diff --git a/hosts/common.nix b/hosts/common.nix
index 09a4711..2ab28f4 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -7,11 +7,18 @@
 {
 imports = [
 inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
 inputs.home-manager.nixosModules.home-manager
 ../modules/nixos
 ../modules/nixos/impermanence.nix
 ];
 
+ age.rekey = {
+ masterIdentities = [ ../secrets/yubikey-nix-primary.pub ];
+ storageMode = "local";
+ localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}";
+ };
+
 nixpkgs = {
 config.allowUnfree = true;
 overlays = [
diff --git a/secrets/yubikey-nix-primary.pub b/secrets/yubikey-nix-primary.pub
new file mode 100644
index 0000000..72b0dc9
--- /dev/null
+++ b/secrets/yubikey-nix-primary.pub
@@ -0,0 +1,7 @@
+# Serial: 24187788, Slot: 1
+# Name: YubiKey Nix Primary
+# Created: Mon, 25 Aug 2025 21:00:00 +0000
+# PIN policy: Once (A PIN is required once per session, if set)
+# Touch policy: Cached (A physical touch is required for decryption, and is cached for 15 seconds)
+# Recipient: age1yubikey1qwwyem3502gqenzet20xdpjnuhhv2cezvzk590jdta9wqkw48p8gj7n4x96
+AGE-PLUGIN-YUBIKEY-13SFHZQVZDDFHVHQGGYPC3
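Review bot: `localStorageDir = ./. + "/secrets/rekeyed/${config.networking.hostName}"` is anchored at the directory of this file, so from `hosts/common.nix` it resolves to `hosts/secrets/rekeyed/<host>`, while `masterIdentities` on the line above reaches the repo-level `../secrets/` directory; unless a second secrets tree under `hosts/` is intended, this should be `localStorageDir = ../secrets/rekeyed/${config.networking.hostName};` so rekeyed outputs live next to the master identity they were derived from. With `storageMode = "local"` the rekeyed files are read back from this path at evaluation time, so the chosen directory presumably has to be tracked in git for the flake to see them — worth a comment above the block, e.g. `# rekeyed per-host secrets; commit this directory, it is evaluated from the flake`. The new line also references `config`, which must be among the module's arguments; the function head is above the hunk, so I cannot confirm it from here.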
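Review bot: The committed file is the age-plugin-yubikey identity stub (the `AGE-PLUGIN-YUBIKEY-…` line references the key slot on the token rather than holding private material), so checking it in is acceptable, but the `.pub` name suggests a bare recipient, and a reader of `masterIdentities` may not realise that deriving the recipient from this stub requires the plugin and the attached YubiKey at rekey time. Since the `# Recipient:` line already carries the public key, consider passing it explicitly in `hosts/common.nix`, e.g. `masterIdentities = [ { identity = ../secrets/yubikey-nix-primary.pub; pubkey = "<recipient from the # Recipient line>"; } ];`, so recipient computation does not depend on the hardware being present. The header comments state a PIN policy of Once and a 15-second cached touch policy; a one-line note in the nix config recording that decryption of the master identity requires the token (PIN once per session, touch cached 15 s) would help whoever runs the next rekey.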