2021-05-25 18:35:00 +00:00
<!DOCTYPE html>
< html >
< head >
2023-04-22 09:53:03 +00:00
< meta http-equiv = 'content-type' content = 'text/html;charset=utf8' >
< meta name = 'generator' content = 'Ronn-NG/v0.9.1 (http://github.com/apjanke/ronn-ng/tree/0.9.1)' >
2021-05-25 18:35:00 +00:00
< title > age(1) - simple, modern, and secure file encryption< / title >
< style type = 'text/css' media = 'all' >
/* style: man */
body#manpage {margin:0}
.mp {max-width:100ex;padding:0 9ex 1ex 4ex}
.mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
.mp h2 {margin:10px 0 0 0}
.mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
.mp h3 {margin:0 0 0 4ex}
.mp dt {margin:0;clear:left}
.mp dt.flush {float:left;width:8ex}
.mp dd {margin:0 0 0 9ex}
.mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
.mp pre {margin-bottom:20px}
.mp pre+h2,.mp pre+h3 {margin-top:22px}
.mp h2+pre,.mp h3+pre {margin-top:5px}
.mp img {display:block;margin:auto}
.mp h1.man-title {display:none}
.mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
.mp h2 {font-size:16px;line-height:1.25}
.mp h1 {font-size:20px;line-height:2}
.mp {text-align:justify;background:#fff}
.mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
.mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
.mp u {text-decoration:underline}
.mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
.mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
.mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
.mp b.man-ref {font-weight:normal;color:#434241}
.mp pre {padding:0 4ex}
.mp pre code {font-weight:normal;color:#434241}
.mp h2+pre,h3+pre {padding-left:0}
ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
ol.man-decor {width:100%}
ol.man-decor li.tl {text-align:left}
ol.man-decor li.tc {text-align:center;letter-spacing:4px}
ol.man-decor li.tr {text-align:right;float:right}
< / style >
< / head >
<!--
The following styles are deprecated and will be removed at some point:
div#man, div#man ol.man, div#man ol.head, div#man ol.man.
The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
.man-navigation should be used instead.
-->
< body id = 'manpage' >
< div class = 'mp' id = 'man' >
< div class = 'man-navigation' style = 'display:none' >
< a href = "#NAME" > NAME< / a >
< a href = "#SYNOPSIS" > SYNOPSIS< / a >
< a href = "#DESCRIPTION" > DESCRIPTION< / a >
< a href = "#OPTIONS" > OPTIONS< / a >
< a href = "#RECIPIENTS-AND-IDENTITIES" > RECIPIENTS AND IDENTITIES< / a >
2021-09-04 16:08:15 +00:00
< a href = "#EXIT-STATUS" > EXIT STATUS< / a >
< a href = "#BACKWARDS-COMPATIBILITY" > BACKWARDS COMPATIBILITY< / a >
2021-05-25 18:35:00 +00:00
< a href = "#EXAMPLES" > EXAMPLES< / a >
< a href = "#SEE-ALSO" > SEE ALSO< / a >
< a href = "#AUTHORS" > AUTHORS< / a >
< / div >
< ol class = 'man-decor man-head man head' >
< li class = 'tl' > age(1)< / li >
< li class = 'tc' > < / li >
< li class = 'tr' > age(1)< / li >
< / ol >
2023-04-22 09:53:03 +00:00
< h2 id = "NAME" > NAME< / h2 >
2021-05-25 18:35:00 +00:00
< p class = "man-name" >
< code > age< / code > - < span class = "man-whatis" > simple, modern, and secure file encryption< / span >
< / p >
< h2 id = "SYNOPSIS" > SYNOPSIS< / h2 >
2023-04-22 09:53:03 +00:00
< p > < code > age< / code > [< code > --encrypt< / code > ] (< code > -r< / code > < var > RECIPIENT< / var > | < code > -R< / code > < var > PATH< / var > )... [< code > --armor< / code > ] [< code > -o< / code > < var > OUTPUT< / var > ] [< var > INPUT< / var > ]< br >
< code > age< / code > [< code > --encrypt< / code > ] < code > --passphrase< / code > [< code > --armor< / code > ] [< code > -o< / code > < var > OUTPUT< / var > ] [< var > INPUT< / var > ]< br >
< code > age< / code > < code > --decrypt< / code > [< code > -i< / code > < var > PATH< / var > | < code > -j< / code > < var > PLUGIN< / var > ]... [< code > -o< / code > < var > OUTPUT< / var > ] [< var > INPUT< / var > ]< br > < / p >
2021-05-25 18:35:00 +00:00
< h2 id = "DESCRIPTION" > DESCRIPTION< / h2 >
< p > < code > age< / code > encrypts or decrypts < var > INPUT< / var > to < var > OUTPUT< / var > . The < var > INPUT< / var > argument is
optional and defaults to standard input. Only a single < var > INPUT< / var > file may be
specified. If < code > -o< / code > is not specified, < var > OUTPUT< / var > defaults to standard output.< / p >
2022-05-24 13:59:08 +00:00
< p > If < code > -p< / code > /< code > --passphrase< / code > is specified, the file is encrypted with a passphrase
2021-05-25 18:35:00 +00:00
requested interactively. Otherwise, it's encrypted to one or more
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > RECIPIENTS< / a > specified with < code > -r< / code > /< code > --recipient< / code > or
< code > -R< / code > /< code > --recipients-file< / code > . Every recipient can decrypt the file.< / p >
2022-05-24 13:59:08 +00:00
< p > In < code > -d< / code > /< code > --decrypt< / code > mode, passphrase-encrypted files are detected automatically
and the passphrase is requested interactively. Otherwise, one or more
2021-05-25 18:35:00 +00:00
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > specified with < code > -i< / code > /< code > --identity< / code > are
used to decrypt the file.< / p >
< p > < code > age< / code > encrypted files are binary and not malleable, with around 200 bytes of
overhead per recipient, plus 16 bytes every 64KiB of plaintext.< / p >
< h2 id = "OPTIONS" > OPTIONS< / h2 >
< dl >
2023-04-22 09:53:03 +00:00
< dt >
< code > -o< / code > , < code > --output< / code > =< var > OUTPUT< / var >
< / dt >
< dd > Write encrypted or decrypted file to < var > OUTPUT< / var > instead of standard output.
If < var > OUTPUT< / var > already exists it will be overwritten.
< p > If encrypting without < code > --armor< / code > , < code > age< / code > will refuse to output binary to a
TTY. This can be forced by specifying < code > -< / code > as < var > OUTPUT< / var > .< / p >
< / dd >
< dt > < code > --version< / code > < / dt >
< dd > Print the version and exit.< / dd >
2021-05-25 18:35:00 +00:00
< / dl >
< h3 id = "Encryption-options" > Encryption options< / h3 >
< dl >
2023-04-22 09:53:03 +00:00
< dt >
< code > -e< / code > , < code > --encrypt< / code >
< / dt >
< dd > Encrypt < var > INPUT< / var > to < var > OUTPUT< / var > . This is the default.< / dd >
< dt >
< code > -r< / code > , < code > --recipient< / code > =< var > RECIPIENT< / var >
< / dt >
< dd > Encrypt to the explicitly specified < var > RECIPIENT< / var > . See the
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > RECIPIENTS AND IDENTITIES< / a > section for possible recipient formats.
< p > This option can be repeated and combined with other recipient flags,
and the file can be decrypted by all provided recipients independently.< / p >
< / dd >
< dt >
< code > -R< / code > , < code > --recipients-file< / code > =< var > PATH< / var >
< / dt >
< dd > Encrypt to the < a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > RECIPIENTS< / a > listed in the
2021-05-25 18:35:00 +00:00
file at < var > PATH< / var > , one per line. Empty lines and lines starting with < code > #< / code >
2023-04-22 09:53:03 +00:00
are ignored as comments.
2021-05-25 18:35:00 +00:00
2023-04-22 09:53:03 +00:00
< p > If < var > PATH< / var > is < code > -< / code > , the recipients are read from standard input. In
2021-05-25 18:35:00 +00:00
this case, the < var > INPUT< / var > argument must be specified.< / p >
2023-04-22 09:53:03 +00:00
< p > This option can be repeated and combined with other recipient flags,
and the file can be decrypted by all provided recipients independently.< / p >
< / dd >
< dt >
< code > -p< / code > , < code > --passphrase< / code >
< / dt >
< dd > Encrypt with a passphrase, requested interactively from the terminal.
< code > age< / code > will offer to auto-generate a secure passphrase.
< p > This option can't be used with other recipient flags.< / p >
< / dd >
< dt >
< code > -a< / code > , < code > --armor< / code >
< / dt >
< dd > Encrypt to an ASCII-only "armored" encoding.
< p > < code > age< / code > armor is a strict version of PEM with type < code > AGE ENCRYPTED FILE< / code > ,
2021-05-25 18:35:00 +00:00
canonical "strict" Base64, no headers, and no support for leading and
trailing extra data.< / p >
2023-04-22 09:53:03 +00:00
< p > Decryption transparently detects and decodes ASCII armoring.< / p >
< / dd >
< dt >
< code > -i< / code > , < code > --identity< / code > =< var > PATH< / var >
< / dt >
< dd > Encrypt to the < a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > RECIPIENTS< / a > corresponding to the
2022-05-24 13:59:08 +00:00
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > listed in the file at < var > PATH< / var > . This
is equivalent to converting the file at < var > PATH< / var > to a recipients file with
2023-04-22 09:53:03 +00:00
< code > age-keygen -y< / code > and then passing that to < code > -R< / code > /< code > --recipients-file< / code > .
2022-05-24 13:59:08 +00:00
2023-04-22 09:53:03 +00:00
< p > For the format of < var > PATH< / var > , see the definition of < code > -i< / code > /< code > --identity< / code > in the
2022-05-24 13:59:08 +00:00
< a href = "#Decryption-options" title = "Decryption options" data-bare-link = "true" > Decryption options< / a > section.< / p >
2023-04-22 09:53:03 +00:00
< p > < code > -e< / code > /< code > --encrypt< / code > must be explicitly specified when using < code > -i< / code > /< code > --identity< / code >
in encryption mode to avoid confusion.< / p >
< / dd >
< dt >
< code > -j< / code > < var > PLUGIN< / var >
< / dt >
< dd > Encrypt using the data-less < a href = "#Plugins" title = "Plugins" data-bare-link = "true" > plugin< / a > < var > PLUGIN< / var > .
2022-05-24 13:59:08 +00:00
2023-04-22 09:53:03 +00:00
< p > This is equivalent to using < code > -i< / code > /< code > --identity< / code > with a file that contains a
2022-05-24 13:59:08 +00:00
single plugin < code > IDENTITY< / code > that encodes no plugin-specific data.< / p >
2023-04-22 09:53:03 +00:00
< p > < code > -e< / code > /< code > --encrypt< / code > must be explicitly specified when using < code > -j< / code > in encryption
mode to avoid confusion.< / p >
< / dd >
2021-05-25 18:35:00 +00:00
< / dl >
< h3 id = "Decryption-options" > Decryption options< / h3 >
< dl >
2023-04-22 09:53:03 +00:00
< dt >
< code > -d< / code > , < code > --decrypt< / code >
< / dt >
< dd > Decrypt < var > INPUT< / var > to < var > OUTPUT< / var > .
2021-05-25 18:35:00 +00:00
2023-04-22 09:53:03 +00:00
< p > If < var > INPUT< / var > is passphrase encrypted, it will be automatically detected
2021-05-25 18:35:00 +00:00
and the passphrase will be requested interactively. Otherwise, the
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > specified with < code > -i< / code > /< code > --identity< / code >
are used.< / p >
2023-04-22 09:53:03 +00:00
< p > ASCII armoring is transparently detected and decoded.< / p >
< / dd >
< dt >
< code > -i< / code > , < code > --identity< / code > =< var > PATH< / var >
< / dt >
< dd > Decrypt using the < a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > at < var > PATH< / var > .
2021-05-25 18:35:00 +00:00
2023-04-22 09:53:03 +00:00
< p > < var > PATH< / var > may be one of the following:< / p >
2021-05-25 18:35:00 +00:00
2023-04-22 09:53:03 +00:00
< p > a. A file listing < a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > one per line.
2021-05-25 18:35:00 +00:00
Empty lines and lines starting with "< code > #< / code > " are ignored as comments.< / p >
2023-04-22 09:53:03 +00:00
< p > b. A passphrase encrypted age file, containing
2021-06-14 11:20:51 +00:00
< a href = "#RECIPIENTS-AND-IDENTITIES" title = "RECIPIENTS AND IDENTITIES" data-bare-link = "true" > IDENTITIES< / a > one per line like above.
The passphrase is requested interactively. Note that passphrase-protected
identity files are not necessary for most use cases, where access to the
encrypted identity file implies access to the whole system.< / p >
2023-04-22 09:53:03 +00:00
< p > c. An SSH private key file, in PKCS#1, PKCS#8, or OpenSSH format.
2021-05-25 18:35:00 +00:00
If the private key is password-protected, the password is requested
interactively only if the SSH identity matches the file. See the
< a href = "#SSH-keys" title = "SSH keys" data-bare-link = "true" > SSH keys< / a > section for more information, including supported key types.< / p >
2023-04-22 09:53:03 +00:00
< p > d. "< code > -< / code > ", causing one of the options above to be read from standard input.
2021-05-25 18:35:00 +00:00
In this case, the < var > INPUT< / var > argument must be specified.< / p >
2023-04-22 09:53:03 +00:00
< p > This option can be repeated. Identities are tried in the order in which are
2022-05-24 13:59:08 +00:00
provided, and the first one matching one of the file's recipients is used.
Unused identities are ignored, but it is an error if the < var > INPUT< / var > file is
2023-04-22 09:53:03 +00:00
passphrase-encrypted and < code > -i< / code > /< code > --identity< / code > is specified.< / p >
< / dd >
< dt >
< code > -j< / code > < var > PLUGIN< / var >
< / dt >
< dd > Decrypt using the data-less < a href = "#Plugins" title = "Plugins" data-bare-link = "true" > plugin< / a > < var > PLUGIN< / var > .
< p > This is equivalent to using < code > -i< / code > /< code > --identity< / code > with a file that contains a
single plugin < code > IDENTITY< / code > that encodes no plugin-specific data.< / p >
< / dd >
2021-05-25 18:35:00 +00:00
< / dl >
< h2 id = "RECIPIENTS-AND-IDENTITIES" > RECIPIENTS AND IDENTITIES< / h2 >
< p > < code > RECIPIENTS< / code > are public values, like a public key, that a file can be encrypted
to. < code > IDENTITIES< / code > are private values, like a private key, that allow decrypting
a file encrypted to the corresponding < code > RECIPIENT< / code > .< / p >
< h3 id = "Native-X25519-keys" > Native X25519 keys< / h3 >
< p > Native < code > age< / code > key pairs are generated with < a class = "man-ref" href = "age-keygen.1.html" > age-keygen< span class = "s" > (1)< / span > < / a > , and provide small
encodings and strong encryption based on X25519. They are the recommended
recipient type for most applications.< / p >
< p > A < code > RECIPIENT< / code > encoding begins with < code > age1< / code > and looks like the following:< / p >
< pre > < code > age1gde3ncmahlqd9gg50tanl99r960llztrhfapnmx853s4tjum03uqfssgdh
< / code > < / pre >
< p > An < code > IDENTITY< / code > encoding begins with < code > AGE-SECRET-KEY-1< / code > and looks like the
following:< / p >
< pre > < code > AGE-SECRET-KEY-1KTYK6RVLN5TAPE7VF6FQQSKZ9HWWCDSKUGXXNUQDWZ7XXT5YK5LSF3UTKQ
< / code > < / pre >
< p > An encrypted file can't be linked to the native recipient it's encrypted to
without access to the corresponding identity.< / p >
< h3 id = "SSH-keys" > SSH keys< / h3 >
< p > As a convenience feature, < code > age< / code > also supports encrypting to RSA or Ed25519
< span class = "man-ref" > ssh< span class = "s" > (1)< / span > < / span > keys. RSA keys must be at least 2048 bits. This feature employs more
complex cryptography, and should only be used when a native key is not available
for the recipient. Note that SSH keys might not be protected long-term by the
recipient, since they are revokable when used only for authentication.< / p >
< p > A < code > RECIPIENT< / code > encoding is an SSH public key in < code > authorized_keys< / code > format
(see the < code > AUTHORIZED_KEYS FILE FORMAT< / code > section of < span class = "man-ref" > sshd< span class = "s" > (8)< / span > < / span > ), starting with
< code > ssh-rsa< / code > or < code > ssh-ed25519< / code > , like the following:< / p >
< pre > < code > ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULTit0KUehbi[...]GU4BtElAbzh8=
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9pO5pz22JZEas[...]l1uZc31FGYMXa
< / code > < / pre >
< p > The comment at the end of the line, if present, is ignored.< / p >
< p > In recipient files passed to < code > -R< / code > /< code > --recipients-file< / code > , unsupported but valid
SSH public keys are ignored with a warning, to facilitate using
< code > authorized_keys< / code > or GitHub < code > .keys< / code > files. (See < a href = "#EXAMPLES" title = "EXAMPLES" data-bare-link = "true" > EXAMPLES< / a > .)< / p >
< p > An < code > IDENTITY< / code > is an SSH private key < em > file< / em > passed individually to
< code > -i< / code > /< code > --identity< / code > . Note that keys held on hardware tokens such as YubiKeys
or accessed via < span class = "man-ref" > ssh-agent< span class = "s" > (1)< / span > < / span > are not supported.< / p >
< p > An encrypted file < em > can< / em > be linked to the SSH public key it was encrypted to.
This is so that < code > age< / code > can identify the correct SSH private key before
requesting its password, if any.< / p >
2022-05-24 13:59:08 +00:00
< h3 id = "Plugins" > Plugins< / h3 >
< p > < code > age< / code > can be extended through plugins. A plugin is only loaded if a corresponding
< code > RECIPIENT< / code > or < code > IDENTITY< / code > is specified. (Simply decrypting a file encrypted with
a plugin will not cause it to load, for security reasons among others.)< / p >
< p > A < code > RECIPIENT< / code > for a plugin named < code > example< / code > starts with < code > age1example1< / code > , while an
< code > IDENTITY< / code > starts with < code > AGE-PLUGIN-EXAMPLE-1< / code > . They both encode arbitrary
plugin-specific data, and are generated by the plugin.< / p >
< p > When either is specified, < code > age< / code > searches for < code > age-plugin-example< / code > in the PATH
and executes it to perform the file header encryption or decryption. The plugin
may request input from the user through < code > age< / code > to complete the operation.< / p >
< p > Plugins can be freely mixed with other plugins or natively supported keys.< / p >
< p > A plugin is not bound to only encrypt or decrypt files meant for or generated by
the plugin. For example, a plugin can be used to decrypt files encrypted to a
native X25519 < code > RECIPIENT< / code > or even with a passphrase. Similarly, a plugin can
encrypt a file such that it can be decrypted without the use of any plugin.< / p >
< p > Plugins for which the < code > IDENTITY< / code > /< code > RECIPIENT< / code > distinction doesn't make sense
(such as a symmetric encryption plugin) may generate only an < code > IDENTITY< / code > and
instruct the user to perform encryption with the < code > -e< / code > /< code > --encrypt< / code > and
< code > -i< / code > /< code > --identity< / code > flags. Plugins for which the concept of separate identities
doesn't make sense (such as a password-encryption plugin) may instruct the user
to use the < code > -j< / code > flag.< / p >
2021-09-04 16:08:15 +00:00
< h2 id = "EXIT-STATUS" > EXIT STATUS< / h2 >
2021-09-25 13:57:46 +00:00
< p > < code > age< / code > will exit 0 if and only if encryption or decryption are successful for the
2021-09-04 16:08:15 +00:00
full length of the input.< / p >
< p > If an error occurs during decryption, partial output might still be generated,
2022-09-28 09:47:53 +00:00
but only if it was possible to securely authenticate it. No unauthenticated
2021-09-04 16:08:15 +00:00
output is ever released.< / p >
< h2 id = "BACKWARDS-COMPATIBILITY" > BACKWARDS COMPATIBILITY< / h2 >
< p > Files encrypted with a stable version (not alpha, beta, or release candidate) of
< code > age< / code > , or with any v1.0.0 beta or release candidate, will decrypt with any later
version of the tool.< / p >
< p > If decrypting older files poses a security risk, doing so might cause an error
2021-09-08 10:35:24 +00:00
by default. In this case, a flag will be provided to force the operation.< / p >
2021-09-04 16:08:15 +00:00
2021-05-25 18:35:00 +00:00
< h2 id = "EXAMPLES" > EXAMPLES< / h2 >
< p > Generate a new identity, encrypt data, and decrypt:< / p >
< pre > < code > $ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age -d -o data.tar.gz -i key.txt data.tar.gz.age
< / code > < / pre >
< p > Encrypt < code > example.jpg< / code > to multiple recipients and output to < code > example.jpg.age< / code > :< / p >
< pre > < code > $ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
-r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg
< / code > < / pre >
< p > Encrypt to a list of recipients:< / p >
< pre > < code > $ cat > recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age
< / code > < / pre >
< p > Encrypt and decrypt a file using a passphrase:< / p >
< pre > < code > $ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:
< / code > < / pre >
2021-06-14 11:20:51 +00:00
< p > Encrypt and decrypt with a passphrase-protected identity file:< / p >
< pre > < code > $ age-keygen | age -p > key.age
Public key: age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
$ age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age
$ age -d -i key.age secrets.txt.age > secrets.txt
Enter passphrase for identity file "key.age":
< / code > < / pre >
2021-05-25 18:35:00 +00:00
< p > Encrypt and decrypt with an SSH public key:< / p >
< pre > < code > $ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg
< / code > < / pre >
2022-05-24 13:59:08 +00:00
< p > Encrypt and decrypt with age-plugin-yubikey:< / p >
< pre > < code > $ age-plugin-yubikey # run interactive setup, generate identity file and obtain recipient
$ age -r age1yubikey1qwt50d05nh5vutpdzmlg5wn80xq5negm4uj9ghv0snvdd3yysf5yw3rhl3t secrets.txt > secrets.txt.age
$ age -d -i age-yubikey-identity-388178f3.txt secrets.txt.age
< / code > < / pre >
2021-05-25 18:35:00 +00:00
< p > Encrypt to the SSH keys of a GitHub user:< / p >
< pre > < code > $ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age
< / code > < / pre >
< h2 id = "SEE-ALSO" > SEE ALSO< / h2 >
< p > < a class = "man-ref" href = "age-keygen.1.html" > age-keygen< span class = "s" > (1)< / span > < / a > < / p >
< h2 id = "AUTHORS" > AUTHORS< / h2 >
2021-06-14 11:20:51 +00:00
< p > Filippo Valsorda < a href = "mailto:age@filippo.io" data-bare-link = "true" > age@filippo.io< / a > < / p >
2021-05-25 18:35:00 +00:00
< ol class = 'man-decor man-foot man foot' >
< li class = 'tl' > < / li >
2024-06-16 10:03:57 +00:00
< li class = 'tc' > June 2024< / li >
2021-05-25 18:35:00 +00:00
< li class = 'tr' > age(1)< / li >
< / ol >
< / div >
< / body >
< / html >