0. Intro

In the previous posts Part 1, Part 2, Part 3 we saw how to encrypt and decrypt files directories and messages with GPG and OpenSSL. In this article we’ll see how to encrypt and decrypt them with Age.

We should avoid using PGP (therefore GPG), since there are a lot problems with this old, dusty tool and it needs to go away. For a detailed information please look at this article: The PGP Problem

As an modern alternative, age is a simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Age creates it’s asymmetric public&private key pair. And as typical, it uses public version to encrypt and private version to decrypt the file, directories, messages.

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file.

1. Installation

First let’s install age.

# MacOS
$ brew install age
# Ubuntu 22.04+
$ sudo apt install age

For other platforms: Age installation

1.0 Creating Age Keys

In order to create public&private keypair, run below command:

$ age-keygen -o key.txt
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk

If you look into the content of the key.txt file you will see:

$ cat key.txt

# created: 2022-12-04T18:34:36+03:00
# public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk

As usual, you should keep your private key hidden.

You can encrypt this file afterwards or you can create encrypted key file in the first place.

$ age-keygen | age -p > key.age
Public key: age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".

2. Encryption

2.0 Encryption with Age Keys

You can encrypt files with an age key like below:

age -o secret.txt.age -r age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk secret.txt

-r flag stands for recipient, and you can also give flag as verbose: --recipient. -o is for output. So we encrypt secret.txt file for the recipient age160p3xkjzyhccn4e0ewwszvzqctl3zy30kh0fqk0kxl6t63w6j4hqxx4zwk as secret.txt.age.

2.0.0 Multiple Recipients

For multiple recipients pass additional -r flag(s):

$ age -o secret.txt.age \
    -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg \

2.0.1 Recipients file

You can use a recipient file for multiple recipients:

$ cat recipients.txt
# Alice
# Bob

$ age -R recipients.txt secret.txt > secret.txt.age

2.1 Encryption with SSH Keys

As mentioned before, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. To encrypt:

$ age -R ~/.ssh/id_ed25519.pub secret.txt > secret.txt.age

2.1.0 Encrypting to a GitHub user

Combining SSH key support and -R flg, you can encrypt a file to the SSH keys listed on a GitHub profile.

$ curl https://github.com/SerhatTeker.keys | age -R - secret.txt > secret.txt.age

Yes, You can fetch everyone’s SSH keys which saved on Github in a url like below:

$ curl https://github.com/UserName.keys

3. Decryption

3.0 Age Keys

If a file encrypted by public portion of age keys, you can decrypt it like below:

$ age --decrypt -i key.txt secret.txt.age > secret.txt

Where keys.txt contains the private portion of the age keys.

3.1 SSH Keys

You can decrypt the SSH-keys-encrypted file by running:

$ age -d -i ~/.ssh/id_ed25519 secret.txt.age > secret.txt

For more information look at the offical documentation on age.

All done!