We should avoid using PGP (and therefore GPG), since there are a lot of problems with this old, dusty tool and it needs to go away. For detailed information, please look at this article: The PGP Problem
As a modern alternative, age is a simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
age creates its own asymmetric public and private key pair. As is typical, the public key is used to encrypt and the private key to decrypt files, directories and messages.
As a convenience feature, age also supports encrypting to ssh-ed25519 SSH public keys, and decrypting with the respective private key.
First let’s install
# macOS
$ brew install age
# Ubuntu 22.04+
$ sudo apt install age
For other platforms: Age installation
To create a public and private key pair, run the command below:
$ age-keygen -o key.txt
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
If you look into the content of the key.txt file you will see:
$ cat key.txt
# created: 2022-12-04T18:34:36+03:00
# public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
AGE-SECRET-KEY-1W2259L9GJ99E28FFQQSFNJMEARKA7LXRP3E927WF0TARNDJ9L87SZCC5ND
As usual, you should keep your private key hidden.
You can encrypt this file afterwards, or you can create an encrypted key file in the first place.
$ age-keygen | age -p > key.age
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
You can encrypt files with an age key as shown below:
$ age -o secret.txt.age -r age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk secret.txt
The -r flag stands for recipient, and you can also give the flag in its verbose form:
-o is for output. So we encrypt the secret.txt file for the
For multiple recipients pass additional
$ age -o secret.txt.age \
    -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg \
    secret.txt
You can use a recipient file for multiple recipients:
$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt secret.txt > secret.txt.age
As mentioned before, age also supports encrypting to SSH public keys, and decrypting with the respective private key file. To
$ age -R ~/.ssh/id_ed25519.pub secret.txt > secret.txt.age
Combining SSH key support and the -R flag, you can encrypt a file to the SSH keys listed on a GitHub profile.
$ curl https://github.com/SerhatTeker.keys | age -R - secret.txt > secret.txt.age
Yes, you can fetch everyone's SSH keys that are saved on GitHub from a URL like the one below:
$ curl https://github.com/UserName.keys
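The `curl ... | age -R -` pattern above encrypts to whatever key list the URL returns at that moment. As an added example (not from the original post or the age project), this Python script keeps only recipients whose SSH fingerprint or age recipient string is in a set you have confirmed with the recipient; the function names, the pinned set and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# SSH wire encoding of an ed25519 public key: string "ssh-ed25519", then a 32-byte key
HEADER = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)

def ssh_fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def identify(line):
    """Return the value to compare with the pinned set for one recipient line."""
    if line.startswith("age1"):
        return line  # native age recipient: pin the string itself
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an age or ssh-ed25519 recipient")
    blob = base64.b64decode(fields[1], validate=True)  # bad base64 raises ValueError
    if len(blob) != len(HEADER) + 32 or not blob.startswith(HEADER):
        raise ValueError("key blob does not match the declared type")
    return ssh_fingerprint(blob)

def filter_recipients(text, pinned):
    """Split a recipients list into accepted lines and (line number, reason) rejects."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ident = identify(line)
            if ident not in pinned:
                raise ValueError("not pinned: " + ident)
            accepted.append(line)  # safe to pass on to `age -R -`
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return accepted, rejected

def sample_key(fill):
    """Constructed test key: 32 identical bytes, not a real key."""
    return "ssh-ed25519 " + base64.b64encode(HEADER + bytes([fill]) * 32).decode()

if __name__ == "__main__":
    known = sample_key(1)
    pinned = {ssh_fingerprint(base64.b64decode(known.split()[1]))}
    feed = "\n".join([known, sample_key(2), "ssh-rsa AAAA"])  # constructed feed
    print(filter_recipients(feed, pinned))
```

The fingerprints to pin are the ones `ssh-keygen -lf` prints for the recipient's public key file, obtained over a channel other than the URL being checked.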
If a file was encrypted with the public portion of an age key, you can decrypt it as shown below:
$ age --decrypt -i key.txt secret.txt.age > secret.txt
key.txt contains the private portion of the age key.
You can decrypt the SSH-keys-encrypted file by running:
$ age -d -i ~/.ssh/id_ed25519 secret.txt.age > secret.txt
For more information, look at the official documentation on age.