removed yubikey

secrets/README.md

@@ -66,75 +66,3 @@ sops -d secrets/system/wifi.yaml
 # Update .sops.yaml with new keys, then:
 sops updatekeys secrets/system/wifi.yaml
 ```
-
-## Migrating to Yubikey
-
-### 1. Generate a new age identity on Yubikey
-
-```bash
-# Insert Yubikey and run interactive setup
-age-plugin-yubikey
-
-# Follow prompts:
-#   - Select slot (default: 1)
-#   - Set PIN policy (default: once per session)
-#   - Set touch policy (recommended: always)
-#
-# This generates a NEW key on the Yubikey - you will not know the private key.
-# Save the identity to the keys directory:
-age-plugin-yubikey --identity > src/user/config/keys/age/yubikey
-```
-
-The identity file only contains a *reference* to the Yubikey, not the private key.
-It will be deployed to `~/.config/sops/age/keys.txt` on rebuild.
-
-### 2. Update .sops.yaml with Yubikey public key
-
-```bash
-# Get the public key (age1yubikey1...)
-age-plugin-yubikey --list
-
-# Edit .sops.yaml and replace/add the key:
-vim .sops.yaml
-```
-
-```yaml
-keys:
-  - &yubikey age1yubikey1q...  # your Yubikey public key
-
-creation_rules:
-  - path_regex: secrets/.*\.yaml$
-    key_groups:
-      - age:
-          - *yubikey
-```
-
-### 3. Re-key all secrets against the new key
-
-```bash
-# This decrypts with your OLD key and re-encrypts with the NEW key
-find secrets -name "*.yaml" -exec sops updatekeys {} \;
-```
-
-You'll need your old key available during this step.
-
-### 4. Remove the old age key (optional)
-
-```bash
-# Once all secrets are re-keyed and tested:
-# 1. Remove old key from .sops.yaml
-# 2. Delete the old key file from the repo:
-rm src/user/config/keys/age/local  # or whatever your test key was named
-```
-
-### 5. Test decryption with Yubikey
-
-```bash
-# Should prompt for Yubikey touch/PIN
-sops -d secrets/system/wifi.yaml
-
-# Test a full rebuild
-sudo nixos-rebuild switch --flake .#desktop
-```
-
-If decryption works, your migration is complete.