Probably you checked it already, but this normally happens when you did not add the key to your .sops.yaml or forgot to reference it in the creation_rules.
But none of the master keys have changed; shouldn’t at least one be working?
I don’t know your exact setup, but normally you have a key for each host (in my case derived from the SSH keys) that is used during boot/activation. That key needs to be referenced in the .sops.yaml as well. What do you mean by master key?
Basically, I have two YubiKeys and a deterministic age key that can decrypt any secret on any host, just in case I lose the host key somehow.
Okay, problem with the agenix install check: it doesn’t decrypt secrets when rebuilding. But if I don’t put the check, it tries decrypting secrets when I’m installing. Sops-nix doesn’t seem to have this issue. I could switch my setup to sops-nix, but the setup is heavily integrated with passage, and I feel like if I don’t use agenix as well I’m wasting the integration, which is a stupid feeling.