diff --git a/pkgs/clan-cli/clan_cli/secrets/secrets.py b/pkgs/clan-cli/clan_cli/secrets/secrets.py
index 89925755c..27378e9fa 100644
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@@ -212,7 +212,13 @@ def set_command(args: argparse.Namespace) -> None:
 
 
 def rename_command(args: argparse.Namespace) -> None:
-    pass
+    old_path = sops_secrets_folder() / args.secret
+    new_path = sops_secrets_folder() / args.new_name
+    if not old_path.exists():
+        raise ClanError(f"Secret '{args.secret}' does not exist")
+    if new_path.exists():
+        raise ClanError(f"Secret '{args.new_name}' already exists")
+    os.rename(old_path, new_path)
 
 
 def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:
@@ -250,9 +256,7 @@ def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:
 
     parser_rename = subparser.add_parser("rename", help="rename a secret")
     add_secret_argument(parser_rename)
-    parser_rename.add_argument(
-        "new_name", help="the new name of the secret", type=secret_name_type
-    )
+    parser_rename.add_argument("new_name", type=str, help="the new name of the secret")
     parser_rename.set_defaults(func=rename_command)
 
     parser_remove = subparser.add_parser("remove", help="remove a secret")
diff --git a/pkgs/clan-cli/tests/test_secrets_cli.py b/pkgs/clan-cli/tests/test_secrets_cli.py
index ccdffd799..80bf1e752 100644
--- a/pkgs/clan-cli/tests/test_secrets_cli.py
+++ b/pkgs/clan-cli/tests/test_secrets_cli.py
@@ -129,9 +129,9 @@ def test_secrets(
 
     with pytest.raises(ClanError):  # does not exist yet
         cli.run(["secrets", "get", "nonexisting"])
-    cli.run(["secrets", "set", "key"])
+    cli.run(["secrets", "set", "initialkey"])
     capsys.readouterr()
-    cli.run(["secrets", "get", "key"])
+    cli.run(["secrets", "get", "initialkey"])
     assert capsys.readouterr().out == "foo"
     capsys.readouterr()
     cli.run(["secrets", "users", "list"])
@@ -139,6 +139,8 @@ def test_secrets(
     assert len(users) == 1, f"users: {users}"
     owner = users[0]
 
+    cli.run(["secrets", "rename", "initialkey", "key"])
+
     capsys.readouterr()  # empty the buffer
     cli.run(["secrets", "list"])
     assert capsys.readouterr().out == "key\n"