age — Simple, Modern File Encryption

age is a deliberately simple, modern file-encryption tool by Filippo Valsorda – built as a lean alternative to GPG when all you need is to encrypt files securely. Instead of a sprawling configuration, you work with compact X25519 key pairs or a single passphrase, and you can optionally reuse existing SSH keys as recipients. The two commands age and age-keygen cover the whole workflow – encrypt, decrypt, generate keys – with no keyring to manage. This guide walks you through the commands you reach for daily, from generating a key pair to building an encrypted backup archive.

Key Generation

age-keygen — Generate a new key pair (prints to stdout).

age-keygen

age-keygen -o <file> — Generate a key pair and save to a file.

age-keygen -o key.txt

age-keygen -y <key-file> — Extract the public key from a private key file.

age-keygen -y key.txt

Encrypt with Recipient Keys

age -r <public-key> -o <output> <input> — Encrypt a file for a recipient's public key.

age -r age1abc123... -o secret.txt.age secret.txt

age -r <key1> -r <key2> -o <output> <input> — Encrypt for multiple recipients.

age -r age1abc... -r age1xyz... -o secret.txt.age secret.txt

age -R <recipients-file> -o <output> <input> — Encrypt using a file of recipient public keys (one per line).

age -R team-keys.txt -o secret.txt.age secret.txt

age -r <public-key> < <input> > <output> — Encrypt using stdin/stdout (piping).

tar czf - secrets/ | age -r age1abc... > secrets.tar.gz.age

Encrypt with Passphrase

age -p -o <output> <input> — Encrypt with a passphrase (prompts for input).

age -p -o backup.tar.gz.age backup.tar.gz

age -p < <input> > <output> — Passphrase encryption with piping.

cat secret.txt | age -p > secret.txt.age

Decrypt

age -d -i <identity> -o <output> <input> — Decrypt using an identity (private key) file.

age -d -i key.txt -o secret.txt secret.txt.age

age -d -i <identity> < <input> > <output> — Decrypt with piping.

age -d -i key.txt < secrets.tar.gz.age | tar xzf -

age -d -o <output> <input> — Decrypt a passphrase-encrypted file (prompts for passphrase).

age -d -o backup.tar.gz backup.tar.gz.age

age -d -i <key1> -i <key2> <input> — Try multiple identity files for decryption.

age -d -i personal.key -i work.key secret.txt.age

SSH Key Support

age -r '<ssh-public-key>' -o <output> <input> — Encrypt for an SSH public key (ed25519 or RSA).

age -r 'ssh-ed25519 AAAA...' -o secret.age secret.txt

age -R ~/.ssh/authorized_keys -o <output> <input> — Encrypt for all SSH keys in authorized_keys.

age -R ~/.ssh/authorized_keys -o secret.age secret.txt

age -d -i ~/.ssh/id_ed25519 <input> — Decrypt using an SSH private key.

age -d -i ~/.ssh/id_ed25519 secret.age > secret.txt

Common Patterns

tar czf - <dir> | age -r <key> > <output> — Create an encrypted archive.

tar czf - secrets/ | age -r age1abc... > secrets.tar.gz.age

age -d -i <key> <input> | tar xzf - — Decrypt and extract an archive.

age -d -i key.txt secrets.tar.gz.age | tar xzf -

age-keygen | tee key.txt | age-keygen -y — Generate key and display public key in one command.

age-keygen | tee key.txt | age-keygen -y

echo '<secret>' | age -r <key> -a — Encrypt a string with ASCII armor (text-safe).

echo 'password123' | age -r age1abc... -a

age -d -i key.txt secret.age | <command> — Decrypt and pipe directly to a command.

age -d -i key.txt db-dump.sql.age | mysql -u root mydb

Conclusion

age proves that file encryption doesn't have to be complicated: no keyring to manage, no endless options – just short, readable commands. Guard your identity file (the private key) as carefully as a password and never share it; anyone who holds it can decrypt everything meant for you. With the passphrase variant, your encryption is only as strong as the passphrase itself – so make it long and unique. age deliberately stays out of the signing business: it encrypts, nothing more – and does exactly that well.