diff --git a/Makefile b/Makefile
index 23dcb9e..8276239 100644
--- a/Makefile
+++ b/Makefile
@@ -15,18 +15,19 @@ clean:
 age-add-gitignore:
 @touch .gitignore; for f in $$(yq eval .paths[] .age.yml); do grep -qxF $$f .gitignore || echo $$f >> .gitignore; done
-# Decrypts all secrets and removes the .age file
+# Decrypts all secrets and deletes encrypted .age
 age-unseal:
 @for f in $$(yq eval .paths[] .age.yml); do \
 age --decrypt -i ~/.ssh/git.age -o $$f $$f.age && rm $$f.age; \
 done
-# Encrypts all secrets, but compares the local unencrypted files with the decrypted content from the index first
+# Compares all unencrypted files against last encrypted versions
 # If there are no diffs, just restore the .age file from the index and delete the unaltered local unencrypted file
-# If there are changes re-encrypt
+# otherwise re-encrypt and remove clear text
 age-seal:
 @keys=$$(yq eval .keys[] .age.yml | sed -e 's/^/-r /' ); \
 for f in $$(yq eval .paths[] .age.yml); do \
 [ -f $$f ] || continue; \
- git restore $${f}.age 2>/dev/null && age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f 2>/dev/null 1>&2 && \
+ git restore $${f}.age 2>/dev/null && \
+ age --decrypt -i ~/.ssh/git.age $$f.age | diff -q - $$f 2>/dev/null 1>&2 && \
 rm -f $$f || ( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; ); done
diff --git a/overlay/zdt/configs/access.conf.age b/overlay/zdt/configs/access.conf.age
index 0f64c3b..63556ad 100644
Binary files a/overlay/zdt/configs/access.conf.age and b/overlay/zdt/configs/access.conf.age differ
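Review bot: In the `age-seal` recipe the fallback branch `( rm -f $$f.age; age --encrypt $$keys -o $$f.age $$f && rm -f $$f; )` removes the existing ciphertext before the new encryption has succeeded, and a failure there is not propagated: the `for` loop carries on and the recipe's exit status is that of the last path only. If `age --encrypt` fails for one file (for example when `$$keys` is empty because the `yq` call returned nothing), that secret stays on disk in clear text with no `.age` beside it while `make age-seal` can still exit 0. Ending the branch with `|| exit 1`, and dropping the leading `rm -f $$f.age` if `-o` turns out to overwrite an existing file, would make a failed seal visible. The `$$f` expansions are also unquoted, so a path in `.age.yml` containing spaces or glob characters would be split or expanded before it reaches `rm -f`; `"$$f"` and `"$$f.age"` avoid that.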