Known Issues

| ID | Issue | Severity | Status |
|---|---|---|---|
| ISS-001 | Downtime computer MAC list not yet confirmed — need to extract from email/ISE | High | Open |
| ISS-002 | Unknown if downtime computers have a dedicated ISE identity group or are mixed with general endpoints | Medium | Open |
| ISS-003 | WLC profile_name may vary — need to confirm exact string match for wireless NAS filter | Medium | Open |

INC-2026-04-21-001: Age Encryption Key Mismatch

Severity: Medium
Date: 2026-04-21
Status: Resolved
File Affected: data/d001/projects/downtime-computers.adoc.age

Incident

The file was re-encrypted using ~/.age/recipients/self.txt, which contains a DIFFERENT public key than the one paired with the master private key at ~/.secrets/.metadata/keys/master.age.key. The decrypt-file script uses the master key, so decryption failed with the error: no identity matched any of the recipients.

Root Cause

Two age key pairs exist on the system. ~/.age/recipients/self.txt is NOT paired with ~/.secrets/.metadata/keys/master.age.key. Encryption used the wrong recipient without verifying which private key decrypt-file uses.

Detection

decrypt-file data/d001/projects/downtime-computers.adoc.age
# age: error: no identity matched any of the recipients

Recovery

# 1. Restore original from git history (>| overrides zsh noclobber)
git show HEAD~1:data/d001/projects/downtime-computers.adoc.age >| data/d001/projects/downtime-computers.adoc.age

# 2. Decrypt (works — original used correct key)
decrypt-file data/d001/projects/downtime-computers.adoc.age

# 3. Re-encrypt with correct key derived from master private key
PUBKEY=$(age-keygen -y ~/.secrets/.metadata/keys/master.age.key)
age -e -r "$PUBKEY" -o file.adoc.age file.adoc

# 4. Verify round-trip
decrypt-file file.adoc.age

Prevention

  • NEVER encrypt with ~/.age/recipients/self.txt — may not match decrypt identity

  • ALWAYS derive public key from master: age-keygen -y ~/.secrets/.metadata/keys/master.age.key

  • ALWAYS verify round-trip (encrypt → decrypt → verify) before committing

  • Correct command:

PUBKEY=$(age-keygen -y ~/.secrets/.metadata/keys/master.age.key)
age -e -r "$PUBKEY" -o file.age file
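
The Prevention rules above can be enforced in one wrapper, shown here as an added example that is not part of the original runbook. It assumes age and age-keygen are on PATH; the function names recipient_in_file and safe_encrypt are hypothetical, and the key path is the one named in this incident.

```shell
# Added example, not from the original page. Function names are hypothetical.
# Assumes age and age-keygen are on PATH; key path is the one the page names.
MASTER_KEY="${MASTER_KEY:-$HOME/.secrets/.metadata/keys/master.age.key}"

# recipient_in_file PUBKEY FILE
# Succeeds only if FILE lists PUBKEY as a recipient (one per line, '#' = comment).
# Use it to audit a recipients file such as ~/.age/recipients/self.txt.
recipient_in_file() {
    [ -n "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | tr -d ' \t\r' | grep -qxF -- "$1"
}

# safe_encrypt PLAINTEXT OUTPUT
# Encrypts to the recipient derived from MASTER_KEY and replaces OUTPUT only
# after the master identity has decrypted the new ciphertext byte-for-byte.
safe_encrypt() {
    local src="$1" out="$2" pubkey tmp
    pubkey=$(age-keygen -y "$MASTER_KEY") || {
        echo "cannot derive recipient from $MASTER_KEY" >&2; return 1; }
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    # The first decrypt checks that the identity matches (exit status);
    # the second compares the decrypted bytes with the plaintext.
    if age -e -r "$pubkey" "$src" > "$tmp" &&
       age -d -i "$MASTER_KEY" "$tmp" > /dev/null 2>&1 &&
       age -d -i "$MASTER_KEY" "$tmp" | cmp -s - "$src"; then
        mv -f "$tmp" "$out"
    else
        echo "encrypt or round-trip failed; $out left untouched" >&2
        rm -f "$tmp"; return 1
    fi
}
```

Because the ciphertext is written to a temporary file and moved into place only after the round-trip succeeds, a key mismatch can no longer overwrite a good .age file. Passing the output of age-keygen -y "$MASTER_KEY" and a recipients file to recipient_in_file shows whether that file is actually paired with the master identity.
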

Key Lesson

git show HEAD~N:path recovers any file from history — even encrypted files overwritten with the wrong key. Git is the backup. >| overrides zsh noclobber.