Skill

sops-add-key

Install

Install the plugin

npx claudepluginhub joaquimscosta/arkhe-claude-plugins --plugin devtools

Want just this skill?

Add to a custom plugin, then install with one command.

Description

Add a new machine's age public key to .sops.yaml and re-encrypt all files. Use for multi-machine setups. Use when user mentions "add key", "add machine", "sops add key", "new machine", "authorize machine", "share key", "add public key", "multi machine sops".

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

SOPS Add Key

Add a new machine's age public key to the project and re-encrypt all files so the new machine can decrypt them.

Workflow

Detect current state:

python3 ${CLAUDE_SKILL_DIR}/../sops-setup/scripts/detect_sops.py <project-root>

Verify prerequisites:
- project.sops_yaml.exists must be true — if not, tell user to run /devtools:sops-setup first
- project.encrypted_files should be non-empty — warn if there are no .enc.yaml files to re-encrypt
- If project.tmp_files is non-empty, warn about stale temporary files (leftover from a failed decrypt/re-encrypt) and suggest the user delete them
Audit key propagation (if encrypted files exist): For each encrypted file, read its YAML and check the sops.age recipients list against project.sops_yaml.authorized_keys. If any authorized key is missing from any file's recipients:
```
WARNING: Key age1xxx...yyy is in .sops.yaml but NOT a recipient in:
  - apps/web/.env.local.enc.yaml
  - apps/api/.env.local.enc.yaml
These files need re-encryption before the corresponding machine can decrypt them.
```
Offer to run sops updatekeys -y <file> for each affected file before proceeding with the new key addition.

Show current authorized keys from project.sops_yaml.authorized_keys:

Currently authorized keys (N):
1. age1abc...def (truncated)
2. age1ghi...jkl (truncated)

Use AskUserQuestion — ask user to paste the new machine's age public key. Validate it starts with age1.
Read .sops.yaml and add the new key to the age: field in creation_rules. Use the Edit tool to append the key to the comma-separated list or multi-line block.
Re-encrypt all files using sops updatekeys:
```
sops updatekeys -y <file>.enc.yaml
```
For each encrypted file. The -y flag auto-confirms. This re-wraps only the data encryption key for the new recipient list — values and MAC are unchanged, producing a minimal diff.

If sops updatekeys is not available (older sops version), fall back to decrypt + re-encrypt:
```
sops --decrypt <file>.enc.yaml > <file>.tmp.yaml
sops --encrypt <file>.tmp.yaml > <file>.enc.yaml
rm <file>.tmp.yaml
```
Verify: After re-encrypting, read each file's sops.age recipients block and confirm all keys from .sops.yaml (including the newly added key) appear as recipients. If any key is missing, warn the user that re-encryption may have failed.

Summary:

| Action | Detail |
|--------|--------|
| Key added | age1xyz... (new machine) |
| .sops.yaml | Updated (now N+1 authorized keys) |
| Re-encrypted | .env.local.enc.yaml |
| Re-encrypted | .env.production.enc.yaml |

Remind user to commit both .sops.yaml and the updated .enc.yaml files.

Key Rotation vs Key Addition

Adding a key (sops updatekeys): Re-wraps the DEK for the new recipient list. Safe, minimal diff. Use for onboarding machines.
Rotating keys (sops rotate -i): Generates a new DEK and re-encrypts every value. Use when a key is compromised or for periodic security hygiene.
If the user mentions a compromised key, recommend sops rotate -i after removing the compromised key from .sops.yaml.

Key Rules

Validate the public key format (must start with age1) before modifying .sops.yaml
Always show the current keys before adding a new one
Re-encrypt ALL .enc.yaml files — missing any would lock out the new machine for those files
Use sops updatekeys (not full decrypt/re-encrypt) for routine key additions
After re-encryption, the new machine can clone and decrypt immediately

Links

Stats

Stars9

Forks1

Last CommitMar 22, 2026

Actions

Similar Skills

skill-lookup

Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.

153.8k

prompt-lookup

Activates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.

153.8k

algorithmic-art

3 files

Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.

99.3k