  • Language: Rust
  • License: Apache License 2.0
  • Created about 5 years ago
  • Updated 27 days ago

Repository Details

A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.

rage: Rust implementation of age

rage is a simple, modern, and secure file encryption tool, using the age format. It features small explicit keys, no config options, and UNIX-style composability.

The format specification is at age-encryption.org/v1. age was designed by @Benjojo12 and @FiloSottile.

The reference interoperable Go implementation is available at filippo.io/age.

Installation

Environment                  CLI command
Cargo (Rust 1.59+)           cargo install rage
Homebrew (macOS or Linux)    brew tap str4d.xyz/rage https://str4d.xyz/rage
                             brew install rage
openSUSE Tumbleweed          zypper install rage-encryption

On Windows, Linux, and macOS, you can use the pre-built binaries.

Help from new packagers is very welcome.

Usage

Usage:
  rage [--encrypt] -r RECIPIENT [-i IDENTITY] [-a] [-o OUTPUT] [INPUT]
  rage --decrypt [-i IDENTITY] [-o OUTPUT] [INPUT]

Positional arguments:
  INPUT                       Path to a file to read from.

Optional arguments:
  -h, --help                  Print this help message and exit.
  -V, --version               Print version info and exit.
  -e, --encrypt               Encrypt the input (the default).
  -d, --decrypt               Decrypt the input.
  -p, --passphrase            Encrypt with a passphrase instead of recipients.
  --max-work-factor WF        Maximum work factor to allow for passphrase decryption.
  -a, --armor                 Encrypt to a PEM encoded format.
  -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. May be repeated.
  -R, --recipients-file PATH  Encrypt to the recipients listed at PATH. May be repeated.
  -i, --identity IDENTITY     Use the identity file at IDENTITY. May be repeated.
  -j PLUGIN-NAME              Use age-plugin-PLUGIN-NAME in its default mode as an identity.
  -o, --output OUTPUT         Write the result to the file at path OUTPUT.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

RECIPIENT can be:
- An age public key, as generated by rage-keygen ("age1...").
- An SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

PATH is a path to a file containing age recipients, one per line
(ignoring "#" prefixed comments and empty lines).

IDENTITY is a path to a file with age identities, one per line
(ignoring "#" prefixed comments and empty lines), or to an SSH key file.
Passphrase-encrypted age identity files can be used as identity files.
Multiple identities may be provided, and any unused ones will be ignored.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
    -r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ rage -R recipients.txt example.jpg > example.jpg.age
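
A pre-flight check for a recipients file, shown as an added example (not rage's own parser, and not code from the project). It applies the rules above (one recipient per line, "#" comments and empty lines ignored) and flags private identities, duplicates, and unrecognised lines. The names `classify` and `lint` are hypothetical, and the check assumes age identities start with `AGE-SECRET-KEY-`.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
pub enum Kind { Skipped, AgeKey, SshKey, SecretKey, Unknown }

/// Classify one line by prefix and character set only (no Bech32 checksum, no SSH decoding).
pub fn classify(line: &str) -> Kind {
    let l = line.trim_end();
    if l.is_empty() || l.starts_with('#') {
        Kind::Skipped
    } else if l.starts_with("AGE-SECRET-KEY-") {
        Kind::SecretKey // a private identity; it must never sit in a recipients file
    } else if l.starts_with("age1")
        && l.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit())
    {
        Kind::AgeKey
    } else if l.starts_with("ssh-ed25519 AAAA") || l.starts_with("ssh-rsa AAAA") {
        Kind::SshKey
    } else {
        Kind::Unknown
    }
}

/// Returns the number of distinct usable recipients and a list of findings.
pub fn lint(text: &str) -> (usize, Vec<String>) {
    let (mut seen, mut findings) = (HashSet::new(), Vec::new());
    for (i, line) in text.lines().enumerate() {
        let n = i + 1;
        match classify(line) {
            Kind::Skipped => {}
            Kind::AgeKey | Kind::SshKey => {
                if !seen.insert(line.trim_end()) {
                    findings.push(format!("line {}: duplicate recipient", n));
                }
            }
            Kind::SecretKey => findings.push(format!("line {}: secret identity present", n)),
            Kind::Unknown => findings.push(format!("line {}: not a recognised recipient", n)),
        }
    }
    (seen.len(), findings)
}

fn main() {
    // Constructed input: one key from the README plus a placeholder secret line.
    let text = "# Alice\nage1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p\n\
                AGE-SECRET-KEY-1PLACEHOLDER\n";
    let (ok, findings) = lint(text);
    println!("{} usable recipient(s); findings: {:?}", ok, findings);
}
```

A clean result here does not replace rage's own validation; it only catches the mistakes listed before the file is used with -R.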

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default rage will automatically generate a secure passphrase.

$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
    kiwi-general-undo-bubble-dwarf-dizzy-fame-side-sunset-sibling
$ rage -d example.png.age >example.png
Type passphrase: [hidden]

If a binary named pinentry is available in $PATH, it will be used to ask the user for a passphrase. The PINENTRY_PROGRAM environment variable can be used to set the binary name or path to use. If a pinentry binary is not available, or PINENTRY_PROGRAM is set to the empty string, rage will fall back to the CLI instead.

Passphrase-protected identity files

If an identity file passed to -i/--identity is a passphrase-encrypted age file, it will be automatically decrypted.

$ rage -p -o key.age <(rage-keygen)
Public key: age1pymw5hyr39qyuc950tget63aq8vfd52dclj8x7xhm08g6ad86dkserumnz
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
    flash-bean-celery-network-curious-flower-salt-amateur-fence-giant
$ rage -r age1pymw5hyr39qyuc950tget63aq8vfd52dclj8x7xhm08g6ad86dkserumnz secrets.txt > secrets.txt.age
$ rage -d -i key.age secrets.txt.age > secrets.txt
Type passphrase: [hidden]

Passphrase-protected identity files are not necessary for most use cases, where access to the encrypted identity file implies access to the whole system. However, they can be useful if the identity file is stored remotely.

SSH keys

As a convenience feature, rage also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ rage -R ~/.ssh/id_ed25519.pub example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.
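
To see which encrypted files carry such a tag, the header can be inspected without any key. The following is an added example, not code from rage or the age crate. It assumes the age v1 header layout (a version line, `-> TYPE ARGS...` stanza lines, and a closing `---` MAC line) and that the first argument of an `ssh-rsa` or `ssh-ed25519` stanza is the key tag. The function names are hypothetical.

```rust
#[derive(Debug, PartialEq)]
pub struct Stanza {
    pub kind: String,
    /// Key tag stored in the clear; present only for ssh-rsa / ssh-ed25519 stanzas.
    pub ssh_tag: Option<String>,
}

/// Parse the text header of a binary (non-armored) age file and list its
/// recipient stanzas. The encrypted payload after the "---" line is never read.
pub fn recipient_stanzas(file: &[u8]) -> Result<Vec<Stanza>, String> {
    let mut lines = file.split(|&b| b == b'\n');
    if lines.next() != Some(&b"age-encryption.org/v1"[..]) {
        return Err("not an age v1 header (armored input must be decoded first)".into());
    }
    let mut stanzas = Vec::new();
    for raw in lines {
        let line = std::str::from_utf8(raw).map_err(|_| "non-UTF-8 header line")?;
        if line.starts_with("---") {
            return Ok(stanzas); // header MAC line: end of header
        }
        if let Some(rest) = line.strip_prefix("-> ") {
            let mut args = rest.split(' ');
            let kind = args.next().unwrap_or_default().to_string();
            // Assumed layout: in SSH stanzas the first argument is the key tag.
            let ssh_tag = if kind.starts_with("ssh-") { args.next().map(String::from) } else { None };
            stanzas.push(Stanza { kind, ssh_tag });
        }
    }
    Err("header has no closing MAC line".into())
}

/// Tags that would let an observer link this file to specific SSH public keys.
pub fn linkable_tags(file: &[u8]) -> Result<Vec<String>, String> {
    Ok(recipient_stanzas(file)?.into_iter().filter_map(|s| s.ssh_tag).collect())
}

fn main() {
    // Constructed header: all values are placeholders, not real key material.
    let file = b"age-encryption.org/v1\n-> X25519 PLACEHOLDERshare\nPLACEHOLDERbody\n\
                 -> ssh-ed25519 TAG001 PLACEHOLDERshare\nPLACEHOLDERbody\n--- PLACEHOLDERmac\n\xff\x00";
    println!("{:?}", linkable_tags(file));
}
```

Two files that report the same tag were encrypted to the same SSH public key; files encrypted only to native age recipients report no tags.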

Feature flags

When building with Cargo, you can configure rage using --no-default-features and --features comma,separated,flags to enable or disable the following feature flags:

  • mount enables the rage-mount tool, which can mount age-encrypted TAR or ZIP archives as read-only. It is currently only usable on Unix systems, as it relies on libfuse.

  • ssh (enabled by default) enables support for reusing existing SSH key files for age encryption.

  • unstable enables in-development functionality. Anything behind this feature flag has no stability or interoperability guarantees.

Rust Library

Applications wishing to use rage as a library should use the age crate, which rage is built on top of.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
