# Recovery Notes (age + sops)

## If you lose the age identity

You cannot decrypt existing secrets without the age private key stored in:

- `~/.config/sops/age/keys.txt`

Keep an offline recovery copy (USB/QR/printed).

## Rotating recipients

Add additional recipients to `.sops.yaml` and re-encrypt:

- `sops updatekeys -y secrets/*.enc.yaml`
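
A pre-rotation check, added here as an example and not part of the original notes: it lists public keys from an identity file (the live `keys.txt` or the offline recovery copy) that are not recipients in `.sops.yaml`, so a rotation does not drop the key you would recover with. The function names are hypothetical, the sample keys are constructed placeholders, and it assumes the identity file still carries the `# public key:` comment lines that `age-keygen` writes.

```shell
#!/bin/sh
# Added example: find age public keys from an identity file that are NOT
# listed as recipients in a .sops.yaml (hypothetical helper names).

# recipients_in_identity FILE -> one public key per line, taken from the
# "# public key: age1..." comments (assumption: comments were not stripped).
recipients_in_identity() {
    sed -n 's/^# public key: \(age1[0-9a-z]*\).*$/\1/p' "$1"
}

# missing_recipients IDENTITY_FILE SOPS_YAML
# Prints each public key absent from SOPS_YAML (YAML comments are ignored).
# Exit status: 0 all present, 1 at least one missing, 2 no public key found.
missing_recipients() {
    keys=$(recipients_in_identity "$1")
    [ -n "$keys" ] || return 2
    missing=0
    for pk in $keys; do
        # Strip YAML comments so a commented-out recipient does not count.
        if ! sed 's/#.*//' "$2" | grep -qwF -- "$pk"; then
            printf '%s\n' "$pk"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample data (placeholder strings, not real age keys).
demo=$(mktemp -d)
cat > "$demo/keys.txt" <<'EOF'
# created: 2024-01-01T00:00:00Z
# public key: age1constructedlaptopkey0000
AGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDER
# public key: age1constructedrecoverykey00
AGE-SECRET-KEY-1CONSTRUCTEDPLACEHOLDER2
EOF
cat > "$demo/.sops.yaml" <<'EOF'
creation_rules:
  - path_regex: secrets/.*\.enc\.yaml$
    age: age1constructedlaptopkey0000
    # age: age1constructedrecoverykey00   (commented out: not a recipient)
EOF
missing_recipients "$demo/keys.txt" "$demo/.sops.yaml" || echo "exit status: $?"
```

Exit status 2 means the file has no `# public key:` comments; in that case `age-keygen -y` can derive the public key from the identity file.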