You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
Filippo Valsorda b4e0d7718f
README: remove mailing list mention
3 days ago
.github .github: update "New issue" page (#211) 4 days ago
HomebrewFormula HomebrewFormula: update age.rb to 1.0.0-rc.1 (#199) 1 month ago
agessh cmd/age: add -e and support encrypting with -i 1 month ago
armor age: move package from filippo.io/age/age to filippo.io/age 🤦‍♂️ 10 months ago
cmd cmd/age: use golang.org/x/term instead of deprecated package (#205) 2 weeks ago
internal internal/format: drop go-fuzz test case 1 month ago
testdata cmd/age: expand test vectors suite 2 months ago
.cirrus.yml .github/workflows: switch from Travis CI to GitHub Actions 5 months ago
.gitattributes all: add .gitattributes to protect .age files from autocrlf 2 months ago
LICENSE Initial commit 2 years ago
README.md README: remove mailing list mention 3 days ago
age.go age: make Identity and Recipient work on multiple stanzas 2 months ago
age_test.go age: clean up examples of hardcoded data 7 months ago
go.mod cmd/age: use golang.org/x/term instead of deprecated package (#205) 2 weeks ago
go.sum all: update golang.org/x/crypto 1 month ago
parse.go age,cmd/age: add ParseRecipients and -R for recipient files 4 months ago
primitives.go cmd/age: expand test vectors suite 2 months ago
recipients_test.go age: make Identity and Recipient work on multiple stanzas 2 months ago
scrypt.go cmd/age: expand test vectors suite 2 months ago
x25519.go cmd/age: expand test vectors suite 2 months ago

README.md

age

pkg.go.dev

age is a simple, modern and secure file encryption tool, format, and library.

It features small explicit keys, no config options, and UNIX-style composability.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz

The format specification is at age-encryption.org/v1. age was designed by @Benjojo12 and @FiloSottile.

An alternative interoperable Rust implementation is available at github.com/str4d/rage.

Usage

Usage:
    age (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -d, --decrypt               Decrypt the input to the output.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age

If the argument to -R (or -i) is -, the file is read from standard input.

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default age will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.

$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:

SSH keys

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.

Encrypting to a GitHub user

Combining SSH key support and -R, you can easily encrypt a file to the SSH keys listed on a GitHub profile.

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can't be used to decrypt files.

Installation

On macOS or Linux, you can use Homebrew:

brew tap filippo.io/age https://filippo.io/age
brew install age

On Windows, Linux, and macOS, you can use the pre-built binaries.

If your system has Go 1.13+, you can build from source:

git clone https://filippo.io/age && cd age
go build -o . filippo.io/age/cmd/...

On Arch Linux, age is available in the official repositories:

sudo pacman -Syu age

On OpenBSD -current and 6.7+, you can use the port:

pkg_add age

On all supported versions of FreeBSD, you can build the security/age port or use pkg:

pkg install age

Help from new packagers is very welcome.