How to use Age: a simple and user-friendly yet very effective encryption tool

Today, I would like to present to you a user-friendly encryption tool that is secure with “explicit” keys and requires no configuration. Its name is Age, and it is also available as a Go library.

To install it on macOS:

brew install age

To install it on Ubuntu:

apt install age

To install it on Windows:

scoop bucket add extras; scoop install age

Binaries for Windows, Linux, macOS, and FreeBSD are also available on the GitHub page.

To generate a new encryption key, proceed as follows:

age-keygen -o key.txt

This key will be stored in key.txt. Then you can use it to encrypt a file like this:

age --encrypt -i key.txt -o file.age file.txt

Or pass the key directly with the -r parameter. The example below also shows that you can encrypt the output of a command (here, the creation of a tar archive):

tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age

And to decrypt this file:

age --decrypt -i key.txt file.age > file.txt

You can also specify multiple keys, one -r per recipient:

age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

You can also protect the file with a passphrase using the -p parameter:

age -p file.txt > file.txt.age

The tool will then ask you to enter a passphrase or generate one for you.

As you can see, there is no private key. Just a big (public) key that is used for both encryption and decryption. Rest assured, Age also supports encryption from SSH ssh-rsa and ssh-ed25519 public keys, and decryption is done with the corresponding private key.

To encrypt:

age -R ~/.ssh/ example.jpg > example.jpg.age

To decrypt:

age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

However, be aware that support for SSH keys uses more complex cryptography and incorporates a public key tag in the encrypted file, which allows tracking of files encrypted with this specific key.
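
To see what that tag looks like in practice, here is an added example (not from the original post or the age project): Python code that lists the recipient stanzas in a binary age file header and reports which SSH public keys the file can be linked to. It assumes the age v1 header layout and that the tag is the first 4 bytes of SHA-256 over the key's SSH wire encoding, base64 without padding; the function names are my own, and the keys and file bytes are constructed samples.

```python
import base64
import hashlib
import struct

VERSION_LINE = b"age-encryption.org/v1"

def ssh_key_tag(pub_line: str) -> str:
    """Assumed tag: base64(SHA-256(SSH wire-format key)[:4]) without padding."""
    blob = base64.b64decode(pub_line.split()[1])
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).decode().rstrip("=")

def recipient_stanzas(data: bytes) -> list:
    """Return (type, args) for every recipient stanza in a binary age header."""
    lines = data.split(b"\n")
    if lines[0] != VERSION_LINE:
        raise ValueError("not a binary age v1 file (decode ASCII armor first)")
    stanzas = []
    for line in lines[1:]:
        if line.startswith(b"---"):      # MAC line: header ends, payload follows
            return stanzas
        if line.startswith(b"-> "):      # stanza line; other lines are its body
            kind, *args = line[3:].decode("ascii").split(" ")
            stanzas.append((kind, args))
    raise ValueError("header has no terminating MAC line")

def linkable_keys(data: bytes, pub_lines: list) -> list:
    """SSH public keys (authorized_keys-style lines) whose tag is in the header."""
    tags = {args[0] for kind, args in recipient_stanzas(data)
            if kind.startswith("ssh-") and args}
    return [p for p in pub_lines if ssh_key_tag(p) in tags]

def sample_pub(raw: bytes, comment: str) -> str:
    """Constructed ssh-ed25519 key line (wire format: length-prefixed fields)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", raw))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample keys and file: not real key material or real ciphertext.
SAMPLE_PUB = sample_pub(bytes(range(32)), "constructed@example")
OTHER_PUB = sample_pub(bytes(32), "other@example")
SAMPLE_FILE = b"\n".join([
    VERSION_LINE,
    b"-> X25519 " + b"A" * 43, b"B" * 43,
    b"-> ssh-ed25519 " + ssh_key_tag(SAMPLE_PUB).encode() + b" " + b"C" * 43, b"D" * 43,
    b"--- " + b"E" * 43,
    b"\x00\x01constructed payload",
])

if __name__ == "__main__":
    print(recipient_stanzas(SAMPLE_FILE))
    print("linkable to:", linkable_keys(SAMPLE_FILE, [OTHER_PUB, SAMPLE_PUB]))
```

The X25519 stanza carries only an ephemeral share, so files encrypted to native age keys do not show up in this check.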

And if you’re interested, there is also a Rust implementation available here. In addition, there is a plugin for those who want to use their Yubikey with this tool.

Discover it here.