# Keys Directory

This directory contains GPG/age public keys for sops encryption.

## Structure

- `hosts/` - Host-specific public keys (for servers to decrypt their own secrets)
- `users/` - User/admin public keys (for team members to decrypt secrets)

## Adding Keys

### GPG Keys

Export your GPG public key:

```bash
gpg --export --armor YOUR_KEY_ID > keys/users/yourname.asc
```

Export a host's public key:

```bash
gpg --export --armor HOST_KEY_ID > keys/hosts/hostname.asc
```

### Age Keys

For age keys, save the public key to a file:

```bash
echo "age1..." > keys/users/yourname.age
echo "age1..." > keys/hosts/hostname.age
```

## Usage

When you enter the dev shell (`nix develop`), all keys in these directories will be automatically imported into your GPG keyring via the sops-import-keys-hook.

## Important

- Only commit **public** keys (.asc, .age files with public keys)
- Never commit private keys
- Update `.sops.yaml` to reference the fingerprints/keys for access control
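
One way to enforce the "public keys only" rule before a commit, as an added example that is not part of this repository. It assumes armored GPG exports and the `.asc`/`.age` layout described above; the function names and the script name `check-keys.sh` are hypothetical, and the sample files it builds are constructed dummies.

```shell
#!/bin/sh
# Added example: flag anything under keys/ that is not a public key.

# Print one finding per offending file below DIR (default: keys).
scan_keys_dir() {
  find "${1:-keys}" -type f ! -name 'README*' | while IFS= read -r f; do
    # Armored GPG secret keys and age identities carry fixed markers.
    if grep -qF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' \
                -e 'AGE-SECRET-KEY-1' "$f"; then
      echo "private-key-material: $f"
      continue
    fi
    case "$f" in
      *.asc) grep -qF -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" ||
               echo "not-a-pgp-public-key: $f" ;;
      *.age) grep -q '^age1' "$f" || echo "not-an-age-recipient: $f" ;;
      *)     echo "unexpected-file: $f" ;;
    esac
  done
}

# Return 0 when DIR is clean, 1 with findings on stderr, 2 if DIR is missing.
check_keys_dir() {
  [ -d "${1:-keys}" ] || { echo "no such directory: ${1:-keys}" >&2; return 2; }
  findings=$(scan_keys_dir "$1")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings" >&2
  return 1
}

# Constructed sample tree: dummy markers only, no real key material.
make_sample_tree() {
  mkdir -p "$1/good/users" "$1/good/hosts" "$1/bad/users"
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'constructed' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$1/good/users/alice.asc"
  echo 'age1constructedrecipient' > "$1/good/hosts/web01.age"
  cp "$1/good/users/alice.asc" "$1/bad/users/alice.asc"
  echo 'AGE-SECRET-KEY-1CONSTRUCTED' > "$1/bad/users/bob.age"
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' 'constructed' \
    > "$1/bad/users/carol.asc"
  echo 'notes' > "$1/bad/users/todo.txt"
}

# Stand-alone use: sh check-keys.sh keys
if [ "$#" -gt 0 ]; then check_keys_dir "$1"; fi
```

The check only recognises text markers, so a secret key exported without `--armor` would pass as long as its content is not inspected another way; it would still be reported if it lacks the public key header under a `.asc` name.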