diff --git a/README.md b/README.md index e3acc7b..131cb80 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,8 @@ git clone git@github.com:Superredstone/nixos.git ~/.nixos && cd .nixos ]; } ``` -5) Switch to the new configuration +5) Follow `secrets/README.md` +6) Switch to the new configuration ```bash HOSTNAME=HOSTNAME just switch ``` diff --git a/secrets/README.md b/secrets/README.md new file mode 100644 index 0000000..00021e1 --- /dev/null +++ b/secrets/README.md @@ -0,0 +1,21 @@ +# Secrets + +## Add a new machine +1) Obtain an age identity +```bash +nix run nixpkgs#ssh-to-age -- \ + -private-key \ + -i $HOME/.ssh/id_ed25519 \ + -o $HOME/.config/sops/age/keys.txt +``` + +2) Obtain age recipient for the machine +```bash +cat /etc/ssh/ssh_host_ed25519_key.pub | nix run nixpkgs#ssh-to-age | wl-copy +``` + +3) Paste obtained key into `.sops.yaml` +4) Re-encrypt old files +```bash +sops updatekeys secrets/default.sops.yaml +```
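Review bot: the new step 5 in README.md ("Follow `secrets/README.md`") does not say what state the reader must reach before step 6, so it is easy to run `just switch` with a host whose age recipient is not yet in `.sops.yaml`. Suggest making it a relative link and naming the expected outcome, e.g. `5) Follow [secrets/README.md](secrets/README.md) so the new host's age recipient is in .sops.yaml and the secrets are re-encrypted`, and noting that step 6 will fail to decrypt secrets at activation otherwise.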
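Review bot: in secrets/README.md the identity and the recipient come from two different keys and the text does not say why, which will confuse a reader following the steps literally. Step 1 derives a private age identity from the user's `$HOME/.ssh/id_ed25519`, while step 2 derives the recipient from the machine's `/etc/ssh/ssh_host_ed25519_key.pub`; the identity written to `keys.txt` cannot decrypt files encrypted only to the host recipient, so the doc should state that step 1 is for the person editing secrets (their recipient must already be listed in `.sops.yaml`) and step 2 is for the host that decrypts at activation. Two smaller points in the same hunk: step 1 writes a private key to `$HOME/.config/sops/age/keys.txt`, so add a line to create the directory and restrict the file to the owner (`chmod 600`), and step 3 should say where in `.sops.yaml` the key goes (the `keys:` anchor list and the relevant `creation_rules` entry), since step 4's `sops updatekeys` only picks up recipients referenced by a matching rule; the path `secrets/default.sops.yaml` also assumes the command is run from the repository root, not from `secrets/`.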