age is a simple, modern file encryption tool. It is designed to replace GPG for file encryption with a simpler, safer design. It uses modern cryptography (X25519, ChaCha20-Poly1305, HKDF).
Key Generation
- age-keygen -o key.txt - Generate a new keypair
- age-keygen -y key.txt - Extract public key from keypair
- Public key format: age1...
- Private key format: AGE-SECRET-KEY-1...
Encryption
- age -r age1... -o encrypted.age file.txt - Encrypt with recipient public key
- age -r age1... -r age1... -o encrypted.age file.txt - Encrypt to multiple recipients (without -o or a redirect, age refuses to write binary output to a terminal)
- age -p -o encrypted.age file.txt - Encrypt with passphrase
- cat file.txt | age -r age1... > encrypted.age - Encrypt from stdin
Decryption
- age -d -i key.txt -o decrypted.txt encrypted.age - Decrypt with key file
- age -d encrypted.age - Decrypt with passphrase (prompts)
- age -d -i key.txt encrypted.age - Decrypt to stdout
- cat encrypted.age | age -d -i key.txt - Decrypt from stdin
Options
- -r, --recipient - Recipient public key (can use multiple times)
- -i, --identity - Identity (private key) file
- -o, --output - Output file
- -p, --passphrase - Encrypt with passphrase instead of key
- -d, --decrypt - Decrypt mode
- YubiKey - Not an age flag (-y belongs to age-keygen); decrypt with a YubiKey by passing an age-plugin-yubikey identity file to -i
Common Examples
Generate Keypair
age-keygen -o ~/.age/key.txt
Create a new keypair and save it to a file (the ~/.age directory must already exist).
Encrypt File
age -r age1abc123... -o secret.age secret.txt
Encrypt file to recipient.
Decrypt File
age -d -i ~/.age/key.txt -o secret.txt secret.age
Decrypt file with private key.
Passphrase Encryption
age -p -o backup.age backup.tar.gz
Encrypt with passphrase (no key needed).
Multiple Recipients
age -r age1... -r age1... -o shared.age document.txt
Encrypt so multiple people can decrypt.
Tips
- age is simpler and faster than GPG for file encryption
- Public keys are safe to share (age1... format)
- Keep private keys secure (AGE-SECRET-KEY-1... format)
- Use passphrase mode for quick encryption without key management
- Multiple recipients can decrypt the same file
- Great for encrypting backups, secrets, and sensitive files
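Because both key types carry fixed prefixes (age1... and AGE-SECRET-KEY-1...), a private key that ends up in a repository, log or config file can be found mechanically. The following is an added example, not part of age or of the original page: a Python scanner that locates age keys in text and verifies their Bech32 checksum (age keys are Bech32 strings per the age format specification) to separate well-formed keys from lookalikes. The function names and the sample text are assumptions constructed for illustration.

```python
import re

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 alphabet (BIP 173)
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
# 58 characters after the "1" = 52 for the 32-byte key + 6 checksum characters
KEY_RE = re.compile(r"\b(?:AGE-SECRET-KEY-1[A-Z0-9]{58}|age1[a-z0-9]{58})\b")

def polymod(values):
    """Bech32 checksum polynomial over 5-bit values."""
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            chk ^= GEN[i] if (top >> i) & 1 else 0
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def encode(hrp, payload):
    """Bech32-encode bytes; used here only to build constructed sample keys."""
    acc = int.from_bytes(payload, "big") << (-len(payload) * 8 % 5)
    n = (len(payload) * 8 + 4) // 5
    data = [(acc >> 5 * (n - 1 - i)) & 31 for i in range(n)]
    mod = polymod(hrp_expand(hrp) + data + [0] * 6) ^ 1
    data += [(mod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def checksum_ok(token):
    """True if token is single-case Bech32 with a valid checksum."""
    hrp, _, body = token.lower().rpartition("1")
    bad = token not in (token.lower(), token.upper()) or not hrp
    if bad or set(body) - set(CHARSET):
        return False
    return polymod(hrp_expand(hrp) + [CHARSET.index(c) for c in body]) == 1

def scan(text):
    """Return (line_no, kind, checksum_valid) for each age key found in text."""
    return [(no, "private" if m.group().startswith("AGE") else "public",
             checksum_ok(m.group()))
            for no, line in enumerate(text.splitlines(), 1)
            for m in KEY_RE.finditer(line)]

def demo():
    """Scan constructed text; keys are built from fixed bytes, not real keys."""
    secret = encode("age-secret-key-", bytes(range(32))).upper()
    public = encode("age", bytes(range(32, 64)))
    forged = secret[:-1] + ("Q" if secret[-1] != "Q" else "P")
    return scan(f"recipient: {public}\n{secret}\nbackup_key={forged}\n")
```

A hit with kind "private" and a valid checksum is a well-formed age identity and should be treated as exposed key material; a failed checksum points to a truncated, mistyped or placeholder string.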