docs: add documentation about secret key generation

docs/age-keys.md

@@ -0,0 +1,90 @@
+# 🔑 Managing Age Keys for Secrets
+
+This project uses [**age**](https://age-encryption.org) + [**SOPS**](https://github.com/getsops/sops) to manage secrets in Git.  
+You need to create your own **age keypair**, add the public key to the repo, and configure SOPS to use it.
+
+---
+
+## 1. Generate an Age Keypair
+
+On your workstation, run:
+
+```bash
+age-keygen -o ~/.config/age/key.txt
+```
+
+- This creates a new keypair and stores it at `~/.config/age/key.txt`.
+- The private key must **never** be committed to Git. Keep it safe (e.g., in your password manager or vault).
+- The public key looks like this:
+
+```
+age1qlf....yourpublickey....
+```
+
+---
+
+## 2. Add Your Public Key to the Repo
+
+Create (or overwrite) the file:
+
+```
+keys/age.pub
+```
+
+Put your **public key** inside, e.g.:
+
+```txt
+age1qlf....yourpublickey....
+```
+
+Commit this file:
+
+```bash
+git add keys/age.pub
+git commit -m "Add my age public key"
+```
+
+---
+
+## 3. Update `.sops.yaml`
+
+Open `.sops.yaml` in the repo and add your age public key under `creation_rules`:
+
+```yaml
+creation_rules:
+  - path_regex: secrets/.*$
+    key_groups:
+      - age:
+          - age1qlf....yourpublickey....
+```
+
+You can list multiple keys if several people need access.
+
+Commit the update:
+
+```bash
+git add .sops.yaml
+git commit -m "Configure SOPS with my age key"
+```
+
+---
+
+## 4. Test Encryption/Decryption
+
+Encrypt a file:
+
+```bash
+sops -e secrets/example.yaml > secrets/example.enc.yaml
+```
+
+Decrypt it back:
+
+```bash
+sops -d secrets/example.enc.yaml
+```
+
+If everything works, you are ready to store secrets securely in Git.
+
+---
+
+✅ That’s it — your secrets are now protected with your own master key.