diff --git a/setup-host.txt b/setup-host.txt index 84db3dd..03e0603 100644 --- a/setup-host.txt +++ b/setup-host.txt @@ -7,7 +7,7 @@ * copy key.bin to hosts// * use the generated config to create new config in hosts/ * set the actual device IDs in hosts//default.nix -* on base host: nix run github:nix-community/nixos-anywhere -- --flake '.#' nixos@ +* set or update key for target in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/*.yaml" +* if new machine, add a secrets/.yaml for it +* on base host: nix run github:nix-community/nixos-anywhere -- --copy-host-keys --flake '.#' nixos@ * after confirmed working, update hosts//default.nix to set keyFile to /dev/sdX (otherwise when the USB drive fails it's harder to replace) -* if replacing failed host in place, update key in .sops.yaml with the output from "ssh-keyscan | ssh-to-age" then "sops updatekeys secrets/*.yaml" -** if installing new host, do the same for install then again after the first reboot (the installer key is not persisted)
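Review bot: the coupling between the new "set or update key for target in .sops.yaml ... then sops updatekeys" step and the added `--copy-host-keys` flag is implicit; the step should say that the key being scanned is the installer's SSH host key and that `--copy-host-keys` is what carries it onto the installed system, since a reader who drops that flag will end up with secrets encrypted to a key the installed host no longer has (the situation the removed "the installer key is not persisted" line described). It would also help to note at that step that `ssh-keyscan` is trust-on-first-use: the key it returns becomes an age recipient for everything in secrets/*.yaml, so its fingerprint should be checked against the installer's console before running `sops updatekeys`.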