
Re-encrypt zai.key.age with all 6 recipients (recovery + 5 boxes)

Each box now has its own per-machine age key at
~/.config/chezmoi/key.txt. The .age file is encrypted to all 6
recipients, so any of them can decrypt zai.key on next chezmoi apply.

Implementation note: chezmoi only honors the LAST --age-recipient
flag when given multiple. Use --age-recipient-file=path/to/file
(one pubkey per line) for multiple recipients in a single call.
Rain 2026-06-22 00:16:31 -04:00
parent dc72dc3a9a
commit 2b06a60d00
2 changed files with 20 additions and 12 deletions


@ -43,10 +43,10 @@ age:
# `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
# here, then `chezmoi age rekey`.
- age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5 # miche (Strix Halo GPU host)
# - age1byte_pubkey_placeholder # byte (CachyOS laptop)
# - age1kaiser_pubkey_placeholder # kaiser (services host)
# - age1rye_pubkey_placeholder # rye (Debian Pi)
# - age1crouton_pubkey_placeholder # crouton (Debian Pi)
- age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30 # byte (CachyOS laptop)
- age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg # kaiser (services host)
- age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7 # rye (Debian Pi)
- age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e # crouton (Debian Pi)
data:
os_family: {{ $osFamily | quote }}
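
Review bot: The comment at the top of this hunk still documents onboarding a box as `age-keygen -o ~/.config/chezmoi/key.txt`, paste the public key, then `chezmoi age rekey`, while the caveat that only the last `--age-recipient` was honored and `--age-recipient-file` was needed is recorded only in the commit message. Consider moving that caveat into this comment so whoever adds the next box finds it next to the recipient list. With the four placeholder lines replaced by real keys, every listed box can decrypt zai.key on its own, so it is also worth a line here saying that dropping a recipient means re-encrypting and rotating zai.key itself, since older copies of the .age file in history stay decryptable by the removed key.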