`age` A Look At Command Usage

age - Simple, modern, and secure file encryption.

SYNOPSIS

    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH | -j PLUGIN]... [-o OUTPUT] [INPUT]

The age tool provides a robust solution for encrypting and decrypting files. It simplifies the encryption process while ensuring strong security through modern cryptographic standards. age primarily focuses on:

  • Encrypting data to specific recipients or using passphrases.

  • Decrypting data based on available private keys or passphrases.

  • Support for both binary and ASCII-armored (Base64-encoded) output.

  • A compact, secure design suitable for integration into diverse environments.

  • RECIPIENTS: Public keys or identities to which a file is encrypted. Each recipient can decrypt the file with their corresponding private key.

  • IDENTITIES: Private keys that allow decryption of files encrypted to corresponding recipients.

  • Passphrase: A user-defined secret key used to encrypt or decrypt data interactively, typically used when specific recipient identities are not available.

Encryption Process:

Files are encrypted using public keys or passphrases. The -r option encrypts the file to specific recipients, whereas the --passphrase option allows encryption using a passphrase. In the absence of these options, age will prompt the user for the necessary inputs interactively.

Decryption Process:

Decryption is automatically handled by age based on the format of the encrypted file. If the file is encrypted with a passphrase, age will request the passphrase interactively. Alternatively, it will use the private key specified by the -i option to decrypt the file.

Binary and ASCII Output:

The default output for age is binary, which is suitable for storage and transmission. However, when using the --armor option, the encrypted file is encoded into a text format that is easy to handle in text-based systems.
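To make the binary/armor distinction concrete, here is an added example (not code from the age project) that builds and strictly parses the ASCII armor and tells the two output forms apart. The "age-encryption.org/v1" header, the BEGIN/END labels and the 64-column wrapping are taken from the age format specification rather than from this page, and the sample bytes are constructed, not real ciphertext.

```python
import base64

# The age v1 binary file starts with this header line. `--armor` wraps the same bytes
# in PEM-style framing: strict (canonical) Base64 in 64-column lines (per the age spec).
AGE_MAGIC = b"age-encryption.org/v1\n"
ARMOR_BEGIN = "-----BEGIN AGE ENCRYPTED FILE-----"
ARMOR_END = "-----END AGE ENCRYPTED FILE-----"

def armor(raw: bytes) -> str:
    """Encode raw age output as ASCII armor, the form `age --armor` writes."""
    body = base64.b64encode(raw).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([ARMOR_BEGIN, *lines, ARMOR_END]) + "\n"

def dearmor(text: str) -> bytes:
    """Strictly parse armor: exact framing, 64-column lines, canonical Base64."""
    lines = text.strip().split("\n")
    if len(lines) < 2 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("missing or malformed armor framing")
    body_lines = lines[1:-1]
    # Every line but the last must be exactly 64 columns; the last may be shorter.
    widths_ok = all(len(l) == 64 for l in body_lines[:-1]) and all(len(l) <= 64 for l in body_lines[-1:])
    if not widths_ok:
        raise ValueError("armor body lines must be 64 columns wide")
    body = "".join(body_lines)
    raw = base64.b64decode(body, validate=True)
    # Canonical check: re-encoding must reproduce the body exactly, so non-zero
    # trailing bits or padding tricks are rejected instead of silently accepted.
    if base64.b64encode(raw).decode("ascii") != body:
        raise ValueError("non-canonical Base64 in armor body")
    return raw

def classify(data: bytes) -> str:
    """Tell binary age output from armored output (or neither) by its leading bytes."""
    if data.startswith(AGE_MAGIC):
        return "binary"
    if data.startswith(ARMOR_BEGIN.encode("ascii")):
        return "armor"
    return "unknown"

def is_valid_armor(text: str) -> bool:
    try:
        return dearmor(text).startswith(AGE_MAGIC)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

# Constructed sample: an age header plus filler bytes standing in for an encrypted body.
SAMPLE = AGE_MAGIC + b"-> X25519 constructed-sample-stanza\n" + bytes(range(48))
```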


OPTIONS

General Options:

  • -o, --output=OUTPUT: Directs the encrypted or decrypted content to the specified OUTPUT file. If OUTPUT already exists, it is overwritten. In the case of encryption without --armor, the tool refuses to output binary to a TTY.

  • --version: Displays the age version and exits.

Encryption Options:

  • -e, --encrypt: Encrypts the input. This is the default mode, so the flag may be omitted.

  • -r, --recipient=RECIPIENT: Encrypts to the recipient's public key, which can be a native X25519 key or an SSH key. This option may be repeated to encrypt for multiple recipients.

  • -R, --recipients-file=PATH: Encrypts for recipients listed in a file, each recipient specified on a new line. Lines starting with # are treated as comments. If PATH is -, recipients are read from standard input.

  • -p, --passphrase: Encrypts the file with a passphrase. The passphrase is requested interactively, and age offers an option to auto-generate a secure passphrase. This mode cannot be combined with other recipient options.

  • --armor: Writes the output in an ASCII "armored" encoding (strict Base64), which is easier to handle in text-based environments.

  • -i, --identity=PATH: Encrypts to the recipients corresponding to the private key(s) in PATH, so a file can be encrypted directly to an identity file.

  • -j PLUGIN: Encrypts using the named plugin, for encryption schemes that age does not implement natively.

Decryption Options:

  • -d, --decrypt: Decrypts the specified INPUT file. If the file is passphrase-encrypted, age detects this from the file and requests the passphrase interactively.

  • -i, --identity=PATH: Specifies the private key file used for decryption. This can be a native age private key, an SSH private key, or a passphrase-protected identity file. The file path can also be - to read from standard input.

  • -j PLUGIN: Decrypts using the named plugin, mirroring its use for encryption. This form is for plugins that need no identity data (a data-less plugin).

Plugins:

age supports plugins that extend its encryption and decryption functionality. A plugin is invoked when encryption or decryption requires a method age does not implement natively; the cryptographic operations performed are defined by the plugin itself.


VARIOUS EXAMPLES

1. Encrypt a file to a recipient using a native X25519 key:

    age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p file.txt > file.txt.age

2. Encrypt a file to multiple recipients:

    age -o file.txt.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
        -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg file.txt

3. Encrypt to recipients listed in a file:

    # Write the recipients file (a here-document, so the following lines go into the file
    # and the age command after it is not swallowed by cat)
    cat > recipients.txt <<'EOF'
    # Alice
    age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
    # Bob
    age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
    EOF

    age -R recipients.txt file.txt > file.txt.age

4. Encrypt and decrypt a file with a passphrase:

    # Encrypt with a passphrase
    age -p secrets.txt > secrets.txt.age
    Enter passphrase (leave empty to autogenerate a secure one):
    Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".

    # Decrypt with the same passphrase
    age -d secrets.txt.age > secrets.txt
    Enter passphrase:

5. Encrypt and decrypt with a passphrase-protected identity file:

    # Generate a passphrase-protected identity file
    age-keygen | age -p > key.age
    Enter passphrase (leave empty to autogenerate a secure one):
    Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".

    # Encrypt using the identity
    age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age

    # Decrypt using the identity file
    age -d -i key.age secrets.txt.age > secrets.txt
    Enter passphrase for identity file "key.age":

EXIT STATUS

  • 0: Encryption or decryption was successful.
  • 1: An error occurred during the operation.

BACKWARDS COMPATIBILITY

Files encrypted with a stable version of age will be compatible with any later version of the tool. When decrypting older files, age might provide a flag to force the operation if the operation poses a security risk.


The age tool is designed with security and simplicity in mind. It uses strong encryption methods to ensure that your files are protected against unauthorized access, with flexibility in how encryption keys are managed and applied.

Age Github Repo

This post and comments are published on Nostr.