Age: Simple, Modern, and Secure File Encryption Tool
Useful links
- Github: github.com/FiloSottile/age
- Documentation for age: filippo.io/age/age.1
- Documentation for age-keygen: filippo.io/age/age-keygen.1
Overview
Age (Actually Good Encryption) was designed by @Benjojo12 and @FiloSottile as a replacement for file encryption tools like GPG, using modern algorithms.
If you have used PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) before, you will have noticed that these tools have a few drawbacks, such as:
- long public keys
- complicated usage - GPG does not only file encryption, but also signing, key management, etc.
- potential security vulnerabilities due to its age - e.g. lack of forward secrecy
Age solves most of these drawbacks of GPG and I recommend using age over PGP/GPG for file encryption if possible. It features small explicit keys, no config options, and UNIX-style composability.
How is “age” pronounced?
The authors pronounce it “aɡe̞”, like the Italian “aghe”.
Key points
- age is made up of 2 components: age-keygen, which is responsible for public-private key generation, and age itself, which is the main tool for encrypting & decrypting files.
- age supports different forms of encryption:
  - passphrase protection (interactive) - use a passphrase to encrypt and decrypt files.
  - asymmetric encryption (aka public-key cryptography) - specify one or more recipients’ public keys during encryption. Every recipient will be able to decrypt the file using their individual private key.
  - By combining the features above, a user also has the option to use a passphrase-encrypted key for encryption & decryption.
- Another convenient feature age also supports is encrypting to ssh-rsa public keys. This provides users the flexibility and compatibility to work with websites such as Github which don’t support age native keys at the moment.
  - For example, anyone could encrypt a file using my ssh public key at https://github.com/yaeba.keys and trust that only I will be able to decrypt it using the private key.
Installation
The most universal way to install age is to download the latest binary/executable from Github releases and move it to somewhere on your PATH.
For me I used the following commands
▶ curl -Ls https://github.com/FiloSottile/age/releases/download/v1.0.0/age-v1.0.0-linux-arm.tar.gz | tar zxf - -C /tmp
▶ sudo mv /tmp/age/age* /usr/local/bin
▶ age --version
v1.0.0
▶ age-keygen --version
v1.0.0
Usage
- Generate an age identity file (public-private key pair)
  ▶ age-keygen -o key.txt
  Public key: age108h70qwx39k5h5x6l9hg566nwm5652lzvamre8vep2e3plsn44uqgy8gla
- You can also generate a passphrase-protected identity file
  ▶ age-keygen | age -p > key.age
  Public key: age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5
  Enter passphrase (leave empty to autogenerate a secure one):
- To encrypt a file to the public key of an age identity file
  ▶ age -e \
      -r age108h70qwx39k5h5x6l9hg566nwm5652lzvamre8vep2e3plsn44uqgy8gla \
      file.jpg > file.jpg.age
  Note that you can repeat -r <public-key> to add multiple recipients who can decrypt the file.
  Alternatively, to encrypt a file using a passphrase
  ▶ age -e -p file.jpg > file.jpg.age
  Enter passphrase (leave empty to autogenerate a secure one):
- To decrypt a file using an age identity file
  ▶ age -d -i key.txt file.jpg.age > file.jpg
  Passphrase-protected identity files are automatically detected at decrypt time, and the user will be automatically prompted for the passphrase.
  Similarly, to decrypt a file using a passphrase, simply input the passphrase when prompted
  ▶ age -d file.jpg.age > file.jpg
  Enter passphrase:
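
An added example, not from the original post or from the age project's code, that goes one step beyond the commands above: a binary age v1 file starts with a plaintext header holding one "-> type ..." stanza per recipient, so the header alone shows whether a file was encrypted to a passphrase or to public keys, and to how many. The function names are hypothetical, and the sample headers with their base64-looking fields are constructed placeholders.

```python
# Added example: read the plaintext header of an age v1 file.
# Sample data below is constructed; the base64-looking fields are placeholders.
AGE_V1 = b"age-encryption.org/v1"

def recipient_stanzas(data: bytes) -> list:
    """Return the stanza type of each recipient listed in an age v1 header."""
    head, sep, rest = data.partition(b"\n")
    if head != AGE_V1 or not sep:
        raise ValueError("not a binary age v1 file (de-armor PEM-style files first)")
    types = []
    while rest:
        line, _, rest = rest.partition(b"\n")
        if line.startswith(b"--- "):          # header MAC line: payload follows
            return types
        if line.startswith(b"-> "):           # one stanza per recipient
            fields = line.decode("ascii").split(" ")
            if not fields[1]:
                raise ValueError("stanza without a type")
            types.append(fields[1])
        # any other line is a base64 stanza body (the wrapped file key)
    raise ValueError("truncated header: MAC line not found")

def describe(data: bytes) -> str:
    """Summarise how a file can be decrypted, judging by its header only."""
    types = recipient_stanzas(data)
    if types == ["scrypt"]:                   # scrypt must be the only stanza
        return "passphrase-encrypted"
    if not types or "scrypt" in types:
        raise ValueError("malformed header")
    return "%d recipient(s): %s" % (len(types), ", ".join(types))

TWO_RECIPIENTS = (                            # constructed: age -e -r ... -r ...
    b"age-encryption.org/v1\n"
    b"-> X25519 CONSTRUCTEDephemeralShareAAAAAAAAAAAAAAAAAA\n"
    b"CONSTRUCTEDwrappedFileKeyAAAAAAAAAAAAAAAAAAA\n"
    b"-> ssh-rsa CONSTag\n"
    b"CONSTRUCTEDrsaOaepCiphertextLine1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"CONSTRUCTEDline2\n"
    b"--- CONSTRUCTEDheaderMacAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"\x00\x01binary payload (constructed)"
)
PASSPHRASE = (                                # constructed: age -e -p
    b"age-encryption.org/v1\n"
    b"-> scrypt CONSTRUCTEDsaltAAAAAAAA 18\n"
    b"CONSTRUCTEDwrappedFileKeyAAAAAAAAAAAAAAAAAAA\n"
    b"--- CONSTRUCTEDheaderMacAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"\x00\x01binary payload (constructed)"
)

if __name__ == "__main__":
    print(describe(TWO_RECIPIENTS))
    print(describe(PASSPHRASE))
```

The header is readable without any key, so the number and kind of recipients of an age file are visible to anyone who holds the file.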