Convert Figma logo to code with AI

FiloSottile logoage

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

18,759
547
18,759
40
View on GitHub

Top Related Projects

jedisct1's avatar

minisign

2,348

A dead simple tool to sign files and verify digital signatures.

keybase's avatar

saltpack

1,000

a modern crypto messaging format

awnumar's avatar

memguard

2,597

Secure software enclave for storage of sensitive information in memory.

str4d's avatar

rage

2,862

A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.

getsops's avatar

sops

18,348

Simple and flexible tool for managing secrets

Quick Overview

FiloSottile/age is a simple, modern, and secure file encryption tool and Go library. It provides a command-line interface and a Go API for encrypting and decrypting files using state-of-the-art cryptography. Age is designed to be a replacement for tools like GPG, focusing on simplicity and ease of use.

Pros

  • Simple and user-friendly design
  • Strong, modern cryptography (X25519, ChaCha20-Poly1305)
  • Cross-platform support (Linux, macOS, Windows)
  • Supports multiple recipients and file-based encryption

Cons

  • Relatively new project, may lack some advanced features of more established tools
  • Limited integration with existing ecosystems compared to GPG
  • No built-in key management system
  • May require additional setup for non-technical users

Code Examples

  1. Encrypting a file:
package main

import (
    "os"
    "filippo.io/age"
)

func main() {
    publicKey := "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
    recipient, _ := age.ParseX25519Recipient(publicKey)
    
    w, _ := os.Create("encrypted.age")
    encryptor, _ := age.Encrypt(w, recipient)
    
    _, _ = encryptor.Write([]byte("secret message"))
    _ = encryptor.Close()
}
  1. Decrypting a file:
package main

import (
    "io"
    "os"
    "filippo.io/age"
)

func main() {
    identity, _ := age.GenerateX25519Identity()
    
    f, _ := os.Open("encrypted.age")
    decryptor, _ := age.Decrypt(f, identity)
    
    decrypted, _ := io.ReadAll(decryptor)
    println(string(decrypted))
}
  1. Generating a new key pair:
package main

import (
    "fmt"
    "filippo.io/age"
)

func main() {
    identity, _ := age.GenerateX25519Identity()
    recipient := identity.Recipient()
    
    fmt.Println("Private key:", identity)
    fmt.Println("Public key:", recipient)
}

Getting Started

To use age in your Go project, first install it:

go get filippo.io/age

Then, import it in your Go code:

import "filippo.io/age"

You can now use the age package to encrypt and decrypt files, generate keys, and perform other cryptographic operations as shown in the code examples above.

Competitor Comparisons

jedisct1 logo

minisign

2,348

A dead simple tool to sign files and verify digital signatures.

Pros of minisign

  • Simpler and more focused on file signing rather than encryption
  • Smaller codebase, potentially easier to audit
  • Designed for compatibility with OpenBSD signify

Cons of minisign

  • Limited to signing and verification, lacks encryption capabilities
  • Less actively maintained compared to age
  • Fewer features and less flexibility in key management

Code Comparison

minisign:

#define SIGALG "Ed"
#define KDFALG "Sc"
#define CHKALG "B2"
#define COMMENT_PREFIX "untrusted comment: "
#define TRUSTED_COMMENT_PREFIX "trusted comment: "

age:

const (
    // V1 is the current version of the age format.
    V1 = 1

    // StanzaPrefix is the prefix used by all stanzas in the age format.
    StanzaPrefix = "-> "
)

The code snippets show that minisign uses C and defines constants for signature algorithms and comment prefixes, while age uses Go and defines constants for version and stanza prefixes. This reflects their different focuses: minisign on signing, and age on encryption.

Both projects aim to provide secure cryptographic operations, but age offers a more comprehensive solution for file encryption and secure communication, while minisign specializes in creating and verifying digital signatures for files.

keybase logo

saltpack

1,000

a modern crypto messaging format

Pros of saltpack

  • More mature project with longer development history
  • Supports both encryption and signing
  • Designed for human-readable output, making it easier to share encrypted messages

Cons of saltpack

  • More complex implementation compared to age
  • Larger message overhead due to additional features
  • Less focused on simplicity and ease of use

Code comparison

saltpack encryption example:

import saltpack

message = b"Hello, world!"
recipients = [public_key1, public_key2]
encrypted = saltpack.encrypt(message, recipients)

age encryption example:

package main

import "filippo.io/age"

func encrypt(message []byte, recipient string) ([]byte, error) {
    r, _ := age.ParseX25519Recipient(recipient)
    return age.Encrypt(nil, []age.Recipient{r}, message)
}

Both projects aim to provide secure encryption, but age focuses on simplicity and ease of use, while saltpack offers more features at the cost of complexity. age is designed to be a modern replacement for PGP, emphasizing minimal dependencies and a straightforward API. saltpack, on the other hand, provides a more comprehensive suite of cryptographic tools, including signing and armor formatting, making it suitable for a wider range of applications but potentially more challenging to implement and use.

awnumar logo

memguard

2,597

Secure software enclave for storage of sensitive information in memory.

Pros of memguard

  • Focuses specifically on secure memory management and protection
  • Provides low-level memory security features like anti-debugging and anti-tampering
  • Offers a comprehensive set of tools for handling sensitive data in memory

Cons of memguard

  • More complex to use and integrate compared to age's simple encryption approach
  • Limited to memory protection, while age provides file encryption capabilities
  • Requires more careful implementation to ensure proper security measures

Code comparison

memguard:

// Create a new LockedBuffer
enclave, err := memguard.NewEnclave(32)
if err != nil {
    log.Fatal(err)
}
defer enclave.Destroy()

age:

// Encrypt a file
f, err := age.Encrypt(w, recipients...)
if err != nil {
    log.Fatal(err)
}
defer f.Close()

Summary

While memguard focuses on secure memory management with advanced protection features, age provides simple and efficient file encryption. memguard offers more granular control over sensitive data in memory but requires more careful implementation. age, on the other hand, is easier to use for general encryption tasks but lacks the specialized memory protection features of memguard.

str4d logo

rage

2,862

A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.

Pros of rage

  • Written in Rust, offering memory safety and performance benefits
  • Provides a native Rust API for integration into other Rust projects
  • Includes additional features like password-based encryption and armor format

Cons of rage

  • Smaller community and ecosystem compared to age
  • Less widespread adoption and fewer third-party tools
  • May have a steeper learning curve for developers not familiar with Rust

Code Comparison

age (Go):

recipient, err := age.ParseX25519Recipient(publicKey)
if err != nil {
    log.Fatal(err)
}
encryptor, err := age.Encrypt(output, recipient)

rage (Rust):

let recipient = age::x25519::Recipient::from_str(public_key)?;
let encryptor = age::Encryptor::with_recipients(vec![Box::new(recipient)])
    .wrap_output(&mut output)?;

Both projects implement the age encryption format, but rage offers a Rust-native implementation with some additional features. age, being more established, has wider adoption and a larger ecosystem. The choice between the two may depend on the preferred programming language, specific feature requirements, and the importance of community support.

getsops logo

sops

18,348

Simple and flexible tool for managing secrets

Pros of sops

  • Supports multiple encryption methods (PGP, AWS KMS, GCP KMS, Azure Key Vault)
  • Allows partial encryption of files, keeping structure intact
  • Integrates well with version control systems

Cons of sops

  • More complex setup and configuration
  • Slower for large files due to JSON/YAML parsing
  • Requires external key management services for some features

Code Comparison

sops:

myapp:
    database:
        host: ENC[AES256_GCM,data:...],
        password: ENC[AES256_GCM,data:...]

age:

age-encryption.org/v1
-> X25519 yNTrJ...
... (encrypted content)

Key Differences

  • sops focuses on encrypting specific fields within structured data files
  • age is designed for simple, whole-file encryption
  • sops offers more flexibility in key management and integration with cloud services
  • age provides a simpler, more straightforward approach to file encryption

Both tools have their strengths, with sops being more suitable for complex configurations and cloud integrations, while age excels in simplicity and ease of use for general-purpose file encryption.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

The age logo, a wireframe of St. Peters dome in Rome, with the text: age, file encryption

Go Reference man page C2SP specification

age is a simple, modern and secure file encryption tool, format, and Go library.

It features small explicit keys, no config options, and UNIX-style composability.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz

📜 The format specification is at age-encryption.org/v1. age was designed by @Benjojo12 and @FiloSottile.

🦀 An alternative interoperable Rust implementation is available at github.com/str4d/rage.

🌍 Typage is a TypeScript implementation. It works in the browser, in Node.js, and in Bun.

🔑 Hardware PIV tokens such as YubiKeys are supported through the age-plugin-yubikey plugin.

✨ For more plugins, implementations, tools, and integrations, check out the awesome age list.

💬 The author pronounces it [aɡe̞] with a hard g, like GIF, and is always spelled lowercase.

Installation

Homebrew (macOS or Linux) brew install age
MacPorts port install age
Alpine Linux v3.15+ apk add age
Arch Linux pacman -S age
Debian 12+ (Bookworm) apt install age
Debian 11 (Bullseye) apt install age/bullseye-backports (enable backports for age v1.0.0+)
Fedora 33+ dnf install age
Gentoo Linux emerge app-crypt/age
NixOS / Nix nix-env -i age
openSUSE Tumbleweed zypper install age
Ubuntu 22.04+ apt install age
Void Linux xbps-install age
FreeBSD pkg install age (security/age)
OpenBSD 6.7+ pkg_add age (security/age)
Chocolatey (Windows) choco install age.portable
Scoop (Windows) scoop bucket add extras && scoop install age
pkgx pkgx install age

On Windows, Linux, macOS, and FreeBSD you can use the pre-built binaries.

https://dl.filippo.io/age/latest?for=linux/amd64
https://dl.filippo.io/age/v1.1.1?for=darwin/arm64
...

If your system has a supported version of Go, you can build from source.

go install filippo.io/age/cmd/...@latest

Help from new packagers is very welcome.

Verifying the release signatures

If you download the pre-built binaries, you can check their Sigsum proofs, which are like signatures with extra transparency: you can cryptographically verify that every proof is logged in a public append-only log, so you can hold the age project accountable for every binary release we ever produced. This is similar to what the Go Checksum Database provides.

cat << EOF > age-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1WpnEswJLPzvXJDiswowy48U+G+G1kmgwUE2eaRHZG
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAz2WM5CyPLqiNjk7CLl4roDXwKhQ0QExXLebukZEZFS
EOF
cat << EOF > sigsum-trust-policy.txt
log 154f49976b59ff09a123675f58cb3e346e0455753c3c3b15d465dcb4f6512b0b https://poc.sigsum.org/jellyfish
witness poc.sigsum.org/nisse 1c25f8a44c635457e2e391d1efbca7d4c2951a0aef06225a881e46b98962ac6c
witness rgdd.se/poc-witness  28c92a5a3a054d317c86fc2eeb6a7ab2054d6217100d0be67ded5b74323c5806
group  demo-quorum-rule all poc.sigsum.org/nisse rgdd.se/poc-witness
quorum demo-quorum-rule
EOF

curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64"
curl -JLO "https://dl.filippo.io/age/v1.2.0?for=darwin/arm64&proof"

go install sigsum.org/sigsum-go/cmd/sigsum-verify@v0.8.0
sigsum-verify -k age-sigsum-key.pub -p sigsum-trust-policy.txt \
    age-v1.2.0-darwin-arm64.tar.gz.proof < age-v1.2.0-darwin-arm64.tar.gz

You can learn more about what's happening above in the Sigsum docs.

Usage

For the full documentation, read the age(1) man page.

Usage:
    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -e, --encrypt               Encrypt the input to the output. Default if omitted.
    -d, --decrypt               Decrypt the input to the output.
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.
If OUTPUT exists, it will be overwritten.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Passphrase encrypted age files can be used as
identity files. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

When --encrypt is specified explicitly, -i can also be used to encrypt to an
identity file symmetrically, instead or in addition to normal recipients.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age

If the argument to -R (or -i) is -, the file is read from standard input.

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default age will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.

$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:

Passphrase-protected key files

If an identity file passed to -i is a passphrase encrypted age file, it will be automatically decrypted.

$ age-keygen | age -p > key.age
Public key: age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
$ age -r age1yhm4gctwfmrpz87tdslm550wrx6m79y9f2hdzt0lndjnehwj0ukqrjpyx5 secrets.txt > secrets.txt.age
$ age -d -i key.age secrets.txt.age > secrets.txt
Enter passphrase for identity file "key.age":

Passphrase-protected identity files are not necessary for most use cases, where access to the encrypted identity file implies access to the whole system. However, they can be useful if the identity file is stored remotely.

SSH keys

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.

Encrypting to a GitHub user

Combining SSH key support and -R, you can easily encrypt a file to the SSH keys listed on a GitHub profile.

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can't be used to decrypt files.