New machine setup

Get agent-env running on a fresh machine in five steps.

1. Install prerequisites

Install sops and age for encrypted secrets. Skip if using plaintext .env files.

brew install sops age

# Linux: see github.com/getsops/sops + github.com/FiloSottile/age

2. Transfer your Age key

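The Age private key is the root of trust: it decrypts everything. Create the key directory with owner-only permissions, then move the key into it using one of the methods under "Transferring your Age key" below.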

mkdir -p ~/.config/sops/age
chmod 700 ~/.config/sops/age

3. Install agent-env

One-line install. Requires bash 4+.

curl -fsSL https://raw.githubusercontent.com/jordanburke/agent-env/main/install.sh | bash

4. Sync global secrets

Copy or sync your global secrets file. Since it's SOPS-encrypted, it's safe in dotfiles repos, provided the Age private key is never committed alongside it.

# If using chezmoi:
chezmoi apply

# Or copy manually:
scp user@old-machine:~/.config/agent-env/.sops.env ~/.config/agent-env/

5. Verify

Check that everything works. You should see your decrypted keys.

agent-env check
agent-env view

Transferring your Age key

The Age private key can't be protected by the encryption it unlocks, so move it with a secure out-of-band method.

Bitwarden CLI (recommended)

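Store (from existing machine; needs jq, since bw create item expects an encoded JSON item rather than raw text):

bw get template item | jq --rawfile key ~/.config/sops/age/keys.txt '.type = 2 | .secureNote.type = 0 | .name = "age-key" | .notes = $key' \
  | bw encode | bw create item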

Retrieve (on new machine):

bw get notes "age-key" > ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt

Encrypted vault, cross-platform, team sharing

SCP (quick)

Retrieve (on new machine):

scp user@old-machine:~/.config/sops/age/keys.txt ~/.config/sops/age/
chmod 600 ~/.config/sops/age/keys.txt

Direct transfer, no third party, works on any network

1Password / password manager (manual)

Retrieve (on new machine):

# Copy from Secure Note into:
# ~/.config/sops/age/keys.txt
chmod 600 ~/.config/sops/age/keys.txt

Works with any password manager, GUI-friendly
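
A preflight check for the key file after any of the transfers above, as an added example that is not part of agent-env or of this page's original commands. `check_age_key` and `file_mode` are hypothetical helper names; the modes checked are the 700 and 600 this page sets.

```shell
# Added example; check_age_key and file_mode are hypothetical helpers,
# not agent-env commands.

# Print octal permission bits: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: check_age_key [path]  (default: the key path used on this page)
# Returns 0 if the key file passes every check, 1 otherwise.
# The body is a subshell so its variables do not leak into the caller.
check_age_key() (
  key="${1:-$HOME/.config/sops/age/keys.txt}"
  dir="$(dirname "$key")"
  cr="$(printf '\r')"
  rc=0

  if [ ! -f "$key" ]; then
    echo "FAIL: $key not found" >&2
    return 1
  fi
  # Step 2 sets the directory to 700; the transfer recipes set the file to 600.
  if [ "$(file_mode "$dir")" != "700" ]; then
    echo "FAIL: $dir is not mode 700" >&2; rc=1
  fi
  if [ "$(file_mode "$key")" != "600" ]; then
    echo "FAIL: $key is not mode 600" >&2; rc=1
  fi
  # Pasting from a password manager GUI can leave CRLF line endings.
  if grep -q "$cr" "$key"; then
    echo "FAIL: $key contains carriage returns" >&2; rc=1
  fi
  # age-keygen writes the secret on a line starting with AGE-SECRET-KEY-1.
  if ! grep -q '^AGE-SECRET-KEY-1' "$key"; then
    echo "FAIL: no AGE-SECRET-KEY-1 line in $key" >&2; rc=1
  fi
  return "$rc"
)
```

Source the file and run `check_age_key` after the `chmod 600` step and before `agent-env check`.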

Per-machine keys (optional)

For better security, generate a unique Age key per machine. Add all public keys to your .sops.yaml files, then re-encrypt:

# Generate new key on new machine
age-keygen -o ~/.config/sops/age/keys.txt

# Add the public key to .sops.yaml in each repo
# Then re-encrypt:
sops updatekeys .sops.env

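This lets you revoke a single machine without affecting others: remove that machine's public key from .sops.yaml and run sops updatekeys again. Secrets the revoked machine could already decrypt should be rotated at their source.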

Syncing with dotfiles

Since .sops.env is encrypted, it's safe to store in your dotfiles repo. SOPS encrypts the values only; variable names stay readable in the file.

Chezmoi

# Add once (existing machine)
chezmoi add ~/.config/agent-env/.sops.env

# Sync (new machine)
chezmoi apply

Git bare repo / stow

# Track the file in your dotfiles
cp ~/.config/agent-env/.sops.env \
   ~/dotfiles/.config/agent-env/

# On new machine: restore