If you need a remote server to decrypt your encrypted configs (e.g. during sysfig deploy), register it as a node with its own age key. sysfig will automatically re-encrypt all secrets for every registered node on the next sync.
# On the remote server
age-keygen -o ~/.sysfig/keys/server.key
# Public key: age1abc123...

sysfig node add myserver age1abc123...
sysfig sync --push --message "add myserver node"

sysfig re-encrypts every secret for both your master key and the server's public key. Each machine can only decrypt using its own key.

sysfig deploy --host user@myserver git@github.com:you/conf.git

The server decrypts secrets with its ~/.sysfig/keys/server.key. Your master key never leaves your machine.

sysfig node list # show all registered nodes
sysfig node remove myserver # unregister — re-encrypt single-recipient on next sync

After node remove, run sysfig sync --push to re-encrypt secrets back to single-recipient. The removed server will get "age: no identity matched any of the recipients" on its next decrypt attempt.
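
The recipient behaviour described above can be reproduced with the age CLI alone. This is an added example, not sysfig's own code: it assumes the age and age-keygen binaries are installed, and the function names, file names and secret value are constructed for the demo.

```shell
# Added example, not sysfig code: the recipient behaviour reproduced with the
# age and age-keygen CLIs. File names and the secret value are constructed.

# decrypts KEYFILE CIPHERTEXT PLAINTEXT: succeed only if the key recovers the plaintext
decrypts() {
    [ "$(age -d -i "$1" "$2" 2>/dev/null)" = "$(cat "$3")" ]
}

node_demo_in() {
    d=$1
    age-keygen -o "$d/master.key" 2>/dev/null || return 2
    age-keygen -o "$d/server.key" 2>/dev/null || return 2
    master_pub=$(age-keygen -y "$d/master.key")
    server_pub=$(age-keygen -y "$d/server.key")
    printf 'db_password=constructed-example\n' > "$d/secret.txt"

    # After "node add" + sync: one ciphertext, two recipients.
    age -r "$master_pub" -r "$server_pub" -o "$d/both.age" "$d/secret.txt" || return 2
    decrypts "$d/master.key" "$d/both.age" "$d/secret.txt" || return 1
    decrypts "$d/server.key" "$d/both.age" "$d/secret.txt" || return 1

    # After "node remove" + sync: re-encrypted for the master key only.
    age -r "$master_pub" -o "$d/single.age" "$d/secret.txt" || return 2
    decrypts "$d/master.key" "$d/single.age" "$d/secret.txt" || return 1
    if age -d -i "$d/server.key" "$d/single.age" >/dev/null 2>"$d/err"; then
        return 1   # a removed node must not decrypt the new ciphertext
    fi
    grep -q 'no identity matched' "$d/err" || return 1

    # Ciphertext written before the removal still opens with the server key.
    decrypts "$d/server.key" "$d/both.age" "$d/secret.txt"
}

# node_demo: run the checks in a throwaway directory; 0 = behaviour confirmed
node_demo() {
    tmp=$(mktemp -d) || return 2
    node_demo_in "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
# Usage: node_demo && echo "recipient behaviour confirmed"
```

The last check passes because ciphertext produced while the server was registered stays decryptable with its key, so rotate any secret values that server has already received.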