Age: Simple, Composable File Encryption

File encryption shouldn't be a headache. If you've ever wrestled with GPG's sprawling options, complex key management, or cryptic error messages, you know the feeling. Most of the time, you just want to encrypt a file for a specific person or for yourself, without the ceremony.

That's where age comes in. It's a modern, simple tool for file encryption that does one thing well and plays nicely with the UNIX philosophy.

What It Does

age (pronounced like the Japanese 揚げ, or "ah-geh") is a command-line tool for encrypting and decrypting files. It uses small, easy-to-share keys—like SSH keys—instead of the complex certificates and trust webs of older systems. You can encrypt a file to one or more public keys, or even generate a simple passphrase-protected file.

At its core, it's just age -r publickey -o secret.txt.enc secret.txt to encrypt and age -d -i privatekey -o secret.txt secret.txt.enc to decrypt. No keyrings, no trust databases, no configuration.

Why It's Cool

The beauty of age is in its constraints and its composability.

First, the keys are simple. A recipient's public key is a single line of text, like an SSH public key. You can paste it into a chat, an email, or a repository README. There are no certificates to manage or revoke.

Second, it's built for the UNIX pipeline. Because it reads from stdin and writes to stdout by default, it slots perfectly into shell workflows. Want to encrypt a tarball on the fly? tar cz ./data | age -r publickey > backup.tar.gz.age. Need to decrypt and process a file? age -d -i key file.enc | jq . It feels natural and predictable.

Third, it has a great threat model. It's designed by Filippo Valsorda (of crypto/rand and Go fame) with a clear focus on modern cryptography and avoiding the pitfalls of legacy tools. It uses well-audited primitives like X25519, ChaCha20-Poly1305, and scrypt.

Finally, there's age's plugin system for native integrations. Need to encrypt to a cloud KMS, a hardware key, or a custom secret manager? There's probably a plugin for that, and they work without modifying the core tool.

How to Try It

The easiest way is to grab a binary from the latest GitHub release. It's a single static binary with no dependencies.

On macOS, you can use Homebrew:

brew install age

Generate a keypair:

age-keygen -o key.txt

Encrypt a file to that public key (the one printed after generation):

age -r "public-key-here" -o secret.encrypted secret.txt

Decrypt it:

age -d -i key.txt -o secret.txt secret.encrypted

You can also do quick passphrase encryption without any keys:

age -p -o secret.encrypted secret.txt

Final Thoughts

age has become my go-to for ad-hoc encryption. It's the tool I reach for when I need to send a config file to a teammate, back up something sensitive to cloud storage, or even just keep a local password file encrypted at rest. It removes the friction that often leads to skipping encryption altogether.

It won't replace GPG for everything—especially not for signing or public-key distribution at scale—but for the 90% of file encryption tasks most developers actually have, it's a perfect fit. Give it a shot next time you need to encrypt something. You might just forget you're even using an encryption tool.

@githubprojects