Today, I’d like to introduce you to an easy-to-use encryption tool called Age, which offers security with ‘explicit’ keys and requires no configuration. Age is also available as a Go library.
To install it on macOS:
brew install age
To install it on Ubuntu:
apt install age
To install it on Windows using Scoop:
scoop bucket add extras
scoop install age
Binaries for Windows, Linux, macOS, and FreeBSD are also available on the GitHub page.
To generate a new encryption key, you can use the following command:
age-keygen -o key.txt
This will store the key in key.txt. You can then use it to encrypt a file like this:
age --encrypt -i key.txt -o encrypted_file.age original_file.txt
Alternatively, you can encrypt files resulting from a command, such as creating a tar archive:
tar cvz ~/data | age -r recipient_key1 -r recipient_key2 > data.tar.gz.age
To decrypt a file:
age --decrypt -i key.txt encrypted_file.age > decrypted_file.txt
You can also specify multiple keys for all your recipients:
age -o example.jpg.age -r recipient_key1 -r recipient_key2 example.jpg
If you wish to encrypt with a passphrase instead of a key:
age -p file.txt > file.txt.age
The tool will then prompt you to enter a passphrase or generate one for you.
Age operates without private keys; it uses a single (public) key for both encryption and decryption. Rest assured, Age also supports encryption using SSH public keys (ssh-rsa and ssh-ed25519), with decryption performed using the corresponding private key:
To encrypt using an SSH public key:
age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
To decrypt using an SSH private key:
age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg
However, be cautious as support for SSH keys involves more complex cryptography and embeds a public key tag in the encrypted file, potentially allowing tracking of files encrypted with that specific key.
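The tracking caveat above, made concrete as an added example (not code from the original post or from the age project). It assumes the binary, non-armored age header layout, in which each recipient is a line starting with "-> " and the first argument of an SSH stanza is a tag: the first 4 bytes of SHA-256 over the SSH public key. sample_pub and sample_file are hypothetical helpers that build constructed inputs.

```python
import base64
import hashlib


def ssh_key_tag(pubkey_line):
    """First 4 bytes of SHA-256 over the wire-format key (the base64 field
    of the .pub line), as unpadded base64: the tag of an SSH stanza."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).decode().rstrip("=")


def recipient_stanzas(data):
    """Return [type, arg, ...] for each recipient stanza of a binary age file."""
    lines = data.split(b"\n")
    if lines[0] != b"age-encryption.org/v1":
        raise ValueError("not a binary age v1 file")
    stanzas = []
    for line in lines[1:]:
        if line.startswith(b"---"):  # header MAC line: the header ends here
            return stanzas
        if line.startswith(b"-> "):
            stanzas.append(line[3:].decode("ascii").split(" "))
    raise ValueError("truncated header: no MAC line")


def linked_to_key(data, pubkey_line):
    """True if the header holds an SSH stanza tagged for this public key."""
    tag = ssh_key_tag(pubkey_line)
    return any(s[0] in ("ssh-ed25519", "ssh-rsa") and s[1:2] == [tag]
               for s in recipient_stanzas(data))


def sample_pub(fill):
    # Constructed key material, not a real key. SSH wire format:
    # string "ssh-ed25519" followed by string <32-byte public key>.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


def sample_file(stanza):
    # Constructed header: "A" * 43 stands in for each 32-byte base64 field.
    text = f"age-encryption.org/v1\n-> {stanza}\n{'A' * 43}\n--- {'A' * 43}\n"
    return text.encode() + b"\x00constructed payload"


if __name__ == "__main__":
    mine, other = sample_pub(1), sample_pub(2)
    ssh_file = sample_file(f"ssh-ed25519 {ssh_key_tag(mine)} {'A' * 43}")
    print([linked_to_key(ssh_file, key) for key in (mine, other)])
```

An X25519 stanza, written for a native age1... recipient, carries only an ephemeral share and no key tag, so this check finds nothing to match in such a header.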
For those interested, there is also a Rust implementation available here.
Additionally, a plugin is available for those who want to use their YubiKey with Age. You can explore it here.