diff --git a/secrets/REAME.md b/secrets/REAME.md index 4f432103..9a092fd8 100644 --- a/secrets/REAME.md +++ b/secrets/REAME.md @@ -50,9 +50,10 @@ Pretend you want to add a new secret file `xxx.age`, then: ``` 3. or you can also encrypt an existing file to `xxx.age` by command: ```shell - agenix -e ./encrypt/xxx.age < /path/to/xxx + cat /path/to/xxx | agenix -e ./encrypt/xxx.age ``` +the agenix use `~/.ssh/id_ed25519.pub` or `~/.ssh/id_rsa.pub` as encrypt key by default, you need to pass `--identity /path/to/key` to use a custom `/path/to/key.pub` for enctypt. ## Deploy Secrets diff --git a/secrets/default.nix b/secrets/default.nix index f4a26805..294296cc 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -9,7 +9,10 @@ agenix.packages."${pkgs.system}".default ]; - # # wireguard config used with `wg-quick up wg-business` + # if you changed this key, you need to regenerate all encrypt files from the decrypt contents! + age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ]; + + # wireguard config used with `wg-quick up wg-business` age.secrets."wg-business.conf" = { # wether secrets are symlinked to age.secrets..path symlink = true; diff --git a/secrets/encrypt/smb-credentials.age b/secrets/encrypt/smb-credentials.age index 140d25ed..ec70dcd7 100644 --- a/secrets/encrypt/smb-credentials.age +++ b/secrets/encrypt/smb-credentials.age 
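Review bot: In the default.nix hunk, `age.identityPaths = [ "/home/ryan/.ssh/juliet-age" ];` makes host-level secret decryption depend on a private key kept in a user's home directory, and (as far as I can tell from the module semantics) setting the option drops the default host keys from the identity list entirely. agenix decrypts during system activation as root, before any login, so that file must exist and be readable at that point; if /home is a separate or encrypted mount that is not yet available, activation fails, and an unprivileged account now holds the key that unlocks every secret on the host. The conventional split is to leave the default host key (`/etc/ssh/ssh_host_ed25519_key`) as the decryption identity and keep the user key only as a recipient in secrets.nix, which the secrets.nix hunk already does via `ryan`. If the user key must stay as the identity, the comment above the line should say why the host key is not used and state the precondition, e.g. `# decryption identity: a private key, must be readable by root at activation time (before /home users log in); all *.age files are encrypted to its public key in secrets.nix`.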
@@ -1,11 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 YVM6Sg vO0DYm8iol7IBG6rscZq/LQpRHh54+DdOFUR01b6yR0 -gqEePw0Fvo2uDAcwEObd7PLjA2vU6e6JhGGVoGULazA --> ssh-ed25519 Q4ARMQ fyGN9P+rvYJ8Qk5Iiyjn++Ml/XiVMvk62EshD9JOvDA -ikPmvDRZwhkHAZ2U8R10QgpJlTTynHI5Vm50xxQiKT8 --> b[1(F-grease 23C oS"65TE ~50zBiB -eMwvm36CT7qLNS6gXVezB3m8pCKyTbKfuCq3vgi/D4DQXfDq4IdAANp0o6DKuaTX -gQOZK5zIELG4bHS9SQRW4H7eAjJBUgA ---- 1p8fRawaLk8WpQHYAE7sD016F6bo4agn2UxDuUtZzmI -ggs=k+nN"oá/=^Z<~ӎki Gw3є=( Am  -U# \ No newline at end of file +-> ssh-ed25519 epfRpA jNJBiC/XF/yZK+l5KoQiP9Q4Fd3DmkDy+g4NqFsoe3I +k1lFpYcTki0wjwFBDoAwRNZED1bbZI563fFs6wF6cQI +-> ssh-ed25519 Q4ARMQ A5e3ifhn8G+XS16KqT0xtSZVwfE6IXgfN4mP0sr+wQ0 +dKHy5WGc8OxFhlDNEd/ZXPbDcvC7JcFChyK3vkquKjo +-> b9bIm-grease +Y+K1G8OK/DI2E0cCD27xOPeneAZ/hFkw8bvNBZRYmQ0kTLf017wNDrLcIbyYTjpa +/HrKBATlWanuLhzhUFWyBxaJMCqtP35j5TPRCTh7 +--- rSOSvyrgXuiNAx8P3gDV7VaTcbOzwnufTnjhVvsMS7k +3&'6a(@O2'h&SUÅ[@h=Fz̨_DeLE{ds%K \ No newline at end of file diff --git a/secrets/encrypt/wg-business.conf.age b/secrets/encrypt/wg-business.conf.age index 76829f37..dfb15e4f 100644 Binary files a/secrets/encrypt/wg-business.conf.age and b/secrets/encrypt/wg-business.conf.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index eaa72db6..23237f8f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,11 +1,11 @@ # This file is not imported into your NixOS configuration. It is only used for the agenix CLI. let - # get user's ssh public key by command: - # cat ~/.ssh/id_ed25519.pub + # get my ssh public key for agenix by command: + # cat ~/.ssh/juliet-age.pub # if you do not have one, you can generate it by command: # ssh-keygen -t ed25519 - ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJx3Sk20pLL1b2PPKZey2oTyioODrErq83xG78YpFBoj"; + ryan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7FbSWehHoOWCZMDEHLiPCa1ZJ5c6hYMzhKdXssPpE9 ryan@juliet-age"; users = [ ryan ]; # get system's ssh public key by command: