diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 20c00e0c..7482decb 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -95,3 +95,10 @@ creation_rules:
 - *admin_kalipso_dsktp
 age:
 - *admin_atlan
+ - path_regex: secrets/keys/itag/.*/.*
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ age:
+ - *admin_atlan
\ No newline at end of file
diff --git a/scripts/add_new_host_keys.sh b/scripts/add_new_host_keys.sh
index 0a4600e6..8266d3a4 100755
--- a/scripts/add_new_host_keys.sh
+++ b/scripts/add_new_host_keys.sh
@@ -1,7 +1,5 @@
 set -o errexit
-set -o pipefail
-
-dbpath="./machines/secrets/keys/itag.kdbx"
+#set -o pipefail
 if [ ! -e flake.nix ]
 then
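Review bot: The new rule is appended as the last entry of `creation_rules`, and sops applies the first rule whose `path_regex` matches, so if any earlier rule (outside this hunk) already matches paths under `secrets/keys/`, this block is never used and the host keys are encrypted to that rule's recipients instead; a `sops --verbose -e` on a scratch file in the new directory confirms which rule fires. The regex is also unanchored and matches any path that merely contains `secrets/keys/itag/<x>/<y>`; if this sops version matches against the path relative to `.sops.yaml`, `^secrets/keys/itag/[^/]+/[^/]+$` pins it to exactly one host directory. The recipients are identical to the preceding rule, i.e. only the admins can decrypt; if the host is meant to decrypt its own keys at deploy time, its age key (the one the script prints) would have to be listed here as well. The file now ends without a trailing newline — add one.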
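Review bot: `set -o pipefail` is commented out instead of fixing the pipeline that trips it — `tr -dc … < /dev/urandom | head -c 20 > encryption.txt`, added later in this diff, makes `tr` die with SIGPIPE (status 141) once `head` has its 20 bytes, which under pipefail plus errexit aborts the script. With pipefail off, a genuine failure of `tr` or of `echo … | md5sum | sed` goes unnoticed because errexit only sees the last stage, so an empty `encryption.txt` would be sops-encrypted and shipped as the host's key. Keep `set -o pipefail` and tolerate only the SIGPIPE case on that one line: `tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt || [ $? -eq 141 ]`, followed by `[ "$(wc -c < encryption.txt)" -eq 20 ] || { echo "key generation failed" >&2; exit 1; }`. Note that line 1 of the file is `set -o errexit`, so there is no shebang; `pipefail` is only guaranteed under bash/ksh, which the caller's shell decides. The `if [ ! -e flake.nix ]` block at the end of the hunk continues outside it.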
@@ -18,61 +16,32 @@ if [ ! -e flake.nix ]
 done
 fi
-if [ "$1" = "list" ]; then
- read -sp "Enter password for keepassxc: " pw
- echo "$pw" | keepassxc-cli ls -R $dbpath hosts
- exit 0
-
-elif [ "$1" = "add" ]; then
- read -p "Enter new host name: " host
- read -sp "Enter password for keepassxc: " pw
+read -p "Enter new host name: " host
- # Create a temporary directory
- temp=$(mktemp -d)
+if [ "$host" = "" ]; then exit 0
+fi
- # Function to cleanup temporary directory on exit
- cleanup() {
- rm -rf "$temp"
- }
- trap cleanup EXIT
+mkdir -p machines/secrets/keys/itag/$host
+cd machines/secrets/keys/itag/$host
- # Generate SSH keys
- ssh-keygen -f $temp/"$host" -t ed25519 -N ""
- ssh-keygen -f $temp/"$host"-init -t ed25519 -N ""
+# Generate SSH keys
+ssh-keygen -f "$host" -t ed25519 -N ""
+ssh-keygen -f "$host"-init -t ed25519 -N ""
- ls $temp
+#encrypt the private keys
+sops -e -i ./"$host"
+sops -e -i ./"$host"-init
- # add folder
- echo "$pw" | keepassxc-cli mkdir $dbpath hosts/$host
+#generate encryption key
+tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20 > encryption.txt
+sops -e -i ./encryption.txt
- # add entries
- echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey
- echo "$pw" | keepassxc-cli add $dbpath hosts/$host/sshkey-init
- echo "$pw" | keepassxc-cli add -glUn -L 20 $dbpath hosts/$host/encryption
+# Info
+echo
+echo "Hier ist der age public key für sops etc:"
+echo "$(ssh-to-age -i ./$host.pub)"
+echo
+echo "Hier ist eine reproduzierbare mac-addresse:"
+echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
- # Import keys
- echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey private "$temp/$host"
- echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey public "$temp/$host.pub"
-
- # Import init keys
- echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init private "$temp/$host-init"
- echo "$pw" | keepassxc-cli attachment-import $dbpath hosts/$host/sshkey-init public "$temp/$host-init.pub"
-
-
-
- # Info
- echo
- echo "Hier ist der age public key für sops etc:"
- echo "$(ssh-to-age -i $temp/$host.pub)"
- echo
- echo "Hier ist eine reproduzierbare mac-addresse:"
- echo "$host"|md5sum|sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/'
-
- exit 0
-
-else
- echo
- echo "Add a new host to the DB and generate ssh keys and encryption key."
- echo "Usage: $0 [list|add]"
- exit 1
-fi
\ No newline at end of file
+exit 0
\ No newline at end of file
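Review bot: The private keys and the encryption secret are now written in plaintext straight into the repository tree (`ssh-keygen -f "$host"`, `> encryption.txt`) and only encrypted afterwards with `sops -e -i`; if sops fails or the run is interrupted between those steps, unencrypted key material is left under `machines/secrets/keys/itag/<host>` where `git add` will pick it up — the removed code kept it in a `mktemp -d` with a cleanup trap, and the new code drops that protection. `$host` is also used unquoted and unvalidated in `mkdir -p`/`cd`, so a name containing spaces, `/` or `..` puts the keys outside the intended directory, `read -p` without `-r` mangles backslashes, and `mkdir -p` followed by `ssh-keygen` on an existing directory will prompt about overwriting an already-deployed host's key. Since `sops -e -i` needs the file at its final path for the `path_regex` rule to match, the safer arrangement is to validate the name, refuse an existing directory, and remove the whole directory from an EXIT trap unless every encryption step completed; the info output at the end of the hunk stays as is.

```shell
read -r -p "Enter new host name: " host
# only plain host names: reject empty, leading '-', '..' and anything that could redirect mkdir/cd
case "$host" in
  ""|-*|*..*|*[!A-Za-z0-9._-]*) echo "invalid host name: '$host'" >&2; exit 1 ;;
esac

target="$PWD/machines/secrets/keys/itag/$host"
# never silently regenerate keys for a host that already has some
[ -e "$target" ] && { echo "$target already exists" >&2; exit 1; }
mkdir -p "$target"
cd "$target"

# until every file is encrypted, an abort would leave plaintext keys in the tree: wipe it on failure
ok=
trap '[ -n "$ok" ] || rm -rf -- "${target:?}"' EXIT

# … unchanged: ssh-keygen, sops -e -i, encryption.txt generation …
ok=1
# … unchanged: info output (age public key, MAC address) …
```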