diff --git a/configuration.nix b/configuration.nix index 0b926c9..b398d3e 100644 --- a/configuration.nix +++ b/configuration.nix @@ -102,6 +102,7 @@ in { }; }; + time.timeZone = "UTC"; users = { diff --git a/flake.nix b/flake.nix index 0eb3487..fa101aa 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,11 @@ ./zfs.nix agenix.nixosModules.default + + { + #age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age; + age.secrets.x.file = ./secrets/hel1-a/zfs-passphrase.age; + } ]; }; @@ -62,7 +67,8 @@ devShells.default = with pkgs; mkShell { packages = [ - pkgs.age + pkgs.rage + pkgs.age-plugin-yubikey agenix.packages.${system}.agenix deploy-rs.packages.${system}.deploy-rs ]; diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..fd881fb --- /dev/null +++ b/secrets.nix @@ -0,0 +1,10 @@ +let + motiejus = "age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg"; + users = [ motiejus ]; + + hel1-a = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6Wd2lKrpP2Gqul10obMo2dc1xKaaLv0I4FAnfIaFKu"; + systems = [ hel1-a ]; +in +{ + "secrets/hel1-a/zfs-passphrase.age".publicKeys = [ motiejus hel1-a ]; +} diff --git a/secrets/hel1-a/zfs-passphrase.age b/secrets/hel1-a/zfs-passphrase.age new file mode 100644 index 0000000..c3496e9 --- /dev/null +++ b/secrets/hel1-a/zfs-passphrase.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 vDjOfg KnpCkORn/iztI4mW7KJSPWz7w5+suCy0DbpSal9/NUY +1brrf3mbnQuswCz96J/vy0cnKw5gFH1SZ0pQFKZK4Do +-> piv-p256 +y2G/w Ayr131SxWAZEaUgyXLS8TcyccefAkG5MG/Zx6xHj0kOH +eyy7OTR7xQb94FI6vWRULLC0kpps5S7jDMmZh6PNyBQ +-> Bgmf{-grease +J0eB9JaT3C/6anoo+SSMly9Pr7PIOckxVwi8WXx47tCfbzHUVq5xW07QNoT8QJPS +EghExahZE0OEgMwVB1gS0IHnaygSpkklCUTJ235cQTadBXyDRYdTJ5BHFtb0 +--- xYpDb8+FYgwnhvK5U+VS9uhj7z6WwoYuZieFtuQYtKs +ع+sD$Dz00WX9RQok^UqtL N._6sl5N43; \ No newline at end of file diff --git a/secrets/identity.txt b/secrets/identity.txt new file mode 100644 index 0000000..5c0a5b4 --- /dev/null +++ b/secrets/identity.txt 
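Review bot: The inline module added after `agenix.nixosModules.default` in flake.nix registers the ZFS passphrase under the placeholder name `x` and leaves the intended declaration commented out, so the decrypted file's name and any `config.age.secrets.x.path` reference say nothing about what the secret is. I would restore `age.secrets.zfs-passphrase.file = ./secrets/hel1-a/zfs-passphrase.age;` and delete the commented line, or, if the descriptive name is blocked by something not visible in this hunk, replace the dead line with a comment stating why. Nothing in the visible hunks consumes the secret yet, so it is worth confirming that the host needs the passphrase decrypted at activation before shipping it there.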
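Review bot: In the new secrets.nix the `users` and `systems` lists are defined but never used; the single rule spells out `[ motiejus hel1-a ]` by hand, so the groupings will drift once a second key or host is added. Either build the recipient list from them, e.g. `"secrets/hel1-a/zfs-passphrase.age".publicKeys = users ++ [ hel1-a ];`, or drop the unused bindings. A one-line comment on `hel1-a` recording that it is (presumably) the machine's SSH host public key, and how it was verified, would also help, because every key listed here can decrypt the passphrase.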
@@ -0,0 +1,9 @@
+# Serial: 9089636, Slot: 1
+# Name: motiejus/config-secrets
+# Created: Wed, 05 Apr 2023 12:14:28 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1qtwmhf7h7ljs3dyx06wyzme4st6w4calkdpmsxgpxc9t2cldezvasd6n8wg
+AGE-PLUGIN-YUBIKEY-1VJEG5QYZLVKCDLCCDUEEX
+
+
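Review bot: `secrets/identity.txt` sits next to the encrypted files and reads like a private key at first glance, but nothing in the file says whether it is safe to commit. If, as the `AGE-PLUGIN-YUBIKEY-` prefix suggests, this is the age-plugin-yubikey stub that only points at the hardware slot, add a header comment saying so, e.g. `# YubiKey identity stub: references the key slot, contains no private key material`, plus a line on how it is meant to be passed to rage/agenix. The recorded policies (PIN once per session, touch cached for 15 seconds) are looser than requiring PIN and touch on every operation, so a short comment noting that this was a deliberate choice would help the next reader. The two trailing blank lines can be dropped.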