diff --git a/.sops.yaml b/.sops.yaml
index 5477595..adfa8d0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,9 @@
 # XXX: missing: macbook, thinknix?, at some point mobile
 keys:
   - &admins age1q80zzsgglj438verw74jghezn8ndpqldvg0mfxzwtaq4v5h7apusqysavz #framenix
+  - &workmac age1fft2ynhazjwtjmxsvt37qervtekktdln2968gjp4vcp5sp3jeg5segkz3x #workmac
   # Generate AGE keys from SSH keys with:
-  # nix-shell -p ssh-to-age --run 'ssh some.example.com /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
+  # nix-shell -p ssh-to-age --run 'ssh some.example.com cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age'
   - &machine_framenix age1kx93vp8l8jd6kz0kvk379udr5z8a9t6946w0ff5t9a2esn47nqzqlfzvwe
 creation_rules:
   # per-host secrets for host specific ones, but for service modules we could store and manage them also per module scope
@@ -15,5 +16,6 @@ creation_rules:
     key_groups:
       - age:
         - *admins
+        - *workmac
         - *machine_framenix