Re-encrypt zai.key.age with all 6 recipients (recovery + 5 boxes)

Each box now has its own per-machine age key at ~/.config/chezmoi/key.txt. The .age file is encrypted to all 6 recipients, so any of them can decrypt zai.key on next chezmoi apply. Implementation note: chezmoi only honors the LAST --age-recipient flag when given multiple. Use --age-recipient-file=path/to/file (one pubkey per line) for multiple recipients in a single call.
2026-06-22 00:16:31 -04:00 · 2026-06-22 00:16:31 -04:00 · 2b06a60d00
commit 2b06a60d00
parent dc72dc3a9a
2 changed files with 20 additions and 12 deletions
--- a/.chezmoi.yaml.tmpl
+++ b/.chezmoi.yaml.tmpl
@ -43,10 +43,10 @@ age:
        # `age-keygen -o ~/.config/chezmoi/key.txt`, paste its public key
        # here, then `chezmoi age rekey`.
        - age1eja7trs8mmsgf0qga0h5fsdltaryxgk4ksumshar5xxtdx0exy3q0a5hc5  # miche (Strix Halo GPU host)
-        # - age1byte_pubkey_placeholder                                 # byte (CachyOS laptop)
-        # - age1kaiser_pubkey_placeholder                              # kaiser (services host)
-        # - age1rye_pubkey_placeholder                                 # rye (Debian Pi)
-        # - age1crouton_pubkey_placeholder                             # crouton (Debian Pi)
+        - age1tzmsrw59zkvh47pwz66gly3s4hdcru76569s8cgv0syfrpmutdxsnlke30  # byte (CachyOS laptop)
+        - age16pl6ad3r44hf3q70xra7fadmllhmnnpmksetr3hr6a0q55kd3f9slvpsdg  # kaiser (services host)
+        - age14yfcz6k3m4q99nuvd22ka8zgtgj6q5jmt0sz3cz0004uhcgddfpq49kxw7  # rye (Debian Pi)
+        - age19d0dqm6nzmhlhuns2qa3z64rua294xvf6l2uy5we5dlrq6z4yvwq6g4y4e  # crouton (Debian Pi)

 data:
    os_family: {{ $osFamily | quote }}
--- a/private_dot_omp/agent/zai.key.age
+++ b/private_dot_omp/agent/zai.key.age
@ -1,10 +1,18 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZWhIcnM5cDBjeXNsSFJD
-YmNrVXEyRitzcHpIUms0S281SElvNzBFMG40CkI0ck1MRlk1c0pxWnpwc3ZxTEFR
-UVJCbk5TWFluZXpzUGlNVEk4alNXWE0KLT4gWDI1NTE5IEVBV2tkS3pyS3lITWdV
-U0JuaTExTjFqbElUQ0FzTTlNUVEzZVVOdlFFRzQKc3c3WXBtQVR4NitoZXYveDZL
-aFNtWng2WFBSVE5QSTg4VngwVVFiVUxFOAotLS0gaHlYRTROc3BTWS9IYVVNZlhy
-aWZvbThPZm94MG41Nk9kZGNTKzlZM3FMRQo8aM6b1YkAxYJLXq+49I2LazKrOF6U
-vUpLSW9ArUFQZuCYjexGzGpJXEjWjpbjOv6nV7LZAIN+brCNYLV2SEHp2Gq+Uny8
-ljyD+SUwXgVerdzP
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHNWNTI4K0dVZnV6TEpw
+bTA4cURyTHNZdU5uZ1pBN1UvaDlpYXg0OWw0ClZkTGN1S1JrTExVbURMbWI5bDNr
+L2habmpSWW93NXZRMVpvNERWUnJDK0UKLT4gWDI1NTE5IE16SWxTNlFvcHhxckN0
+YlhKYnFVQ1BsTTEvTzJTKzQ0VVNqaEFYMUZLUm8KK2RVcGZudjJUdlkvRUdvZ3Fn
+bUF6c1AyQ0NPdWZRVTJSYzRpQUpBdTllcwotPiBYMjU1MTkgK0hKcHVYMXJ1NXNB
+cEVJR2J3dEtWY05qTGJ4SzkyYVY2Q1djVTlESlNoUQo3UVJ1SDlrVkVQSG1nSXUr
+dHlOeEE1RjhWUDlKMHl1MTlNWjlvaWtEMGtZCi0+IFgyNTUxOSB4SE44SWk1QVdw
+VkFac3RhbW1vdHdwVUtpTGZFYkpkTCs0cnRHMWhUN1NnClFvVEhENzZTS2dzem9u
+cS9TakxwS01FZDdjY29McE9pTng3cTgxeVVVckEKLT4gWDI1NTE5IFQwQ0xNT0Qz
+a2tGUmdWOFNKRGwveW54Wi9zbUZZZi9MQU43bnNBYnRDR1UKejNZWDVCMEJRTjlC
+dktwc1lFR1RsNk9wZkY3eG5pY2ZvTFVtb2d6SlJrRQotPiBYMjU1MTkgbkM4cUZD
+eDlDUGZXNE1pKzVWRzdnMTU2NjNmSlA1Y1d3WDZOOE1Fb1BsRQp2OUVmOWRXZ1Ju
+Uzc4eGF1L3A4R2w1bUY2OXZCVVdrMkxjZ2xxMjVWTGNZCi0tLSBnRzJRZ2xzb1dr
+M3Q1Zjg5dkVPdnI0dEZuNUZpU3BFOVUxckNpTlg2S2drCqbNOobTCfj1kViqGBp8
+CVfJCZbRpiDxi+MJlAjUQbCjrL6+4sHUTEwwV24DbcPFi1Jv8QRxEj7/iyCZS09q
+o8iXjo/bHLWFGmfofx+LFKp64ts=
 -----END AGE ENCRYPTED FILE-----