diff --git a/sw/secrets.nix b/sw/secrets.nix
index 16ec398..8fd1410 100644
--- a/sw/secrets.nix
+++ b/sw/secrets.nix
@@ -191,8 +191,28 @@ in
     # Auto-discovered secrets with default permissions
     age.secrets = applicableSecrets // cfg.secrets.extraSecrets;
 
-    # Configure identity paths for decryption based on discovered public keys
-    age.identityPaths = identityPaths;
+    # Generate age identity files from SSH host keys at boot
+    # This is needed because age can't reliably use OpenSSH private keys directly
+    system.activationScripts.convertSshToAge = {
+      deps = [ ];
+      text = ''
+        mkdir -p /etc/age
+        if [ -f /etc/ssh/ssh_host_ed25519_key ] && ! [ -f /etc/age/ssh_host_ed25519.age ]; then
+          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_ed25519_key > /etc/age/ssh_host_ed25519.age
+          chmod 600 /etc/age/ssh_host_ed25519.age
+        fi
+        if [ -f /etc/ssh/ssh_host_rsa_key ] && ! [ -f /etc/age/ssh_host_rsa.age ]; then
+          ${pkgs.ssh-to-age}/bin/ssh-to-age -private-key -i /etc/ssh/ssh_host_rsa_key > /etc/age/ssh_host_rsa.age 2>/dev/null || true
+          chmod 600 /etc/age/ssh_host_rsa.age 2>/dev/null || true
+        fi
+      '';
+    };
+
+    # Add the converted age keys to identity paths (in addition to auto-discovered ones)
+    age.identityPaths = identityPaths ++ [
+      "/etc/age/ssh_host_ed25519.age"
+      "/etc/age/ssh_host_rsa.age"
+    ];
 
     # Optional: Add assertion to warn if no secrets found
     warnings =