diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 3362e3e28..52cea1106 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -457,6 +457,29 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
   </varlistentry>
 
 
+  <varlistentry><term><literal>netrc-file</literal></term>
+
+    <listitem><para>If set to an absolute path to a <filename>netrc</filename>
+    file, Nix will use the HTTP authentication credentials in this file when
+    trying to download from a remote host through HTTP or HTTPS. Defaults to
+    <filename>$NIX_CONF_DIR/netrc</filename>.</para>
+
+    <para>The <filename>netrc</filename> file consists of a list of
+    accounts in the following format:
+
+<screen>
+machine <replaceable>my-machine</replaceable>
+login <replaceable>my-username</replaceable>
+password <replaceable>my-password</replaceable>
+</screen>
+
+    For the exact syntax, see <link
+    xlink:href="https://ec.haxx.se/usingcurl-netrc.html">the
+    <literal>curl</literal> documentation.</link></para></listitem>
+
+  </varlistentry>
+
+
   <varlistentry><term><literal>system</literal></term>
 
     <listitem><para>This option specifies the canonical Nix system
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index 82f5f7aa9..d9797ff48 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -114,6 +114,10 @@ struct Curl
         curl_easy_setopt(curl, CURLOPT_PROGRESSFUNCTION, progressCallback_);
         curl_easy_setopt(curl, CURLOPT_PROGRESSDATA, (void *) &curl);
         curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0);
+        /* If no file exist in the specified path, curl continues to work
+         * anyway as if netrc support was disabled. */
+        curl_easy_setopt(curl, CURLOPT_NETRC_FILE, settings.netrcFile.c_str());
+        curl_easy_setopt(curl, CURLOPT_NETRC, CURL_NETRC_OPTIONAL);
     }
 
     ~Curl()
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 2aba3d2c1..8bf5f8c2e 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -62,6 +62,7 @@ Settings::Settings()
     lockCPU = getEnv("NIX_AFFINITY_HACK", "1") == "1";
     showTrace = false;
     enableImportNative = false;
+    netrcFile = (format("%1%/%2%") % nixConfDir % "netrc").str();
 }
 
 
@@ -190,6 +191,7 @@ void Settings::update()
     _get(preBuildHook, "pre-build-hook");
     _get(keepGoing, "keep-going");
     _get(keepFailed, "keep-failed");
+    _get(netrcFile, "netrc-file");
 
     string subs = getEnv("NIX_SUBSTITUTERS", "default");
     if (subs == "default") {
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 60b11afe6..3d8351aa1 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -210,6 +210,10 @@ struct Settings {
        build settings */
     Path preBuildHook;
 
+    /* Path to the netrc file used to obtain usernames/passwords for
+       downloads. */
+    Path netrcFile;
+
 private:
     SettingsMap settings, overrides;