diff --git a/pkgs/tools/security/sequoia-tool/default.nix b/pkgs/tools/security/sequoia-tool/default.nix
deleted file mode 100644
index 00472c1a3aa..00000000000
--- a/pkgs/tools/security/sequoia-tool/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ stdenv, fetchFromGitLab, rustPlatform, darwin
-, pkgconfig, capnproto, clang, libclang, nettle, openssl, sqlite }:
-
-rustPlatform.buildRustPackage rec {
-  pname = "sequoia-tool";
-  version = "0.9.0";
-
-  src = fetchFromGitLab {
-    owner = "sequoia-pgp";
-    repo = "sequoia";
-    rev = "v${version}";
-    sha256 = "13dzwdzz33dy2lgnznsv8wqnw2501f2ggrkfwpqy5x6d1kgms8rj";
-  };
-
-  nativeBuildInputs = [ pkgconfig clang libclang ];
-  buildInputs = [ capnproto nettle openssl sqlite ]
-    ++ stdenv.lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.Security ];
-
-  LIBCLANG_PATH = libclang + "/lib";
-
-  cargoBuildFlags = [ "--package=sequoia-tool" ];
-
-  cargoSha256 = "1zcnkpzcar3a2fk2rn3i3nb70b59ds9fpfa44f15r3aaxajsdhdi";
-
-  meta = with stdenv.lib; {
-    description = "A command-line frontend for Sequoia, an implementation of OpenPGP";
-    homepage = https://sequoia-pgp.org/;
-    license = licenses.gpl3;
-    maintainers = with maintainers; [ minijackson ];
-    platforms = platforms.all;
-  };
-}
diff --git a/pkgs/tools/security/sequoia/default.nix b/pkgs/tools/security/sequoia/default.nix
new file mode 100644
index 00000000000..5d9ffca6937
--- /dev/null
+++ b/pkgs/tools/security/sequoia/default.nix
@@ -0,0 +1,91 @@
+{ stdenv, fetchFromGitLab, lib, darwin
+, git, nettle, llvmPackages, cargo, rustc
+, rustPlatform, pkgconfig, glib
+, openssl, sqlite, capnproto
+, ensureNewerSourcesForZipFilesHook, pythonSupport ? true, pythonPackages ? null
+}:
+
+assert pythonSupport -> pythonPackages != null;
+
+rustPlatform.buildRustPackage rec {
+  pname = "sequoia";
+  version = "0.9.0";
+
+  src = fetchFromGitLab {
+    owner = "sequoia-pgp";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "13dzwdzz33dy2lgnznsv8wqnw2501f2ggrkfwpqy5x6d1kgms8rj";
+  };
+
+  cargoSha256 = "1zcnkpzcar3a2fk2rn3i3nb70b59ds9fpfa44f15r3aaxajsdhdi";
+
+  nativeBuildInputs = [
+    pkgconfig
+    cargo
+    rustc
+    git
+    llvmPackages.libclang
+    llvmPackages.clang
+    ensureNewerSourcesForZipFilesHook
+  ] ++
+    lib.optionals pythonSupport [ pythonPackages.setuptools ]
+  ;
+
+  checkInputs = lib.optionals pythonSupport [
+    pythonPackages.pytest
+    pythonPackages.pytestrunner
+  ];
+
+  buildInputs = [
+    openssl
+    sqlite
+    nettle
+    capnproto
+  ]
+    ++ lib.optionals pythonSupport [ pythonPackages.python pythonPackages.cffi ]
+    ++ lib.optionals stdenv.isDarwin [ darwin.apple_sdk.frameworks.Security ]
+  ;
+
+  makeFlags = [
+    "PREFIX=${placeholder ''out''}"
+  ];
+
+  buildFlags = [
+    "build-release"
+  ];
+
+  LIBCLANG_PATH = "${llvmPackages.libclang}/lib";
+
+  postPatch = ''
+    # otherwise, the check fails because we delete the `.git` in the unpack phase
+    substituteInPlace openpgp-ffi/Makefile \
+      --replace 'git grep' 'grep -R'
+    # Without this, the check fails
+    substituteInPlace openpgp-ffi/examples/Makefile \
+      --replace '-O0 -g -Wall -Werror' '-g'
+    substituteInPlace ffi/examples/Makefile \
+      --replace '-O0 -g -Wall -Werror' '-g'
+  '';
+
+  preInstall = lib.optionalString pythonSupport ''
+    export installFlags="PYTHONPATH=$PYTHONPATH:$out/${pythonPackages.python.sitePackages}"
+  '' + lib.optionalString (!pythonSupport) ''
+    export installFlags="PYTHON=disable"
+  '';
+
+  # Don't use buildRustPackage phases, only use it for rust deps setup
+  configurePhase = null;
+  buildPhase = null;
+  doCheck = true;
+  checkPhase = null;
+  installPhase = null;
+
+  meta = with stdenv.lib; {
+    description = "A cool new OpenPGP implementation";
+    homepage = "https://sequoia-pgp.org/";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ minijackson doronbehar ];
+    platforms = platforms.all;
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 76134f57e3b..669aaf0f2a3 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5953,7 +5953,9 @@ in
 
   seqdiag = with python3Packages; toPythonApplication seqdiag;
 
-  sequoia-tool = callPackage ../tools/security/sequoia-tool { inherit (llvmPackages) libclang; };
+  sequoia = callPackage ../tools/security/sequoia {
+    pythonPackages = python3Packages;
+  };
 
   sewer = callPackage ../tools/admin/sewer { };
 
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 43fb2661f5c..eada8bf669e 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -4705,6 +4705,11 @@ in {
 
   seqdiag = callPackage ../development/python-modules/seqdiag { };
 
+  sequoia = disabledIf (isPyPy || !isPy3k) (toPythonModule (pkgs.sequoia.override {
+    pythonPackages = self;
+    pythonSupport = true;
+  }));
+
   safe = callPackage ../development/python-modules/safe { };
 
   sampledata = callPackage ../development/python-modules/sampledata { };