
age - simple, modern and secure file encryption

age is a modern alternative to older file encryption tools like GPG. It is designed to be simple, modern and secure, it is built using modern encryption primitives, and it is easy to use. age works by creating or using public/private key pairs to encrypt and decrypt files. The public key can be shared with others to allow them to encrypt files that only you can decrypt.

age can be found on GitHub here. In this article, I will explore age and demonstrate how to use it to encrypt and decrypt files.

Installation

age is available for a variety of platforms including Linux, macOS, Windows, and more! The easiest way to install age is to use a package manager for your platform. A list of available places to install age can be found here.

Usage

age can encrypt and decrypt files using either a passphrase or a public/private key pair. The following examples demonstrate how to use age to encrypt and decrypt files.

Using age with a passphrase

To encrypt a file using a passphrase, use the following command:

$ age --passphrase --output output.txt.age input.txt
Enter passphrase (leave empty to autogenerate a secure one):
Confirm passphrase:

To decrypt a file using a passphrase, use the age command with the --decrypt option:

❯ age --decrypt --output input.txt output.txt.age
Enter passphrase:

Using age with a public/private key pair

Before encrypting with a public/private key pair, generate one with age-keygen and append it to your keys file:

❯ age-keygen >> ~/.config/age/keys.txt
age-keygen: warning: writing secret key to a world-readable file
Public key: age1hpct7gdhldvx3q0lj94t5nfp2zhqwq6ksemk65l2xrrvzlykavzsa9ngh0

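The warning in that output means the secret key was written to a file that other users on the system can read, so restrict the file's permissions to your own user before relying on it. To encrypt a file using the public key, pass it as the recipient with -r: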

tar cvz ~/data | age -r age1hpct7gdhldvx3q0lj94t5nfp2zhqwq6ksemk65l2xrrvzlykavzsa9ngh0 > data.tar.gz.age

To decrypt the file, pass the keys file containing the private key as the identity with -i:

❯ age --decrypt -i ~/.config/age/keys.txt -o data.tar.gz data.tar.gz.age

Using age with SSH Keys

age can also be used with SSH keys. For example, you can use public keys retrieved from GitHub to encrypt files that only the owner of the private key can decrypt. To do this, you can use the following command:

❯ curl https://github.com/aranw.keys | age -R - input.txt > output.txt.age

Decrypting the file is only possible with my private key. This is a great way to share files with others without the need for a shared secret or passphrase.
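Keys fetched this way are trusted exactly as the server returns them, so it helps to compare them with fingerprints obtained out of band before encrypting. The following is an added example, not code from the original article or the age project: it keeps only pinned keys of the two SSH types age documents support for (ssh-ed25519 and ssh-rsa). The function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

SUPPORTED = {"ssh-ed25519", "ssh-rsa"}  # SSH key types age accepts as recipients

def ssh_string(data):
    """Length-prefixed field, as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + b64.rstrip("=")

def vet_recipients(text, pinned):
    """Return (accepted_lines, [(line_no, reason), ...]) for fetched key lines."""
    accepted, rejected = [], []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except (IndexError, ValueError):
            rejected.append((no, "malformed line"))
            continue
        if parts[0] not in SUPPORTED:
            rejected.append((no, "unsupported key type"))
        # The blob embeds its own type string; it must match the line prefix.
        elif not blob.startswith(ssh_string(parts[0].encode())):
            rejected.append((no, "type mismatch"))
        elif fingerprint(blob) not in pinned:
            rejected.append((no, "fingerprint not pinned"))
        else:
            accepted.append(line)
    return accepted, rejected

def sample_line(key_type, key_bytes):
    """Build a constructed (non-real) public key line for the demo."""
    blob = ssh_string(key_type.encode()) + ssh_string(key_bytes)
    return key_type + " " + base64.b64encode(blob).decode()

# Constructed sample standing in for the body of a fetched .keys file.
GOOD = sample_line("ssh-ed25519", bytes(range(32)))
SAMPLE = "\n".join([GOOD,
    sample_line("ssh-ed25519", bytes(32)),             # valid but not pinned
    sample_line("ecdsa-sha2-nistp256", b"\x01" * 65),  # type age cannot use
    "ssh-rsa " + GOOD.split()[1]])                     # prefix/blob mismatch
PINNED = {fingerprint(base64.b64decode(GOOD.split()[1]))}
```

The accepted lines can be written to a file and passed to age with -R in place of the raw download.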

Using a YubiKey with age

Another fantastic feature of age is the ability to use plugins to extend its functionality. For example, you can use a YubiKey to encrypt and decrypt files. To install the age YubiKey plugin, you can visit the GitHub repository.

Once installed, you can use the following command to set up age to work with your YubiKey:

❯ age-plugin-yubikey

This will start an interactive prompt that will help configure age and your YubiKey to work together. Once completed you’ll be able to use your YubiKey to encrypt and decrypt files given the correct recipient id and configuration.

Next

age is a great tool for encrypting files and is a great alternative to older tools like GPG. I think the next step for me is to explore combining age with sops (Secrets OPerationS) from Mozilla.