#"
+			metadata_dir = "/tmp/garage/meta"
+			data_dir = "/tmp/garage/data"
+			replication_mode = "3"
+			rpc_bind_addr = "[::]:3901"
+			rpc_secret_file = "{path_secret_path}"
+		
+			[s3_api]
+			s3_region = "garage"
+			api_bind_addr = "[::]:3900"
+			"#
+		)?;
+		let config = super::read_config(path_config.to_path_buf())?;
+		assert_eq!("foo", config.rpc_secret.unwrap());
+		drop(path_config);
+		drop(path_secret);
+		drop(file_config);
+		Ok(())
+	}
+
+	#[test]
+	fn test_rcp_secret_and_rpc_secret_file_cannot_be_set_both() -> Result<(), Error> {
+		let path_config = mktemp::Temp::new_file()?;
+		let mut file_config = File::create(path_config.as_path())?;
+		writeln!(
+			file_config,
+			r#"
+			metadata_dir = "/tmp/garage/meta"
+			data_dir = "/tmp/garage/data"
+			replication_mode = "3"
+			rpc_bind_addr = "[::]:3901"
+			rpc_secret= "dummy"
+			rpc_secret_file = "dummy"
+		
+			[s3_api]
+			s3_region = "garage"
+			api_bind_addr = "[::]:3900"
+			"#
+		)?;
+		assert_eq!(
+			"only one of `rpc_secret` and `rpc_secret_file` can be set",
+			super::read_config(path_config.to_path_buf())
+				.unwrap_err()
+				.to_string()
+		);
+		drop(path_config);
+		drop(file_config);
+		Ok(())
+	}
+}