-
@ ▄︻デʟɨɮʀɛȶɛֆƈɦ-ֆʏֆȶɛʍֆ══━一,
2025-02-24 01:22:32
## **age** - Simple, modern, and secure file encryption.
## SYNOPSIS
```bash
age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
age --decrypt [-i PATH | -j PLUGIN]... [-o OUTPUT] [INPUT]
```
The **age** tool provides a robust solution for encrypting and decrypting files. It simplifies the encryption process while ensuring strong security through modern cryptographic standards. **age** primarily focuses on:
- Encrypting data to specific recipients or using passphrases.
- Decrypting data based on available private keys or passphrases.
- Supports both binary and ASCII armored (Base64-encoded) outputs.
- A compact, secure design suitable for integration into diverse environments.
- **RECIPIENTS**: Public keys or identities to which a file is encrypted. Each recipient can decrypt the file with their corresponding private key.
- **IDENTITIES**: Private keys that allow decryption of files encrypted to corresponding recipients.
- **Passphrase**: A user-defined secret key used to encrypt or decrypt data interactively, typically used when specific recipient identities are not available.
### Encryption Process:
Files are encrypted using public keys or passphrases. The `-r` option encrypts the file to specific recipients, whereas the `--passphrase` option allows encryption using a passphrase. In the absence of these options, **age** will prompt the user for the necessary inputs interactively.
### Decryption Process:
Decryption is automatically handled by **age** based on the format of the encrypted file. If the file is encrypted with a passphrase, **age** will request the passphrase interactively. Alternatively, it will use the private key specified by the `-i` option to decrypt the file.
### Binary and ASCII Output:
The default output for **age** is binary, which is suitable for storage and transmission. However, when using the `--armor` option, the encrypted file is encoded into a text format that is easy to handle in text-based systems.
---
## OPTIONS
### General Options:
- `-o, --output=OUTPUT`: Directs the encrypted or decrypted content to the specified OUTPUT file. If OUTPUT already exists, it is overwritten. In the case of encryption without `--armor`, the tool refuses to output binary to a TTY.
- `--version`: Displays the **age** version and exits.
### Encryption Options:
- `-e, --encrypt`: Default mode for encrypting files. Specifies that the input file should be encrypted.
- `-r, --recipient=RECIPIENT`: Encrypts to the recipient's public key, which can be a native X25519 key or an SSH key. This option may be repeated to encrypt for multiple recipients.
- `-R, --recipients-file=PATH`: Encrypts for recipients listed in a file, each recipient specified on a new line. Lines starting with `#` are treated as comments. If `PATH` is `-`, recipients are read from standard input.
- `-p, --passphrase`: Encrypts the file with a passphrase. The passphrase is requested interactively, and **age** offers an option to auto-generate a secure passphrase. This mode cannot be combined with other recipient options.
- `--armor`: Encrypts the output to an ASCII "armored" encoding (strict Base64). This makes it more suitable for text environments.
- `-i, --identity=PATH`: Specifies the path to the private key(s) that correspond to the recipients. Used to generate a file compatible with recipient encryption, allowing seamless encryption to private keys.
- `-j PLUGIN`: Specifies the use of a plugin for encryption, typically used for non-standard encryption schemes.
### Decryption Options:
- `-d, --decrypt`: Decrypts the specified INPUT file. If the file is passphrase-encrypted, the passphrase is automatically detected and requested interactively.
- `-i, --identity=PATH`: Specifies the private key file used for decryption. This can be a native age private key, an SSH private key, or a passphrase-protected identity file. The file path can also be `-` to read from standard input.
- `-j PLUGIN`: Decrypts using a plugin, similar to how the plugin is used in encryption. The plugin should contain no data-specific encryption information.
### Plugins:
**age** supports the use of plugins to extend its encryption and decryption functionality. A plugin is used when encryption or decryption requires a non-standard method. The plugin executes specific cryptographic operations as defined by the plugin.
---
## VARIOUS EXAMPLES
### 1. Encrypt a file to a recipient using a native X25519 key:
```bash
age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p file.txt > file.txt.age
```
### 2. Encrypt a file to multiple recipients:
```bash
age -o file.txt.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
-r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg file.txt
```
### 3. Encrypt to recipients listed in a file:
```bash
cat > recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
age -R recipients.txt file.txt > file.txt.age
```
### 4. Encrypt and decrypt a file with a passphrase:
```bash
# Encrypt with a passphrase
age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
# Decrypt with the same passphrase
age -d secrets.txt.age > secrets.txt
Enter passphrase:
```
### 5. Encrypt and decrypt with a passphrase-protected identity file:
```bash
# Generate a passphrase-protected identity file
age-keygen | age -p > key.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
# Encrypt using the identity
age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age
# Decrypt using the identity file
age -d -i key.age secrets.txt.age > secrets.txt
Enter passphrase for identity file "key.age":
```
---
## EXIT STATUS
- `0`: Encryption or decryption was successful.
- `1`: An error occurred during the operation.
---
## BACKWARDS COMPATIBILITY
Files encrypted with a stable version of **age** will be compatible with any later version of the tool. When decrypting older files, **age** might provide a flag to force the operation if the operation poses a security risk.
---
The **age** tool is designed with security and simplicity in mind. It uses strong encryption methods to ensure that your files are protected against unauthorized access, with flexibility in how encryption keys are managed and applied.
[Age Github Repo](https://github.com/FiloSottile/age?tab=readme-ov-file)