How to Encrypt and Decrypt Files and Data With Age - Part IV
In the previous posts (Part 1, Part 2, Part 3) we saw how to encrypt and
decrypt files, directories and messages with
OpenSSL. In this article
we’ll see how to encrypt and decrypt them with Age.
We should avoid using PGP (and therefore GPG), since there are a lot of problems with this old, dusty tool and it needs to go away. For detailed information, see this article: The PGP Problem
As an alternative, age is a simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
Age creates its own asymmetric public and private key pair. As is typical, it uses the public key to encrypt and the private key to decrypt files, directories and messages.
As a convenience feature,
age also supports encrypting to
ssh-ed25519 SSH public keys, and decrypting with the respective private key.
First let’s install
# MacOS
$ brew install age
# Ubuntu 22.04+
$ sudo apt install age
For other platforms: Age installation
1.0 Creating Age Keys
To create a public and private key pair, run the command below:
$ age-keygen -o key.txt
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
If you look into the content of the
key.txt file you will see:
$ cat key.txt
# created: 2022-12-04T18:34:36+03:00
# public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
AGE-SECRET-KEY-1W2259L9GJ99E28FFQQSFNJMEARKA7LXRP3E927WF0TARNDJ9L87SZCC5ND
As usual, you should keep your private key hidden.
You can encrypt this file afterwards, or you can create an encrypted key file in the first place.
$ age-keygen | age -p > key.age
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
2.0 Encryption with Age Keys
You can encrypt files with an age key like below:
$ age -o secret.txt.age -r age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk secret.txt
The -r flag stands for recipient, and you can also give the flag in its verbose form:
-o is for output. So we encrypt
secret.txt file for the
2.0.0 Multiple Recipients
For multiple recipients pass additional
$ age -o secret.txt.age \
    -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg \
    secret.txt
2.0.1 Recipients file
You can use a recipient file for multiple recipients:
$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt secret.txt > secret.txt.age
2.1 Encryption with SSH Keys
As mentioned before,
age also supports encrypting to
SSH public keys, and decrypting with the respective private key file. To
$ age -R ~/.ssh/id_ed25519.pub secret.txt > secret.txt.age
2.1.0 Encrypting to a GitHub user
Combining SSH key support and the
-R flag, you can encrypt a file to the SSH keys
listed on a GitHub profile.
$ curl https://github.com/SerhatTeker.keys | age -R - secret.txt > secret.txt.age
Yes, you can fetch anyone’s SSH keys that are saved on GitHub from a URL like the one below:
$ curl https://github.com/UserName.keys
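The .keys URL returns whatever keys are on the profile at fetch time, so it is worth checking them against fingerprints you verified out of band before handing them to age -R. The sketch below is an added example, not code from the original post or the age project; the function names are hypothetical and the sample keys are constructed.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(line):
    """SHA256 fingerprint of one OpenSSH public key line, as `ssh-keygen -lf` shows it."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed key type; it must match the text prefix.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pinned_recipients(keys_text, pinned):
    """Keep only key lines whose fingerprint is in `pinned`; drop everything else."""
    accepted = []
    for raw in keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fingerprint = ssh_fingerprint(line)
        except (ValueError, struct.error):
            continue  # malformed line: never pass it on to age
        if fingerprint in pinned:
            accepted.append(line)
    return accepted


def make_sample_key(seed):
    """Constructed ssh-ed25519 line for the demo (32 hash bytes, not a real user's key)."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    known = make_sample_key(b"known")
    unknown = make_sample_key(b"unknown")
    fetched = known + "\n" + unknown + "\n"   # stands in for the curl output
    pins = {ssh_fingerprint(known)}           # verified out of band beforehand
    for key_line in pinned_recipients(fetched, pins):
        print(key_line)                       # only the pinned key is printed
```

The accepted lines can be saved to a recipients file and passed to age -R in place of the raw curl output; if the list comes back empty, do not encrypt.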
3.0 Age Keys
If a file was encrypted with the public portion of an age key, you can decrypt it like below:
$ age --decrypt -i key.txt secret.txt.age > secret.txt
key.txt contains the private portion of the age key.
3.1 SSH Keys
You can decrypt the SSH-keys-encrypted file by running:
$ age -d -i ~/.ssh/id_ed25519 secret.txt.age > secret.txt
For more information, see the official documentation on age.