diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 6c0af39ecda9f3717aba3c9f49a07449d825f429..a7d60538c2150fe22f1fe3e05b67794cf2a94283 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -430,6 +430,21 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
   </varlistentry>
 
 
+  <varlistentry><term><literal>netrc-file</literal></term>
+
+    <listitem><para>If set to an absolute path to a <filename>netrc</filename>
+    file, Nix will use the HTTP authentication credentials in this file when
+    trying to download from a remote host through HTTP or HTTPS. Defaults to
+    <filename>$NIX_CONF_DIR/netrc</filename>.</para>
+
+    <para>The <filename>netrc</filename> file consists of zero or more lines
+    like: <literal>machine <replaceable>my-machine</replaceable> login
+    <replaceable>my-username</replaceable> password
+    <replaceable>my-password</replaceable></literal>.</para></listitem>
+
+  </varlistentry>
+
+
   <varlistentry><term><literal>system</literal></term>
 
     <listitem><para>This option specifies the canonical Nix system
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index 074e0ca6642aea7c061e4c5419ac3bf14ff8e2fe..8f2387b63253e6a30699e91a5f6b86b465a0b412 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -230,6 +230,11 @@ struct CurlDownloader : public Downloader
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
             }
 
+            Path netrcFile = settings.get("netrc-file",
+               (format("%1%/%2%") % settings.nixConfDir % "netrc").str());
+            curl_easy_setopt(req, CURLOPT_NETRC_FILE, netrcFile.c_str());
+            curl_easy_setopt(req, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
+
             result.data = std::make_shared<std::string>();
         }