age is a simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability. The format specification is at age-encryption.org/v1.
rage is a Rust implementation of the age tool. It is pronounced like the Japanese らげ (with a hard g).
To discuss the spec or other age related topics, please email the mailing list at age-dev@googlegroups.com. age was designed by @Benjojo12 and @FiloSottile.
The reference interoperable Golang implementation is available at filippo.io/age.
``` Usage: rage [OPTIONS] [INPUT]
Positional arguments: INPUT file to read input from (default stdin)
Optional arguments: -h, --help print help message -d, --decrypt decrypt the input (default is to encrypt) -p, --passphrase use a passphrase instead of public keys --max-work-factor WF maximum work factor to allow for passphrase decryption -a, --armor create ASCII armored output (default is age binary format) -r, --recipient RECIPIENT recipient to encrypt to (may be repeated) -i, --identity IDENTITY identity to decrypt with (may be repeated) -o, --output OUTPUT output to OUTPUT (default stdout) ```
Files can be encrypted to multiple recipients by repeating -r/--recipient.
Every recipient will be able to decrypt the file.
bash
$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
-r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png
Files can be encrypted with a passphrase by using -p/--passphrase. By default
rage will automatically generate a secure passphrase.
bash
$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
kiwi-general-undo-bubble-dwarf-dizzy-fame-side-sunset-sibling
$ rage -d -p example.png.age >example.png
Type passphrase: [hidden]
As a convenience feature, rage also supports encrypting to ssh-rsa and
ssh-ed25519 SSH public keys, and decrypting with the respective private key
file. (ssh-agent is not supported.)
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz str4d@internet.arpa
$ rage -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz" example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png
ssh-rsa support is currently behind the unstable feature flag.
Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.
On Windows, Linux, and macOS, you can use the pre-built binaries.
The rage suite of tools are provided in the age Rust crate. If your system
has Rust 1.37+ installed (either via rustup or a system package), you can
build directly from source:
cargo install age
You can also use the age crate directly as a library, by adding this line to
your Cargo.toml (which disables the CLI tools):
age = { version = "0.2", default-features = false }
Help from new packagers is very welcome.
cli enables the rage and rage-keygen tools, and is enabled by default.
mount enables the rage-mount tool, which can mount age-encrypted TAR or
ZIP archives as read-only. It is currently only usable on Unix systems, as it
relies on libfuse.
unstable enables in-development functionality. Anything behind this feature
flag has no stability or interoperability guarantees.
Licensed under either of
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.