diff --git a/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev b/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev
new file mode 100644
index 000000000..c084ed320
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev
@@ -0,0 +1,29 @@
+This is a revocation certificate for the OpenPGP key:
+
+pub rsa1024 2024-09-29 [SCEAR]
+ 9A9B2741C8062D3D3DF1302D8B049E262A5CA255
+uid Root Superuser
+
+A revocation certificate is a kind of "kill switch" to publicly
+declare that a key shall not anymore be used. It is not possible
+to retract such a revocation certificate once it has been published.
+
+Use it to revoke this key in case of a compromise or loss of
+the secret key. However, if the secret key is still accessible,
+it is better to generate a new revocation certificate and give
+a reason for the revocation. For details see the description of
+of the gpg command "--generate-revocation" in the GnuPG manual.
+
+To avoid an accidental use of this file, a colon has been inserted
+before the 5 dashes below. Remove this colon with a text editor
+before importing and publishing this revocation certificate.
+
+:-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iLYEIAEIACAWIQSamydByAYtPT3xMC2LBJ4mKlyiVQUCZvl/cAIdAAAKCRCLBJ4m
+KlyiVUWOA/9rDw6tSSw7Gh3vlaLZXSQvkftO3x9cJwePn6JPmM2nWLDcaOj+/Cd0
+guyakYt7Fsxa6fqcv5sYV50bPRqAnfOWbR7jRl4DF6pSYNCHPlkWuLghdYsBOBo2
+1MG/J+155aclsB8JQez1eGMe8KcpcJBcrYuZTAMekMGPrfyr9SwDUg==
+=V2Jo
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key b/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key
new file mode 100644
index 000000000..a0873e873
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key
@@ -0,0 +1,15 @@
+Created: 20240929T162520
+Key: (private-key (rsa (n #00B1BF3E8A8CEA6A68439F67CDCAF5616B50D99A9F88
+ 6D9E879D3FE990854E9ADFC35D7D26DBC5BC1800B3FF7B814F4623C1DFC34CAB4D326C
+ 3E269C6059D567B5144659B3C895B52B428BA7B74CC2FA130D06C689C45B8FF8DA1D7C
+ 7A578C99C0F221189D6BE045AE2EC8D2389423994BA0D650A2EDD2B7664642BFBF9691
+ 495F#)(e #010001#)(d #57605C65AE94F39EF293136BB23842DE06DE19A90FDF573D
+ 723B3F5D5872C626767AE831687B0116498E326AABABE51E61C9564FC3ABCCBC322737
+ DB137E191EB3B012B9C142290050EBD8ADD40BC68CCB577521E3A76DFD668BC6E584C7
+ 0DD3B6CE545CC392B1D893EFB959BE3BD0EB7DF73A1F7AFBD9693353BA4FD3C05AED#)
+ (p #00C169E9E1DF8F39E7B2140FD52723FC5D10CCFC62D8A0876D39641AB00441345C
+ FC239EF8551B5F39CE850EF2DD79B98D70D57AD933648C86B7DD536B1B3AD6CB#)(q
+ #00EB43872BDDA397AC02A32E7CB0061ACB26A30497031D24FA793DE9EE4EFBACB1A4
+ 6BF1444DE47CB63A6E254F2E4928BB0BB1F5C51C5247EEA8FF2D84BE25F13D#)(u
+ #00CEBE9717B5F7B59393065F884ACCA692F64545F492E50DF9070ACA9FBDA8A1EC03
+ 906FDB9C112A97FADBB273E69548C6B17E6BE3BB664B9D02FB2100EF19AF7D#)))
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx b/pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx
new file mode 100644
index 000000000..b07f082d4
Binary files /dev/null and b/pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx differ
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/random_seed b/pkgs/clan-cli/tests/data/gnupg-home/random_seed
new file mode 100644
index 000000000..2f4c89c23
Binary files /dev/null and b/pkgs/clan-cli/tests/data/gnupg-home/random_seed differ
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg b/pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg
new file mode 100644
index 000000000..973814c8e
Binary files /dev/null and b/pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg differ
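Review bot: `private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key` commits a passphrase-less RSA-1024 secret key (the key spec added in this same commit uses `%no-protection`) with nothing in the tree saying it is a throwaway test fixture, so a reader or a secret scanner cannot tell it apart from a leaked credential; the same applies to the revocation certificate in the previous hunk and the `pubring.kbx`/`trustdb.gpg` blobs below. A short `pkgs/clan-cli/tests/data/gnupg-home/README` should state that the keyring was generated with `gpg --batch --gen-key` from `tests/data/gnupg.conf`, that the key (fingerprint `9A9B2741C8062D3D3DF1302D8B049E262A5CA255`, uid Root Superuser / test@local) is deliberately unprotected and trusted by nothing but this test, and how to regenerate it. `random_seed` is gpg's persisted RNG seed pool, which gpg recreates by itself as far as I know, so it is not needed to reproduce the fixture and could be left out of the commit. Because the key files are tracked with mode 100644, the copy made in `test_vars.py` will be world-readable inside the temporary home unless the test tightens permissions after copying.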
diff --git a/pkgs/clan-cli/tests/data/gnupg.conf b/pkgs/clan-cli/tests/data/gnupg.conf
new file mode 100644
index 000000000..eaa6ec764
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/gnupg.conf
@@ -0,0 +1,6 @@
+Key-Type: 1
+Key-Length: 1024
+Name-Real: Root Superuser
+Name-Email: test@local
+Expire-Date: 0
+%no-protection
diff --git a/pkgs/clan-cli/tests/data/password-store/.gpg-id b/pkgs/clan-cli/tests/data/password-store/.gpg-id
new file mode 100644
index 000000000..f4fc704e0
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/password-store/.gpg-id
@@ -0,0 +1 @@
+test@local
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index a2fdfc1ef..46d80c448 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -1,5 +1,5 @@
 import json
-import subprocess
+import shutil
 from dataclasses import dataclass
 from io import StringIO
 from pathlib import Path
@@ -9,7 +9,7 @@ from age_keys import SopsSetup
 from clan_cli.clan_uri import FlakeId
 from clan_cli.errors import ClanError
 from clan_cli.machines.machines import Machine
-from clan_cli.nix import nix_eval, nix_shell, run
+from clan_cli.nix import nix_eval, run
 from clan_cli.vars.check import check_vars
 from clan_cli.vars.generate import generate_vars_for_machine
 from clan_cli.vars.list import stringify_all_vars
@@ -238,6 +238,7 @@ def test_generated_shared_secret_sops(
 def test_generate_secret_var_password_store(
     monkeypatch: pytest.MonkeyPatch,
     temporary_home: Path,
+    test_root: Path,
 ) -> None:
     config = nested_dict()
     config["nixpkgs"]["hostPlatform"] = "x86_64-linux"
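Review bot: `tests/data/gnupg.conf` is named like a gpg options file, but its contents (`Key-Type`, `Name-Email`, `%no-protection`) are a `gpg --batch --gen-key` parameter file, and nothing in this patch reads it any more — it survives only as a record of how `tests/data/gnupg-home` was produced. A name such as `gpg-key-spec.txt`, or a leading comment line `# gpg --batch --gen-key parameter file used to generate tests/data/gnupg-home; not read by the tests`, would make that explicit (the batch parameter format accepts `#` comment lines as far as I recall; confirm against the GnuPG "Unattended key generation" section before relying on it). Keeping the spec next to the generated keyring is useful, since it is the only thing that tells a maintainer the committed key is intentionally unprotected.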
@@ -258,29 +259,13 @@ def test_generate_secret_var_password_store(
     )
     monkeypatch.chdir(flake.path)
     gnupghome = temporary_home / "gpg"
-    gnupghome.mkdir(mode=0o700)
+    shutil.copytree(test_root / "data" / "gnupg-home", gnupghome)
     monkeypatch.setenv("GNUPGHOME", str(gnupghome))
+
+    password_store_dir = temporary_home / "pass"
+    shutil.copytree(test_root / "data" / "password-store", password_store_dir)
     monkeypatch.setenv("PASSWORD_STORE_DIR", str(temporary_home / "pass"))
-    gpg_key_spec = temporary_home / "gpg_key_spec"
-    gpg_key_spec.write_text(
-        """
-        Key-Type: 1
-        Key-Length: 1024
-        Name-Real: Root Superuser
-        Name-Email: test@local
-        Expire-Date: 0
-        %no-protection
-        """
-    )
-    subprocess.run(
-        nix_shell(
-            ["nixpkgs#gnupg"], ["gpg", "--batch", "--gen-key", str(gpg_key_spec)]
-        ),
-        check=True,
-    )
-    subprocess.run(
-        nix_shell(["nixpkgs#pass"], ["pass", "init", "test@local"]), check=True
-    )
+
     machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
     assert not check_vars(machine)
     cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
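Review bot: `shutil.copytree(test_root / "data" / "gnupg-home", gnupghome)` drops the `mode=0o700` that the removed `mkdir` set, and it cannot get it back from the source tree: git stores no directory mode and only the executable bit of files, so the copied home and the `private-keys-v1.d/*.key` inside it come out with umask defaults (typically 0755/0644), the secret key is readable by every local user for the lifetime of the temporary home, and gpg emits its unsafe-permissions warning for the homedir. Add `gnupghome.chmod(0o700)` directly after the copy (and, if the warning turns out to break the run, also chmod the key files to `0o600`). Separately, `password_store_dir` is introduced but the next line still spells the path out; `monkeypatch.setenv("PASSWORD_STORE_DIR", str(password_store_dir))` keeps the two from drifting. The function continues outside the hunk.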