Age: lightweight file encryption tool
Welcome to 2020, I’m glad that you’ve made it. Today I’m not gonna talk about Public Clouds or Kubernetes. This is my last day off so I’d like to talk about some easier topics. And the topic is: encryption.
I don’t talk about this very often, but I’m a really big fan of cryptography in general. These days, it’s the only way to gain some level of freedom in electronic communication. Hence I’m encrypting everything I can. Unfortunately, it’s limited only to my personal stuff as encryption or decryption can be hard. Moreover, the majority of people really do not feel any need for this.
Anyways, this post is not about my conspiracy theories against big internet companies. Let’s switch to the topic. Right now I’m using GPG as this is the current standard with the widest adoption. I’m using it with my personal password manager Gopass, and I’m using it to encrypt my confidential stuff. It’s a bit silly as I’m using just a fraction of GPG’s functions, so I was constantly looking for some lighter alternative for my personal use.
Age comes to the scene
Well, it seems that my prayers have been heard. On 12/28/2019 Filippo Valsorda from the Google Go team released the first version of the lightweight file encryption tool Age.
Let’s name a few features of this brand new tool:
- easy UNIX piping
- zero configuration
- no keyrings (this is something I really love!)
- extremely short public keys e.g.
- extremely easy to use
- support of YubiKey in the roadmap
Let’s check a sample scenario!
Generate a new pair of keys
When you install Age, you can see two binaries: age and age-keygen. The second binary is responsible for the generation of encryption keys.
As we’ll be doing asymmetric encryption, keygen will generate two keys: private and public.
When you check the help topics for age-keygen, you see there’s really nowhere to go.

```
$ age-keygen -h
Usage of age-keygen:
  -o FILE
        output to FILE (default stdout)
```
Well, it seems that we just need to type age-keygen and hit enter, right? Here we go.

```
$ age-keygen
# created: 2020-01-01T10:56:49+01:00
# public key: age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez
AGE-SECRET-KEY-1SU36J4HWFQC3UTUG6UWSLM04J5XRM8YLXVALTRPQU840L9AVSZ0QWJ68W8
```
And that’s it, we can start experimenting!
Create encrypted file from piped text
Let’s say that we want to encrypt a simple message with the given public key. This is how we can do it:

```
$ echo "hello" | age --recipient age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez -a
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMnFiNDVsNjBkbS9XV3hn
QUpVblpkSzJCcnozMm1ITDBFV0dQaUttb1VjClJjQ290aVpUVGxqS3hObE5xTk1h
MEZpbCtwKzdBQnMyeUJENWhSckRmcWMKLS0tIGV6SkVTYllaSWNMOXFnWmlybVd4
NEUvTkV0dllLZWIwQ2VaM0d1K3MyaDAKFDvQboDut7zO3VD6VPTDRj3anLmDVbhi
Ac/Qc3o3yThfxqQV2UU=
-----END AGE ENCRYPTED FILE-----
```
Please note the flag -a. By default Age uses binary output, and that’s something we really don’t want to print to the console. Hence I’m using this flag, which creates encrypted data in PEM-encoded format.
```
$ echo "hello" | age --recipient age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez -a > /tmp/message.age.pem
```
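What the PEM-encoded output above exposes to anyone holding the file, without the private key. This is an added example, not code from the original post or from the age project. It decodes the page's armored block and reads its cleartext header, assuming the age v1 layout (version line, `->` recipient stanzas, `---` MAC line, then a 16-byte nonce and 64 KiB chunks with 16-byte tags); the function name `age_metadata` is hypothetical.

```python
import base64

# Armored output copied from the `age -a` command on this page.
ARMORED = """-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMnFiNDVsNjBkbS9XV3hn
QUpVblpkSzJCcnozMm1ITDBFV0dQaUttb1VjClJjQ290aVpUVGxqS3hObE5xTk1h
MEZpbCtwKzdBQnMyeUJENWhSckRmcWMKLS0tIGV6SkVTYllaSWNMOXFnWmlybVd4
NEUvTkV0dllLZWIwQ2VaM0d1K3MyaDAKFDvQboDut7zO3VD6VPTDRj3anLmDVbhi
Ac/Qc3o3yThfxqQV2UU=
-----END AGE ENCRYPTED FILE-----"""

# Assumed age v1 payload layout: 16-byte nonce, then 64 KiB chunks,
# each followed by a 16-byte Poly1305 tag.
NONCE_LEN, TAG_LEN, CHUNK = 16, 16, 64 * 1024


def age_metadata(armored: str) -> dict:
    """Return what an armored age file reveals without any key."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if len(lines) < 3 or (lines[0], lines[-1]) != (
            "-----BEGIN AGE ENCRYPTED FILE-----",
            "-----END AGE ENCRYPTED FILE-----"):
        raise ValueError("not an armored age file")
    raw = base64.b64decode("".join(lines[1:-1]), validate=True)

    # The header is plain ASCII and ends with the "--- <mac>" line.
    mac_at = raw.index(b"\n--- ")
    header_end = raw.index(b"\n", mac_at + 1) + 1
    header = raw[:header_end].decode("ascii").splitlines()

    # One "-> TYPE ARGS..." stanza per recipient.
    stanzas = [ln.split()[1:] for ln in header if ln.startswith("-> ")]
    body = len(raw) - header_end - NONCE_LEN
    chunks = max(1, -(-body // (CHUNK + TAG_LEN)))  # ceiling division
    return {
        "version": header[0],
        "recipients": [(s[0], s[1:]) for s in stanzas],
        "payload_bytes": len(raw) - header_end,
        "plaintext_bytes": body - chunks * TAG_LEN,
    }


if __name__ == "__main__":
    for key, value in age_metadata(ARMORED).items():
        print(f"{key}: {value}")
```

The header carries an ephemeral X25519 share rather than the recipient's public key, but the recipient type, the number of recipients and the exact plaintext length (6 bytes here, `hello` plus the newline from `echo`) are readable by anyone who obtains the file.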
Decrypt PEM-encoded message
And now let’s do the reverse action. For this operation we need to create an identity file.
It’s really easy, just create an arbitrary file with the output from age-keygen. In my example, I’ll be using ~/.age/main.txt.
Once we have the identity file, we can just decrypt the message:

```
$ cat /tmp/message.age.pem | age -d -i ~/.age/main.txt
hello
```
I really hope that you did not expect a longer article. This tool is so simple that a longer article would ultimately mean huge disrespect to this awesome tool.
Do anything, pipe it to Age. That’s it.
As you can see, it perfectly matches the things I’ve written at the very beginning. Now we just need to wait for the production release, YubiKey support, and implementation in some tools. Personally I’d love to use it in some password manager. Who knows … maybe I’m going to write some easy password manager.