diff --git a/pkgs/clan-cli/clan_cli/secrets/check.py b/pkgs/clan-cli/clan_cli/secrets/check.py
index ea348548e..5c51d28a4 100644
--- a/pkgs/clan-cli/clan_cli/secrets/check.py
+++ b/pkgs/clan-cli/clan_cli/secrets/check.py
@@ -7,7 +7,7 @@ from ..machines.machines import Machine
 log = logging.getLogger(__name__)
-def check_secrets(machine: Machine) -> bool:
+def check_secrets(machine: Machine, service: None | str = None) -> bool:
 secrets_module = importlib.import_module(machine.secrets_module)
 secret_store = secrets_module.SecretStore(machine=machine)
 facts_module = importlib.import_module(machine.facts_module)
@@ -15,7 +15,11 @@ def check_secrets(machine: Machine) -> bool:
 missing_secrets = []
 missing_facts = []
- for service in machine.secrets_data:
+ if service:
+ services = [service]
+ else:
+ services = list(machine.secrets_data.keys())
+ for service in services:
 for secret in machine.secrets_data[service]["secrets"]:
 if isinstance(secret, str):
 secret_name = secret
@@ -38,8 +42,11 @@ def check_secrets(machine: Machine) -> bool:
 def check_command(args: argparse.Namespace) -> None:
- machine = Machine(name=args.machine, flake=args.flake)
- check_secrets(machine)
+ machine = Machine(
+ name=args.machine,
+ flake=args.flake,
+ )
+ check_secrets(machine, service=args.service)
 def register_check_parser(parser: argparse.ArgumentParser) -> None:
@@ -47,4 +54,8 @@ def register_check_parser(parser: argparse.ArgumentParser) -> None:
 "machine",
 help="The machine to check secrets for",
 )
+ parser.add_argument(
+ "--service",
+ help="the service to check",
+ )
 parser.set_defaults(func=check_command)
diff --git a/pkgs/clan-cli/clan_cli/secrets/generate.py b/pkgs/clan-cli/clan_cli/secrets/generate.py
index e478d459c..16527b89c 100644
--- a/pkgs/clan-cli/clan_cli/secrets/generate.py
+++ b/pkgs/clan-cli/clan_cli/secrets/generate.py
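Review bot: In check_secrets (check.py, second hunk) the `--service` value is used directly as a key in `machine.secrets_data[service]`, so a name that is not configured for the machine surfaces as a bare KeyError instead of a clear error; a guard such as `if service not in machine.secrets_data:` ahead of the loop, raising the CLI's usual error and listing the valid names, would fix that. The `if service:` test also treats an empty string like `None` and falls back to checking every service, so `if service is not None:` is the safer condition. The loop `for service in services:` rebinds the parameter, and a distinct loop variable would keep the argument intact for later use. The function body starts and continues outside this hunk.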
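Review bot: check_command (check.py, third hunk) still discards the boolean returned by `check_secrets`, so as far as this hunk shows the check command exits 0 even when secrets or facts are missing, which makes it unreliable as a gate in CI or deployment scripts. Propagating the result, for example `if not check_secrets(machine, service=args.service): raise SystemExit(1)`, would make the outcome visible to callers. If the missing-secret path already raises inside check_secrets (that part of the body is outside the hunk), this is not needed.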
@@ -29,7 +29,7 @@ def generate_service_secrets(
 ) -> None:
 service_dir = tmpdir / service
 # check if all secrets exist and generate them if at least one is missing
- needs_regeneration = not check_secrets(machine)
+ needs_regeneration = not check_secrets(machine, service=service)
 log.debug(f"{service} needs_regeneration: {needs_regeneration}")
 if needs_regeneration:
 if not isinstance(machine.flake, Path):
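Review bot: The comment above the changed line in generate_service_secrets still reads as if every secret of the machine were checked, while the call is now limited to one service; I would reword it to `# check whether this service's secrets and facts exist; regenerate if at least one is missing`. It would also help to state there whether regeneration replaces the service's secrets that already exist, since a single missing entry triggers it for the whole service. The function starts before this hunk and the regeneration branch continues after it, so that behaviour cannot be confirmed from the lines shown.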