diff --git a/Makefile b/Makefile
index f0c3f88..f305962 100644
--- a/Makefile
+++ b/Makefile
@@ -10,3 +10,18 @@ build:
 clean:
 rm -rf alpine-cloud-images/work
+
+# Adds all tracked encrypted files to .gitignore as safety net
+age-add-gitignore:
+ @for f in $$(yq eval .file_ids[] .ageboxreg.yml); do grep -qxF $$f .gitignore || echo $$f >> .gitignore; done
+
+# Decrypts all secrets, which also removes the .agebox files locally and they show as "deleted" for now
+# This is a design choice of the agebox devs atm
+age-unseal:
+ @agebox decrypt --all
+
+# Encrypts all secrets, but compares the local unencrypted files with the decrypted content from the index first
+# If there are no diffs, just restore the agebox file from the index and delete the unaltered local unencrypted file
+# If there are changes re-encrypt
+age-seal:
+ @for f in $$(yq eval .file_ids[] .ageboxreg.yml); do git restore $${f}.agebox; agebox cat $$f.agebox | diff - $$f && rm -f $$f || ( rm -f $$f.agebox; agebox encrypt $$f --public-keys .agekeys; ); done
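Review bot: In `age-seal`, `agebox cat $$f.agebox | diff - $$f` prints the differing lines of the decrypted and the local plaintext secret to stdout whenever a file has changed, so secret material lands in terminal scrollback or in any captured build log; the `@` prefix hides only the command, not its output. A silent comparison such as `cmp -s - "$$f"` yields the same equal/different result without printing content. The same recipe line removes `$$f.agebox` before `agebox encrypt` runs and chains the steps with `;`, so a failed encryption of any file but the last is swallowed by the loop and leaves that secret in plaintext with no encrypted copy in the working tree; ending the group with `) || exit 1; done` would make the target fail instead. `$$f` is also unquoted in both loops, so a registered path containing spaces or glob characters would be split or expanded by the shell.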