age(1)
Encrypt and decrypt files or streams using the age encryption format with simple, modern cryptography.
Synopsis
age [--encrypt] [--decrypt] [--armor] [-o OUTPUT] [-i IDENTITY]... [FILE]...Description
age is a simple, modern file encryption tool using X25519 and ChaCha20-Poly1305. It encrypts data to age public keys (recipients) and decrypts with private keys (identities). Unlike PGP, age has no key management complexity—just passphrases or key files.
By default, age encrypts; use --decrypt to decrypt. Without input files, it reads from stdin. Output goes to stdout unless -o specifies a file. Encrypted files use the .age extension by convention.
Common options
| Flag | What it does |
|---|---|
-e, --encrypt | Encrypt (default mode); encrypts to specified recipients |
-d, --decrypt | Decrypt; requires identity files or a passphrase prompt |
-p, --passphrase | Encrypt with a passphrase instead of recipient keys; prompts for input |
-r, --recipient RECIPIENT | Encrypt to a public key recipient (can be used multiple times) |
-i, --identity FILE | Use an identity file for decryption (can be used multiple times) |
-o, --output FILE | Write encrypted or decrypted output to FILE instead of stdout |
-a, --armor | Output ASCII-armored format (base64-encoded) instead of binary |
--generate-key | Generate and print a new age key pair (public and private key) |
Examples
Generate a new key pair and save it to key.txt for later use
age --generate-key > key.txtEncrypt document.txt to a recipient's public key, output to document.txt.age
age -r age1ql3z7hjrsx2tnvt0h8dv8malvheymzzr78nwujazxn6jpj32p0wqypp5wf document.txt -o document.txt.ageEncrypt with a passphrase prompt; stores encrypted output in secret.txt.age
age -p sensitive.txt -o secret.txt.ageDecrypt secret.txt.age using identity from key.txt, write decrypted content to secret.txt
age -d -i key.txt secret.txt.age -o secret.txtEncrypt stdin with a passphrase and output in armored ASCII format, save and display
cat file.txt | age -p -a | tee file.txt.age.ascDecrypt and extract a tar archive in one pipeline using an identity file
age -d -i ~/.age/key.txt < backup.tar.age | tar xf -Encrypt a file to multiple recipients; each can decrypt independently
age -r recipient1_key -r recipient2_key file.txt -o file.txt.age