• Stars
    star
    16,957
  • Rank 1,625 (Top 0.04 %)
  • Language
    Go
  • License
    BSD 3-Clause "New...
  • Created over 5 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

The age logo, a wireframe of St. Peters dome in Rome, with the text: age, file encryption

Go Reference man page C2SP specification

age is a simple, modern and secure file encryption tool, format, and Go library.

It features small explicit keys, no config options, and UNIX-style composability.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz

📜 The format specification is at age-encryption.org/v1. age was designed by @Benjojo12 and @FiloSottile.

📬 Follow the maintenance of this project by subscribing to Maintainer Dispatches!

🦀 An alternative interoperable Rust implementation is available at github.com/str4d/rage.

🔑 Hardware PIV tokens such as YubiKeys are supported through the age-plugin-yubikey plugin.

✨ For more plugins, implementations, tools, and integrations, check out the awesome age list.

💬 The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.

Installation

Homebrew (macOS or Linux) brew install age
MacPorts port install age
Alpine Linux v3.15+ apk add age
Arch Linux pacman -S age
Debian 12+ (Bookworm) apt install age
Debian 11 (Bullseye) apt install age/bullseye-backports (enable backports for age v1.0.0+)
Fedora 33+ dnf install age
Gentoo Linux emerge app-crypt/age
NixOS / Nix nix-env -i age
openSUSE Tumbleweed zypper install age
Ubuntu 22.04+ apt install age
Void Linux xbps-install age
FreeBSD pkg install age (security/age)
OpenBSD 6.7+ pkg_add age (security/age)
Chocolatey (Windows) choco install age.portable
Scoop (Windows) scoop bucket add extras; scoop install age

On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries.

https://dl.filippo.io/age/latest?for=linux/amd64
https://dl.filippo.io/age/v1.1.1?for=darwin/arm64
...

If your system has a supported version of Go, you can build from source.

go install filippo.io/age/cmd/...@latest

Help from new packagers is very welcome.

Usage

For the full documentation, read the age(1) man page.

Usage:
    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -e, --encrypt               Encrypt the input to the output. Default if omitted.
    -d, --decrypt               Decrypt the input to the output.
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.
If OUTPUT exists, it will be overwritten.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Passphrase encrypted age files can be used as
identity files. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

When --encrypt is specified explicitly, -i can also be used to encrypt to an
identity file symmetrically, instead or in addition to normal recipients.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age

If the argument to -R (or -i) is -, the file is read from standard input.

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default age will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.

$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:

Passphrase-protected key files

If an identity file passed to -i is a passphrase encrypted age file, it will be automatically decrypted.

$ age-keygen | age -p > key.age
Public key: age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
$ age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age
$ age -d -i key.age secrets.txt.age > secrets.txt
Enter passphrase for identity file "key.age":

Passphrase-protected identity files are not necessary for most use cases, where access to the encrypted identity file implies access to the whole system. However, they can be useful if the identity file is stored remotely.

SSH keys

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.

Encrypting to a GitHub user

Combining SSH key support and -R, you can easily encrypt a file to the SSH keys listed on a GitHub profile.

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can't be used to decrypt files.

More Repositories

1

mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
Go
48,512
star
2

yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
Go
2,644
star
3

Heartbleed

A checker (site and tool) for CVE-2014-0160
Go
2,307
star
4

whoami.filippo.io

A ssh server that knows who you are. $ ssh whoami.filippo.io
Go
2,218
star
5

passage

A fork of password-store (https://www.passwordstore.org) that uses age (https://age-encryption.org) as backend.
Shell
790
star
6

gvt

gvt was a minimal go vendoring tool, based on gb-vendor. Today, you want to use modules instead.
Go
730
star
7

homebrew-musl-cross

Homebrew Formula for static-friendly musl-based GCC macOS-to-Linux cross-compilers
Ruby
558
star
8

captive-browser

A dedicated Chrome instance to log into captive portals without messing with DNS settings.
Go
434
star
9

awesome-age

A collection of projects and resources in the age file encryption ecosystem.
322
star
10

mostly-harmless

A bag of various unrelated projects with varying levels of serviceability and destructiveness.
JavaScript
221
star
11

CVE-2016-2107

Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)
Go
185
star
12

vendorcheck

Check that all your Go dependencies are properly vendored
Go
178
star
13

edwards25519

filippo.io/edwards25519 — A safer, faster, and more powerful low-level edwards25519 Go implementation.
Go
133
star
14

mlkem768

A Go implementation of the quantum-resistant key encapsulation method ML-KEM (formerly known as Kyber).
Go
131
star
15

sunlight

A Certificate Transparency log implementation and monitoring API designed for scalability, ease of operation, and reduced cost.
Go
125
star
16

ed25519-dalek-rustgo

Wrapper for curve25519-dalek using rustgo, a technique to directly call Rust code from Go programs with near-zero overhead, meant to replace manually written assembly.
Go
121
star
17

tracetools

Tools to process Go trace logs into various profiles. Complement for "go tool trace".
Go
111
star
18

typage

A TypeScript implementation of the age file encryption format, based on libsodium.
TypeScript
97
star
19

zcash-mini

A minimal portable Zcash z-address generator for offline / paper wallets
Go
96
star
20

BERserk

A Go implementation of the BERserk attack against Mozilla NSS ASN.1 parsing of PKCS#1 RSA signatures with e = 3. Complete of a certificate generation tool, works with CAs in the trust store.
Go
94
star
21

hstools

Library and tools to interact with and analyze Tor HSDirs.
Go
72
star
22

homebrew-gomod

A brew command to cleanly install binaries from Go modules.
Shell
68
star
23

blockchainr

Exploiting ECDSA Failures in the Bitcoin Blockchain
Go
61
star
24

openbsd-fde-crack

Some code to bruteforce OpenBSD softraid encrypted drives - NOT A READY-TO-USE TOOL
Go
57
star
25

intermediates

Package filippo.io/intermediates embeds a bundle of known unexpired, unrevoked intermediate certificates chaining to roots in the Mozilla Root Program
Go
55
star
26

travis-cron

This web app allows you to trigger Travis CI builds periodically
Python
55
star
27

gorebuild

Extract the import path of Go binaries and rebuild them. No more stale GOROOT.
Go
54
star
28

nistec

NIST P elliptic curves (re-exported from crypto/internal/nistec)
Assembly
47
star
29

otherport

LD_PRELOAD hack to redirect connections to other ports
C
42
star
30

powersoftau

An independent implementation of the Powers of Tau MPC ceremony.
Go
33
star
31

HNTitles

Tweet probabilistically generated HN post titles.
Python
29
star
32

go-cpace-ristretto255

An EXPERIMENTAL Go implementation of the CPace PAKE, instantiated with the ristretto255 group.
Go
28
star
33

alum

A forwarding mail server inspired by @alum.mit.edu
Go
18
star
34

xaes256gcm

Package xaes256gcm implements the XAES-256-GCM extended-nonce AEAD.
Go
18
star
35

FiloSottile

18
star
36

keygen

Deterministic key generation for Go.
Go
17
star
37

axel

Axel Download Accelerator [git mirror]
C
15
star
38

b2

Efficient, idiomatic Go library for Backblaze B2 Cloud Storage.
Go
13
star
39

bigmod

A constant-time library for big integers modulo a prime, usable for cryptographic applications. Exported from crypto/internal/bigmod, the backend of crypto/rsa and crypto/ecdsa.
Go
13
star
40

crypto.py

A collection of pure Python crypto implementations. All modules are standalone. Available in Python 2 and Python 3 flavors!
Python
10
star
41

litetlog

A collection of liteweight transparency logging tools, compatible with the Sigsum and Omniwitness ecosystems.
Go
8
star
42

Pendolo-OpenCV

C++
6
star
43

Griffith

Media collection manager [MIRROR]
Python
5
star
44

blog.filippo.io

blog.filippo.io theme. Slightly tweaked 0.9.4 Casper. Pretty please, don't just clone it <3
CSS
4
star
45

homebrew-lite

Modified homebrew-core formula with fewer dependencies.
Ruby
3
star
46

torspec

Forked from git.torproject.org/torspec.git
Python
2
star
47

.github

2
star
48

hs-api-playground

Playground for the Hacker School API
Python
1
star
49

WPA-hazard

Deep into the default WPA generation algorithms
C
1
star
50

homebrew-age

1
star
51

filosottile.github.io

An empty repository for redirecting filosottile.github.io to filippo.io (https://github.com/FiloSottile/filippo.io).
1
star
52

crypto-tls-bogo-shim

A shim to test Go crypto/tls with the BoringSSL test suite. Which is based on crypto/tls. So meta.
Go
1
star