# age — Simple, Modern File Encryption

> Practical guide to age — simple, modern file encryption with X25519 keys, passphrases and SSH keys as a lean GPG alternative.

Source: https://www.jpkc.com/db/en/cheatsheets/security/age/

age is a deliberately simple, modern file-encryption tool by Filippo Valsorda – built as a lean alternative to GPG when all you need is to encrypt files securely. Instead of a sprawling configuration, you work with compact X25519 key pairs or a single passphrase, and you can optionally reuse existing SSH keys as recipients. The two commands `age` and `age-keygen` cover the whole workflow – encrypt, decrypt, generate keys – with no keyring to manage. This guide walks you through the commands you reach for daily, from generating a key pair to building an encrypted backup archive.

## Key Generation

`age-keygen` — Generate a new key pair (prints to stdout).

```bash
age-keygen
```

`age-keygen -o <file>` — Generate a key pair and save to a file.

```bash
age-keygen -o key.txt
```

`age-keygen -y <key-file>` — Extract the public key from a private key file.

```bash
age-keygen -y key.txt
```

## Encrypt with Recipient Keys

`age -r <public-key> -o <output> <input>` — Encrypt a file for a recipient's public key.

```bash
age -r age1abc123... -o secret.txt.age secret.txt
```

`age -r <key1> -r <key2> -o <output> <input>` — Encrypt for multiple recipients.

```bash
age -r age1abc... -r age1xyz... -o secret.txt.age secret.txt
```

`age -R <recipients-file> -o <output> <input>` — Encrypt using a file of recipient public keys (one per line).

```bash
age -R team-keys.txt -o secret.txt.age secret.txt
```

`age -r <public-key> < <input> > <output>` — Encrypt using stdin/stdout (piping).

```bash
tar czf - secrets/ | age -r age1abc... > secrets.tar.gz.age
```

## Encrypt with Passphrase

`age -p -o <output> <input>` — Encrypt with a passphrase (prompts for input).

```bash
age -p -o backup.tar.gz.age backup.tar.gz
```

`age -p < <input> > <output>` — Passphrase encryption with piping.

```bash
cat secret.txt | age -p > secret.txt.age
```

## Decrypt

`age -d -i <identity> -o <output> <input>` — Decrypt using an identity (private key) file.

```bash
age -d -i key.txt -o secret.txt secret.txt.age
```

`age -d -i <identity> < <input> > <output>` — Decrypt with piping.

```bash
age -d -i key.txt < secrets.tar.gz.age | tar xzf -
```

`age -d -o <output> <input>` — Decrypt a passphrase-encrypted file (prompts for passphrase).

```bash
age -d -o backup.tar.gz backup.tar.gz.age
```

`age -d -i <key1> -i <key2> <input>` — Try multiple identity files for decryption.

```bash
age -d -i personal.key -i work.key secret.txt.age
```

## SSH Key Support

`age -r '<ssh-public-key>' -o <output> <input>` — Encrypt for an SSH public key (ed25519 or RSA).

```bash
age -r 'ssh-ed25519 AAAA...' -o secret.age secret.txt
```

`age -R ~/.ssh/authorized_keys -o <output> <input>` — Encrypt for all SSH keys in authorized_keys.

```bash
age -R ~/.ssh/authorized_keys -o secret.age secret.txt
```

`age -d -i ~/.ssh/id_ed25519 <input>` — Decrypt using an SSH private key.

```bash
age -d -i ~/.ssh/id_ed25519 secret.age > secret.txt
```

## Common Patterns

`tar czf - <dir> | age -r <key> > <output>` — Create an encrypted archive.

```bash
tar czf - secrets/ | age -r age1abc... > secrets.tar.gz.age
```

`age -d -i <key> <input> | tar xzf -` — Decrypt and extract an archive.

```bash
age -d -i key.txt secrets.tar.gz.age | tar xzf -
```

`age-keygen | tee key.txt | age-keygen -y` — Generate key and display public key in one command.

```bash
# tee creates key.txt with umask-default permissions; tighten the umask first
(umask 077; age-keygen | tee key.txt | age-keygen -y)
```

`echo '<secret>' | age -r <key> -a` — Encrypt a string with ASCII armor (text-safe).

```bash
echo 'password123' | age -r age1abc... -a
```

`age -d -i key.txt secret.age | <command>` — Decrypt and pipe directly to a command.

```bash
age -d -i key.txt db-dump.sql.age | mysql -u root mydb
```

## Conclusion

age proves that file encryption doesn't have to be complicated: no keyring to manage, no endless options – just short, readable commands. Guard your identity file (the private key) as carefully as a password and never share it; anyone who holds it can decrypt everything meant for you. With the passphrase variant, your encryption is only as strong as the passphrase itself – so make it long and unique. age deliberately stays out of the signing business: it encrypts, nothing more – and does exactly that well.
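The recipients file passed to `age -R` and the identity file passed to `age -d -i` are the two places where a key-handling mistake goes unnoticed. The script below is an added example, not part of the original cheat sheet or the age project. It checks a recipients file for pasted private keys and an identity file for loose permissions. The function names, the accepted line prefixes and the sample keys are constructed for illustration.

```bash
#!/usr/bin/env bash
# Pre-flight checks for `age -R <recipients-file>` and `age -d -i <identity>`.
# The accepted prefixes are this script's conservative assumption, not age's parser.

# check_recipients FILE: prints the count of usable recipient lines.
# Returns 1 on an unrecognized line, 2 if the file contains a private key.
check_recipients() {
  local file=$1 line n=0 lineno=0 rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case $line in
      '' | '#'*) ;;                                   # blank lines and comments
      AGE-SECRET-KEY-*)                               # identity pasted by mistake
        echo "$file:$lineno: private key in recipients file" >&2; return 2 ;;
      age1* | 'ssh-ed25519 '* | 'ssh-rsa '*) n=$((n + 1)) ;;
      *) echo "$file:$lineno: unrecognized recipient" >&2; rc=1 ;;
    esac
  done < "$file"
  echo "$n"
  return "$rc"
}

# identity_is_private FILE: succeeds only if group and others have no access.
identity_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_samples: writes constructed sample files to a temp dir and prints its path.
make_samples() {
  local dir
  dir=$(mktemp -d)
  printf '%s\n' '# team keys (constructed)' 'age1constructedsamplekey' \
    'ssh-ed25519 AAAAconstructed alice@example' > "$dir/team-keys.txt"
  printf '%s\n' 'age1constructedsamplekey' 'AGE-SECRET-KEY-1CONSTRUCTED' \
    > "$dir/leaky-keys.txt"
  printf '%s\n' 'AGE-SECRET-KEY-1CONSTRUCTED' > "$dir/key.txt"
  chmod 644 "$dir/key.txt"                            # readable by group and others
  echo "$dir"
}

samples=$(make_samples)
check_recipients "$samples/team-keys.txt"
check_recipients "$samples/leaky-keys.txt" || echo "refusing to encrypt"
identity_is_private "$samples/key.txt" || echo "key.txt is readable by others"
chmod 600 "$samples/key.txt" && identity_is_private "$samples/key.txt" && echo "key.txt ok"
```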

## Further Reading

- [age – GitHub project](https://github.com/FiloSottile/age) – source code, releases and documentation
- [age-encryption.org](https://age-encryption.org/) – official project site and format specification


