diff --git a/.sops.yaml b/.sops.yaml
index 71edf90..9d29a5a 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,6 +3,8 @@ keys:
 - &aspi-ssh age1q8lc5340gz5xw2f57nglrss68wv0j0hf36py2pdtrl6ky3yrq9qqk0njr4
 - &pianonix-ssh age1hsmfz8fjxu83sax9lr487h8xr6cyge0apdq4zpge4c8jpcjj2cksj825ct
 - &builder-ssh age1kw4kmdm45zprvdkrrpvgq966l7585vhusmum083qlwnr0xxgd3uqatcyja
+ - &kardorf-ssh age15lxw97z03q40xrdscnxqqugh5ky5aqrerg2t2rphkcqm6rnllurq8v98q5
+
 creation_rules:
 - path_regex: hosts/common/secrets.yaml$
 key_groups:
@@ -10,6 +12,7 @@ creation_rules:
 - *primary
 - *aspi-ssh
 - *pianonix-ssh
+ - *kardorf-ssh
 - path_regex: hosts/builder/secrets.yaml$
 key_groups:
diff --git a/hosts/common/global/sops.nix b/hosts/common/global/sops.nix
index 54b136b..28b2822 100644
--- a/hosts/common/global/sops.nix
+++ b/hosts/common/global/sops.nix
@@ -15,7 +15,7 @@ in {
 # TODO: remove? only rely on ssh or pgp keys (e.g. ubikey like misterio is using!!!)
 keyFile = "/home/julian/.config/sops/age/keys.txt";
 # Generate key if none of the above worked. With this, building will still work, just without secrets
- generateKey = true;
+ generateKey = false; # TODO: building should not work without secrets!?
 };
 sops.defaultSopsFile = ../secrets.yaml;
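Review bot: Adding `*kardorf-ssh` to the `hosts/common/secrets.yaml` rule only changes the recipients of future encryptions; the existing file is not re-encrypted, and no change to `hosts/common/secrets.yaml` is visible in this diff. Unless that was done in a separate commit, run `sops updatekeys hosts/common/secrets.yaml` and commit the result, otherwise the new host will presumably fail to decrypt at activation. It is also worth confirming that kardorf needs everything in the common file, since this recipient can read all of it; host-specific values fit better under a per-host rule like the `hosts/builder/secrets.yaml` one that follows. In the first hunk, the `&kardorf-ssh` anchor could carry a short comment such as `# kardorf: age recipient derived from the host SSH key`, if that is how it was produced, so that key rotation can be traced later.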
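Review bot: The comment directly above `generateKey` still describes the old `true` behaviour ("With this, building will still work, just without secrets") and now contradicts the setting. Replace it with something like `# Never auto-generate an age key: a host without a provisioned key must fail to decrypt rather than run without secrets`, and drop the trailing `# TODO ...!?` or turn it into a concrete task. Note that sops-nix decrypts during system activation, not at build time, so the failure this change introduces shows up on deploy rather than on `nix build`. With generation disabled, the key at `keyFile` (or an SSH-derived key, if one is configured outside this hunk) has to exist on every host before its first activation. The attribute set starts and ends outside the hunk.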