TL;DR — Quick Summary

Age is a simple, modern file encryption tool designed to replace GPG. Learn age encryption, key management, SOPS integration, and automated secret workflows.

Age (Actually Good Encryption) is a modern file encryption tool that does one thing well: encrypt and decrypt files. Created by Filippo Valsorda (a Go team security lead), it deliberately avoids the complexity of GPG while providing stronger defaults. This guide covers age from basic usage through integration with SOPS for DevOps secret management.

Prerequisites

  • Linux, macOS, or Windows
  • Terminal access
  • Basic understanding of public-key cryptography concepts

Installation

# Debian/Ubuntu
sudo apt install age

# Fedora
sudo dnf install age

# macOS
brew install age

# From source (requires Go 1.21+)
go install filippo.io/age/cmd/...@latest

# Verify
age --version

Key Management

Generate Keys

# Generate a key pair (age-keygen does not create the directory, so create it first)
mkdir -p ~/.config/age
age-keygen -o ~/.config/age/key.txt

# Output:
# Public key: age1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# created: 2026-03-23T20:00:00Z
# AGE-SECRET-KEY-1XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Set secure permissions
chmod 600 ~/.config/age/key.txt

The public key (age1...) is safe to share. The secret key (AGE-SECRET-KEY-...) must be protected.

SSH Key Compatibility

Age can use existing SSH keys for encryption:

# Encrypt using someone's SSH public key
age -R ~/.ssh/id_ed25519.pub -o secret.age secret.txt

# Decrypt with the corresponding SSH private key
age -d -i ~/.ssh/id_ed25519 -o secret.txt secret.age

Basic Usage

# Encrypt to a recipient
age -r age1recipient... -o document.age document.pdf

# Encrypt to multiple recipients
age -r age1alice... -r age1bob... -o shared.age shared.txt

# Encrypt with passphrase (interactive)
age --passphrase --encrypt -o backup.age backup.tar.gz

# Decrypt with key
age -d -i key.txt -o document.pdf document.age

# Decrypt with passphrase
age -d -o backup.tar.gz backup.age

# Pipe-friendly
tar czf - /important/data | age -r age1... > backup.tar.gz.age
cat backup.tar.gz.age | age -d -i key.txt | tar xzf -

SOPS Integration for DevOps

SOPS encrypts specific values in configuration files while keeping keys readable:

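# Install SOPS (release asset names include the version tag)
SOPS_VERSION=vX.Y.Z  # placeholder: set to the release tag you want
curl -fLO "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64"
sudo install "sops-${SOPS_VERSION}.linux.amd64" /usr/local/bin/sops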

Create .sops.yaml in your project root:

creation_rules:
  - path_regex: \.enc\.yaml$
    age: age1xxxxxx  # Your public key
  - path_regex: \.enc\.json$
    age: age1xxxxxx

Usage:

# Set the key location
export SOPS_AGE_KEY_FILE=~/.config/age/key.txt

# Create/edit an encrypted file
sops secrets.enc.yaml

# View decrypted content
sops -d secrets.enc.yaml

# Encrypt an existing plaintext file in place (its name must match a path_regex in .sops.yaml)
sops -e -i config.enc.yaml

The result looks like:

database:
    host: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
    port: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
    password: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
sops:
    age:
        - recipient: age1xxxxxx
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----

Keys are visible, values are encrypted — perfect for Git.
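A check to run before committing (for example from a pre-commit hook), as an added example that is not part of the original article: it reports any value in a SOPS-managed YAML file that is not wrapped in ENC[...], which is what a file edited by hand or never encrypted looks like. The function names find_plaintext and write_samples and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Line-based: assumes the simple
# block-style YAML shown above and no intentionally unencrypted keys.
# find_plaintext FILE prints one line per value not wrapped in ENC[...] (key name
# only, never the value) and returns 1 if anything was reported.
find_plaintext() {
    awk -v f="$1" '
        /^sops:[ \t]*$/            { meta = 1; seen = 1; next }  # SOPS metadata block starts
        meta && /^[^ \t#]/         { meta = 0 }                  # next top-level key ends it
        meta || /^[ \t]*(#|$)/ || /^---/ { next }                # metadata, comments, blanks
        {
            v = $0
            sub(/^[ \t]*(-[ \t]+)?/, "", v)                      # drop indent and list dash
            if (v ~ /^[^:]+:[ \t]*$/) next                       # parent key, no scalar value
            k = "(list item)"
            if (v ~ /^[^:]+:[ \t]/) { k = v; sub(/:[ \t].*$/, "", k); sub(/^[^:]+:[ \t]+/, "", v) }
            if (v !~ /^ENC\[AES256_GCM,data:.+\]$/) { printf "%s:%d: plaintext value for key %s\n", f, FNR, k; bad = 1 }
        }
        END { if (!seen) { printf "%s: no sops metadata block\n", f; bad = 1 }
              exit bad + 0 }
    ' "$1"
}

# write_samples DIR: constructed sample files (placeholder ciphertext, not real SOPS output).
write_samples() {
    cat > "$1/good.enc.yaml" <<'EOF'
database:
    host: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
    password: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
sops:
    age:
        - recipient: age1xxxxxx
EOF
    cat > "$1/bad.enc.yaml" <<'EOF'
database:
    host: ENC[AES256_GCM,data:xxxxx,tag:xxxxx,type:str]
    password: hunter2-constructed
sops:
    age:
        - recipient: age1xxxxxx
EOF
}

# Stand-alone run: check both constructed samples and show the findings.
demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for y in "$demo_dir"/*.enc.yaml; do find_plaintext "$y" || echo "BLOCK COMMIT: $y"; done
rm -rf "$demo_dir"
```

In a hook, run find_plaintext over every staged file that matches a path_regex in .sops.yaml and abort the commit on a non-zero status.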

Comparison

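| Feature | age | GPG | OpenSSL | Vault |
|---|---|---|---|---|
| Simplicity | Excellent | Poor | Medium | Medium |
| Key size | 62 chars | 1000+ chars | Varies | N/A |
| Algorithm choice | No (good defaults) | Too many | Too many | Configurable |
| SSH key compat | Yes | No | No | No |
| SOPS integration | Yes | Yes | No | Yes |
| Key servers | None | Complex | None | Built-in |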

Real-World Scenario

Your team stores deployment secrets in Git (database credentials, API keys, TLS certificates). With SOPS + age, each developer has an age key pair. The .sops.yaml lists all team members’ public keys. Anyone can encrypt secrets, and any team member can decrypt them. Adding a team member means adding their public key and re-encrypting. No key servers, no web of trust, no GPG complexity.

Gotchas

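  • No key revocation: Age has no revocation mechanism. If a key is compromised, re-encrypt all files with a new key and remove the old recipient. Copies encrypted before that, including earlier Git commits, can still be decrypted with the compromised key, so rotate the secrets themselves as well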
  • No signing: Age is encryption-only. Use SSH signatures or signify for file signing
  • Binary output: Age outputs binary by default. Use --armor for ASCII-safe output suitable for email or paste
  • SOPS version: Ensure SOPS 3.8+ for native age support without plugins

Summary

  • Age provides modern file encryption with X25519 + ChaCha20-Poly1305 in a simple interface
  • Keys are short (62 characters) and fit in a URL, unlike GPG’s unwieldy key format
  • SSH key compatibility means you can encrypt to existing SSH public keys
  • SOPS integration allows encrypted secrets in Git with readable keys and encrypted values
  • No key servers, no trust model, no algorithm choices — secure defaults only
  • Use age --passphrase for quick symmetric encryption, -r recipient for public-key encryption