The age command-line utility
The command-line program age is a delightful little utility for encrypting and decrypting files. It is also packaged and made available for the major Linux distributions.
It has a simple-to-understand, Unix-like interface, serving as an alternative to the cumbersome GnuPG program. As a bonus, it even works with SSH key-pairs that one might already have “lying around”.
Regarding implementation, it relies on the Go programming language standard library for its cryptography primitives. Additionally, one of the co-creators of age is the former Go Security lead, Filippo Valsorda, a bona fide cryptography engineer.
How to use
Encrypting against an SSH public key is fairly simple. It can even support multiple recipients for a single encrypted file.
$ echo "Hello world!" > my-message.txt
$ age -R ~/.ssh/id_ed25519.pub my-message.txt > my-message.txt.age
The encrypted file is not substantially larger than the original, though it carries some overhead. In the case presented, it is still smaller than 4 KB, so it takes the same space on disk as the unencrypted file.
The binary contents of the encrypted file are shown below:
$ xxd my-message.txt.age
00000000: 6167 652d 656e 6372 7970 7469 6f6e 2e6f age-encryption.o
00000010: 7267 2f76 310a 2d3e 2073 7368 2d65 6432 rg/v1.-> ssh-ed2
00000020: 3535 3139 2053 6d32 6b33 7720 4230 4d67 5519 Sm2k3w B0Mg
00000030: 344f 3549 5347 3750 6d43 452f 4343 6334 4O5ISG7PmCE/CCc4
00000040: 556a 4f43 3155 716a 336f 6d63 3073 6445 UjOC1Uqj3omc0sdE
00000050: 514c 3455 3577 380a 7647 4a52 5a69 5772 QL4U5w8.vGJRZiWr
00000060: 6c70 6162 4d33 4864 3737 5970 3457 6847 lpabM3Hd77Yp4WhG
00000070: 352f 3843 3564 384e 3079 5345 5765 397a 5/8C5d8N0ySEWe9z
00000080: 4a75 490a 2d2d 2d20 7066 3778 765a 4448 JuI.--- pf7xvZDH
00000090: 436a 6855 4d4e 6263 562f 4a44 4735 572f CjhUMNbcV/JDG5W/
000000a0: 7933 334a 2b52 3864 4271 2b52 2b6b 646b y33J+R8dBq+R+kdk
000000b0: 5841 340a d95e 0b37 2829 9ec8 76d8 9425 XA4..^.7()..v..%
000000c0: e641 35b5 64f7 5db5 eb3b 9e74 1b38 26a9 .A5.d.]..;.t.8&.
000000d0: a606 051b e217 4d2d 33d7 54be 337b 2a71 ......M-3.T.3{*q
000000e0: 8e .
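The dump is easier to read once it is split into its parts. The Python below is an added example, not code from the original post or from the age project: it parses the exact bytes shown above into the recipient stanza, the header MAC and the binary payload, then works out how much of the file is overhead. The function names are my own; the framing constants (unpadded base64, body lines wrapped at 64 columns, a 16-byte payload nonce, 64 KiB chunks each carrying a 16-byte tag) are taken from the age v1 format.

```python
import base64

# Bytes of my-message.txt.age, transcribed from the xxd dump on this page.
SAMPLE = (
    b"age-encryption.org/v1\n"
    b"-> ssh-ed25519 Sm2k3w B0Mg4O5ISG7PmCE/CCc4UjOC1Uqj3omc0sdEQL4U5w8\n"
    b"vGJRZiWrlpabM3Hd77Yp4WhG5/8C5d8N0ySEWe9zJuI\n"
    b"--- pf7xvZDHCjhUMNbcV/JDG5W/y33J+R8dBq+R+kdkXA4\n"
) + bytes.fromhex(
    "d95e0b3728299ec876d89425e64135b564f75db5eb3b9e741b3826a9"
    "a606051be2174d2d33d754be337b2a718e"
)
NONCE_LEN, TAG_LEN, CHUNK = 16, 16, 64 * 1024  # age v1 payload framing

def b64(text):
    """Decode age's unpadded standard base64."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)

def parse_age(data):
    """Split an age v1 file into recipient stanzas, header MAC and payload."""
    pos, stanzas, mac = 0, [], None

    def next_line():
        nonlocal pos
        end = data.index(b"\n", pos)  # ValueError if the header is truncated
        line, pos = data[pos:end].decode("ascii"), end + 1
        return line

    if next_line() != "age-encryption.org/v1":
        raise ValueError("not an age v1 file")
    while mac is None:
        line = next_line()
        if line.startswith("--- "):
            mac = b64(line[4:])  # HMAC over the header, 32 bytes
        elif line.startswith("-> "):
            kind, *args = line[3:].split(" ")
            body, part = "", next_line()
            while len(part) == 64:  # body wraps at 64 columns; a short line ends it
                body, part = body + part, next_line()
            stanzas.append({"type": kind, "args": args, "body": b64(body + part)})
        else:
            raise ValueError("unexpected header line: %r" % line)
    return {"stanzas": stanzas, "mac": mac, "header_len": pos, "payload": data[pos:]}

def plaintext_len(payload):
    """Plaintext size implied by the payload: nonce, then 64 KiB chunks + tag each."""
    body = len(payload) - NONCE_LEN
    chunks = -(-body // (CHUNK + TAG_LEN))  # ceiling division
    return body - chunks * TAG_LEN
```

For this file the header ends at offset 0xb4 (180 bytes) and the payload is 45 bytes, which leaves 13 bytes of plaintext: "Hello world!" plus the newline added by echo. Each extra recipient adds another "->" stanza to the header, while the payload stays the same.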
The decryption step is similarly simple, requiring, of course, the matching SSH private key:
$ age -d -i ~/.ssh/id_ed25519 my-message.txt.age
Hello world!
Since the output and input can be easily piped to and from STDOUT/STDIN, age works well as a building block for more complex scripts.
An interesting application would be implementing something similar to the GNU pass program, allowing me to push passwords in encrypted form to a git repository and then fetch these encrypted blobs from my other machines without needing to trust that my git hosting provider will keep repository contents truly private.