diff --git a/NEWS b/NEWS
index 4b576e88d4..0d7c77835a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,11 @@
systemd System and Service Manager
+CHANGES WITH 259 in spe:
+
+ * homectl's --recovery-key= option may now be used with the "update"
+ command to add recovery keys to existing user accounts. Previously,
+ recovery keys could only be configured during initial user creation.
+
CHANGES WITH 258:
Incompatible changes:
diff --git a/man/homectl.xml b/man/homectl.xml
index cf5b878e7a..36b3bbfe9c 100644
--- a/man/homectl.xml
+++ b/man/homectl.xml
@@ -1584,6 +1584,13 @@ homectl update lafcadio --pkcs11-token-uri=auto
# Allow a FIDO2 security token to unlock the account of user 'nihilbaxter'.
homectl update nihilbaxter --fido2-device=auto
+
+
+ Add a recovery key to an existing user account:
+
+ # Generate and add a recovery key for user 'emily'.
+homectl update emily --recovery-key=yes
+
diff --git a/src/home/homectl.c b/src/home/homectl.c
index 329572fb34..c50302fb74 100644
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@@ -1829,9 +1829,15 @@ static int acquire_updated_home_record(
return r;
}
+ if (arg_recovery_key) {
+ r = identity_add_recovery_key(&json);
+ if (r < 0)
+ return r;
+ }
+
/* If the user supplied a full record, then add in lastChange, but do not override. Otherwise always
* override. */
- r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device, !arg_identity);
+ r = update_last_change(&json, arg_pkcs11_token_uri || arg_fido2_device || arg_recovery_key, !arg_identity);
if (r < 0)
return r;
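Review bot: The new `if (arg_recovery_key)` block in acquire_updated_home_record() calls identity_add_recovery_key() on every `update --recovery-key=yes`, and nothing in this hunk shows whether a recovery key already on the record is replaced or kept alongside the new one. Each recovery key is a standalone credential that can unlock the account, so the behaviour should be stated at the call site, e.g. `/* Adds a further recovery key; previously registered ones are left in place (confirm in identity_add_recovery_key()) */`. The comment above update_last_change() could also say why `arg_recovery_key` joins the token options in the second argument, presumably because it changes the account's authentication material. The function starts and ends outside this hunk, so it cannot be checked from here how the generated key is shown to the user or what happens to it if a later step of the update fails.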