diff --git a/pkgs/tools/security/bao/default.nix b/pkgs/tools/security/bao/default.nix
new file mode 100644
index 000000000000..cf6014c84fe9
--- /dev/null
+++ b/pkgs/tools/security/bao/default.nix
@@ -0,0 +1,25 @@
+{ lib
+, fetchCrate
+, fetchpatch
+, rustPlatform
+}:
+
+rustPlatform.buildRustPackage rec {
+  pname = "bao";
+  version = "0.12.0";
+
+  src = fetchCrate {
+    inherit version;
+    pname = "${pname}_bin";
+    sha256 = "SkplBzor7Fv2+6K8wcTtZwjR66RfLPA/YNNUUHniWpM=";
+  };
+
+  cargoSha256 = "yr4HvtOWnU2dFTBgSsbVcuDELe1o1SEtZ7rN/ctKAdI=";
+
+  meta = {
+    description = "An implementation of BLAKE3 verified streaming";
+    homepage = "https://github.com/oconnor663/bao";
+    maintainers = with lib.maintainers; [ amarshall ];
+    license = with lib.licenses; [ cc0 asl20 ];
+  };
+}
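Review bot: `fetchpatch` is declared in the argument set at the top of the new file but nothing in the derivation uses it, so the line `, fetchpatch` can be dropped. That keeps the inputs honest about what the build actually pulls in. Both pinned hashes are written as bare base64. Writing them in SRI form makes the algorithm explicit for anyone auditing the pin, for example `sha256 = "sha256-SkplBzor7Fv2+6K8wcTtZwjR66RfLPA/YNNUUHniWpM=";`, and likewise for `cargoSha256`. The source is fetched from the `bao_bin` crate while `homepage` points at the GitHub repository, so a short comment such as `# bao_bin is the crate that ships the CLI binary` above `pname = "${pname}_bin";` would save a reviewer from having to confirm the name mismatch is intentional.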
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7eedb84359bc..58b3cc28656c 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2576,6 +2576,8 @@ with pkgs;
     inherit (darwin.apple_sdk.frameworks) Security;
   };
 
+  bao = callPackage ../tools/security/bao {};
+
   bar = callPackage ../tools/system/bar {};
 
   base16-shell-preview = callPackage ../misc/base16-shell-preview { };