Stepan's technical notes

Notes about my journey to the Cloud

01 Jan 2020

Age: lightweight file encryption tool

Welcome to 2020, I’m glad that you’ve made it. Today I’m not gonna talk about Public Clouds or Kubernetes. This is my last day off, so I’d like to talk about an easier topic. And the topic is: encryption.

I don’t talk about this very often, but I’m a really big fan of cryptography in general. These days, it’s the only way to gain some level of freedom in electronic communication. Hence I encrypt everything I can. Unfortunately, that’s limited to my personal stuff, as encryption and decryption can be hard. Moreover, the majority of people really don’t feel any need for it.

Anyway, this post is not about my conspiracy theories against big internet companies. Let’s switch to the topic. Currently I’m using GPG, as it is the standard with the widest adoption. I use it with my personal password manager Gopass, and I use it to encrypt my confidential stuff. It’s a bit silly, as I’m using just a fraction of GPG’s functions, so I was constantly looking for a lighter alternative for my personal use.

Age comes to the scene

Well, it seems that my prayers have been heard. On 12/28/2019, Filippo Valsorda from the Google Go team released the first version of the lightweight file encryption tool Age.

Let’s name a few features of this brand new tool:

  • easy UNIX piping
  • zero configuration
  • no keyrings (this is something I really love!)
  • extremely short public keys, e.g. age1nf28wkx6uardjl6s5t42498pht4zr9krmrjc7n2mmellf6uqp3eq7ngshe
  • extremely easy to use
  • YubiKey support on the roadmap

Let’s check some sample scenario!

Generate a new pair of keys

When you install Age, you get two binaries: age and age-keygen. The second one is responsible for generating encryption keys. As we’ll be doing asymmetric encryption, keygen generates two keys: a private one and a public one.

When you check the help for age-keygen, you see there’s really nowhere to go.

$ age-keygen -h                
Usage of age-keygen:
  -o FILE
    	output to FILE (default stdout)

Well, it seems that we just need to type age-keygen and hit enter, right? Here we go.

$ age-keygen   
# created: 2020-01-01T10:56:49+01:00
# public key: age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez
AGE-SECRET-KEY-1SU36J4HWFQC3UTUG6UWSLM04J5XRM8YLXVALTRPQU840L9AVSZ0QWJ68W8

And that’s it, we can start experimenting!
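As an added example (my own code, not the post’s or the age project’s), here is what the two strings printed above are made of: both are bech32, the recipient under the HRP age and the identity under AGE-SECRET-KEY-, each wrapping a 32-byte X25519 key followed by a 6-character checksum. The decoder below validates a key and rejects a typo’d recipient, which is a useful check before a script hands one to age --recipient.

```python
# Added example (not from the post or the age project): decode what age-keygen
# prints. Recipients use bech32 HRP "age", identities "AGE-SECRET-KEY-".
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)

def _polymod(values):
    # BIP-173 checksum polynomial over a list of 5-bit values
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk

def _to_bytes(groups):
    # regroup 5-bit values into bytes; non-zero padding bits are an error
    acc, bits, out = 0, 0, bytearray()
    for g in groups:
        acc, bits = (acc << 5) | g, bits + 5
        if bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if bits >= 5 or (acc << (8 - bits)) & 0xFF:
        raise ValueError("bad padding")
    return bytes(out)

def decode_age_key(s):
    """Return (hrp, 32-byte X25519 key) or raise ValueError on a bad key."""
    if s != s.lower() and s != s.upper():
        raise ValueError("mixed-case string")
    s = s.lower()                      # checksum is defined over lowercase
    hrp, _, body = s.rpartition("1")   # last '1' separates HRP from data
    if not hrp or len(body) < 7 or any(c not in CHARSET for c in body):
        raise ValueError("malformed bech32 string")
    data = [CHARSET.index(c) for c in body]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    if _polymod(hrp_exp + data) != 1:
        raise ValueError("checksum mismatch: typo in the key?")
    key = _to_bytes(data[:-6])         # drop the 6 checksum groups
    if len(key) != 32:
        raise ValueError("expected 32-byte key, got %d" % len(key))
    return hrp, key

def is_valid_age_key(s, hrp="age"):
    try:
        return decode_age_key(s)[0] == hrp
    except ValueError:
        return False
```

Call is_valid_age_key(s) for a recipient, or is_valid_age_key(s, hrp="age-secret-key-") for the identity line, and decode_age_key(s) when you want the raw key bytes.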

Create encrypted file from piped text

Let’s say that we want to encrypt a simple message for the given public key. This is how we can do it:

$ echo "hello" | age --recipient age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez -a      
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMnFiNDVsNjBkbS9XV3hn
QUpVblpkSzJCcnozMm1ITDBFV0dQaUttb1VjClJjQ290aVpUVGxqS3hObE5xTk1h
MEZpbCtwKzdBQnMyeUJENWhSckRmcWMKLS0tIGV6SkVTYllaSWNMOXFnWmlybVd4
NEUvTkV0dllLZWIwQ2VaM0d1K3MyaDAKFDvQboDut7zO3VD6VPTDRj3anLmDVbhi
Ac/Qc3o3yThfxqQV2UU=
-----END AGE ENCRYPTED FILE-----

Please note the -a flag: by default Age produces binary output, which is something we really don’t want to print to the console. Hence I’m using the --armor flag, which writes the encrypted data in a PEM-encoded format.

$ echo "hello" | age --recipient age10qqc8rudgmzc2a6fxdprnpj8frurehmghzua5497yx7els5l3y4q3tadez -a > /tmp/message.age.pem

Decrypt PEM-encoded message

And now let’s do the reverse. For this operation we need to create an identity file. It’s really easy: just create an arbitrary file containing the output from age-keygen. In my example, I’ll be using ~/.age/main.txt.

Once we have the identity file, we can decrypt the message:

$ cat /tmp/message.age.pem | age -d -i ~/.age/main.txt 
hello

Wrap

I really hope that you did not expect a longer article. This tool is so simple that a longer article would be a huge disrespect to this awesome tool.

Do anything, pipe it to Age. That’s it.

As you can see, it perfectly matches what I wrote at the very beginning. Now we just need to wait for the production release, YubiKey support, and integration into some tools. Personally, I’d love to use it in a password manager. Who knows … maybe I’m going to write a simple password manager.
