You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
str4d 4aa52a2dbb
Merge pull request #224 from str4d/plugin-api-improvements
1 week ago
.github CI: Build Linux releases with earlier Ubuntu versions 2 weeks ago
HomebrewFormula Update Homebrew formula to 0.5.1 2 months ago
age i18n-embed 0.12 1 month ago
age-core age-core: Start plugin binaries in a temporary working directory 2 months ago
age-plugin age-plugin: Simplify IdentityPluginV1 trait 1 week ago
docs Include completion files in Debian package 1 year ago
fuzz Merge branch 'release-0.5.1' into main 2 months ago
fuzz-afl Merge branch 'release-0.5.1' into main 2 months ago
rage rage: Disable Unicode Directionality Isolation Marks in translations 2 weeks ago
.gitignore added .idea to .gitignore 1 year ago
Cargo.lock cargo update 3 weeks ago
Cargo.toml Empty age-plugin library crate 4 months ago
LICENSE-APACHE Add README and license info 2 years ago
LICENSE-MIT Add README and license info 2 years ago Bump to scrypt 0.6 and bcrypt-pbkdf 0.5 1 month ago
rust-toolchain Bump to scrypt 0.6 and bcrypt-pbkdf 0.5 1 month ago

rage: Rust implementation of age

rage is a simple, modern, and secure file encryption tool, using the age format. It features small explicit keys, no config options, and UNIX-style composability.

The format specification is at To discuss the spec or other age related topics, please email the mailing list at age was designed by @Benjojo12 and @FiloSottile.

The reference interoperable Golang implementation is available at


  rage [--encrypt] -r RECIPIENT [-i IDENTITY] [-a] [-o OUTPUT] [INPUT]
  rage --decrypt [-i IDENTITY] [-o OUTPUT] [INPUT]

Positional arguments:
  INPUT                       Path to a file to read from.

Optional arguments:
  -h, --help                  Print this help message and exit.
  -V, --version               Print version info and exit.
  -e, --encrypt               Encrypt the input (the default).
  -d, --decrypt               Decrypt the input.
  -p, --passphrase            Encrypt with a passphrase instead of recipients.
  --max-work-factor WF        Maximum work factor to allow for passphrase decryption.
  -a, --armor                 Encrypt to a PEM encoded format.
  -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. May be repeated.
  -R, --recipients-file PATH  Encrypt to the recipients listed at PATH. May be repeated.
  -i, --identity IDENTITY     Use the identity file at IDENTITY. May be repeated.
  -o, --output OUTPUT         Write the result to the file at path OUTPUT.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

- An age public key, as generated by rage-keygen ("age1...").
- An SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

PATH is a path to a file containing age recipients, one per line
(ignoring "#" prefixed comments and empty lines).

IDENTITY is a path to a file with age identities, one per line
(ignoring "#" prefixed comments and empty lines), or to an SSH key file.
Multiple identities may be provided, and any unused ones will be ignored.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
    -r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
# Bob
$ rage -R recipients.txt example.jpg > example.jpg.age


Files can be encrypted with a passphrase by using -p/--passphrase. By default rage will automatically generate a secure passphrase.

$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
$ rage -d example.png.age >example.png
Type passphrase: [hidden]

SSH keys

As a convenience feature, rage also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ rage -R ~/.ssh/ example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.


On macOS or Linux, you can use Homebrew:

brew tap
brew install rage

On Windows, Linux, and macOS, you can use the pre-built binaries.

If your system has Rust 1.47+ installed (either via rustup or a system package), you can build directly from source:

cargo install rage

Note: previously the rage suite of tools was provided in the age Rust crate. This is no longer the case; age now only contains the Rust library.

Help from new packagers is very welcome.

Feature flags

  • mount enables the rage-mount tool, which can mount age-encrypted TAR or ZIP archives as read-only. It is currently only usable on Unix systems, as it relies on libfuse.

  • ssh (enabled by default) enables support for reusing existing SSH key files for age encryption.

  • unstable enables in-development functionality. Anything behind this feature flag has no stability or interoperability guarantees.


Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.