diff --git a/checks/nixos-test.nix b/checks/nixos-test.nix
index 7a113fc..2512d25 100644
--- a/checks/nixos-test.nix
+++ b/checks/nixos-test.nix
@@ -198,6 +198,57 @@ in
 '';
 };
 
+ # This test should be altered or removed if `age-keygen` switches its default to match the post-quantum `-pq` behavior.
+ age-extra-generate-key-args = testers.runNixOSTest {
+ name = "age-generate-key-args";
+ nodes.machine =
+ { ... }:
+ {
+ imports = [ ../modules/sops ];
+ sops = {
+ age = {
+ keyFile = "/run/age-keys-args.txt";
+ generateKey = true;
+ extraGenerateKeyArgs = [ "-pq" ];
+ };
+ defaultSopsFile = testAssets + "/secrets.yaml";
+ secrets.test_key = { };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.succeed("cat /run/age-keys-args.txt | grep -q AGE-SECRET-KEY-PQ-")
+ '';
+ };
+
+ age-extra-generate-key-args-override-keyfile = testers.runNixOSTest {
+ name = "age-generate-key-args-override-keyfile";
+ nodes.machine =
+ { ... }:
+ {
+ imports = [ ../modules/sops ];
+ sops = {
+ age = {
+ keyFile = "/run/age-keys-args-fail.txt";
+ generateKey = true;
+ extraGenerateKeyArgs = [
+ "-o"
+ "/run/age-keys-args-succeed.txt"
+ ];
+ };
+ defaultSopsFile = testAssets + "/secrets.yaml";
+ secrets.test_key = { };
+ };
+ };
+
+ testScript = ''
+ start_all()
+ machine.fail("find /run/age-keys-args-fail.txt")
+ machine.succeed("find /run/age-keys-args-succeed.txt")
+ '';
+ };
+
 age-ssh-keys = testers.runNixOSTest {
 name = "sops-age-ssh-keys";
 nodes.machine = {
diff --git a/modules/sops/default.nix b/modules/sops/default.nix
index 9f19ab6..86819d4 100644
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@@ -361,6 +361,15 @@ in
 '';
 };
 
+ extraGenerateKeyArgs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ example = [ "-pq" ];
+ description = ''
+ List of arguments to use when generating the age key.
+ '';
+ };
+
 sshKeyPaths = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = defaultImportKeys "ed25519";
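Review bot: The `age-extra-generate-key-args-override-keyfile` test locks in a footgun rather than guarding against it: it asserts that a user-supplied `-o` in `extraGenerateKeyArgs` wins over `sops.age.keyFile`, so the key is written to `/run/age-keys-args-succeed.txt` while the module's configured `keyFile` (`/run/age-keys-args-fail.txt`) stays empty — presumably the rest of the module still reads `keyFile` for decryption, in which case this is a configuration that silently cannot decrypt anything. Consider asserting instead that the module rejects `-o`/`--output` in that list, or at least that the path the module reads ends up populated. Minor: the existence probes read better as `machine.fail("test -f /run/age-keys-args-fail.txt")` / `machine.succeed("test -f /run/age-keys-args-succeed.txt")`, and the first test's `cat ... | grep -q` is just `machine.succeed("grep -q AGE-SECRET-KEY-PQ- /run/age-keys-args.txt")`. The attribute set these tests live in starts and ends outside the hunk.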
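Review bot: The description of `extraGenerateKeyArgs` does not say where the arguments land, yet that decides their effect: in the `modules/sops/default.nix` invocation they are appended after `-o <keyFile>` on the `age-keygen` command line, so a later `-o` from this list overrides `sops.age.keyFile` and the module's own key path no longer matches the generated key. State that in the option, e.g. `Extra arguments appended to the age-keygen invocation that generates the key, after "-o <keyFile>". Do not pass -o/--output here; set sops.age.keyFile instead.` An `assertion` that no element is `-o` or `--output` would make the contract enforceable rather than documentary. The enclosing `options` attribute set starts and ends outside the hunk.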
@@ -511,7 +520,7 @@ in
 echo generating machine-specific age key...
 mkdir -p $(dirname ${escapedKeyFile})
 # age-keygen sets 0600 by default, no need to chmod.
- ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile}
+ ${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.join " " cfg.age.extraGenerateKeyArgs}
 fi
 ''
 );
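Review bot: The new arguments are spliced into the shell script unquoted via `lib.join " "`, while the key path on the same line goes through `escapedKeyFile`; an element containing whitespace or shell metacharacters is word-split or interpreted by the shell instead of reaching `age-keygen` as one argument. The values come from the Nix configuration, so this is a correctness gap rather than an injection from untrusted input, but the fix is the same escaping the path already gets: `${pkgs.age}/bin/age-keygen -o ${escapedKeyFile} ${lib.escapeShellArgs cfg.age.extraGenerateKeyArgs}`, which also does the joining. Note the ordering this line relies on: a `-o` supplied through the list comes after `-o ${escapedKeyFile}` and overrides it, so the key can be written somewhere the module does not look. The `if` block and the shell string this sits in start and end outside the hunk.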