Age : the modern alternative to GPG

What is Encryption ?

Privacy is necessity for everyone . Everyone must be able to keep their private data private from spying hands . This is where Encryption comes into limelight . You can encrypt data so that no one except you can see the data. There are many tools which can be used to encrypt data. Prominent among them is GPG.

GPG

GNU Privacy Guard (GnuPG or GPG) is a free-software OpenPGP implementation . It is part of the GNU Project and received major funding from the German government in 1999.

GPG is used in Email End to End Encryption to protect the content from being read by entities other than the intended recipients. Even though it is very secure , it has it’s own drawbacks.

Prominent Drawbacks of GPG include:

  • The long length of PGP public keys
  • Difficulty for the users to comprehend and poor usability
  • Lack of ubiquity
  • Lack of forward secrecy

This is where age comes into play. Age solves most of limitations of GPG while also being as good as GPG in security, safety and encryption.

Age

Age is acronym for “Actually Good Encryption”. It is is a simple, modern and secure file encryption tool, format, and library. You can use Age as alternative to GPG . Repository for Age is located here. It solves most of Drawbacks of GPG . Age is a good replacement to GPG using modern algorithms.

Features of Age

  • small explicit keys
  • no config options
  • UNIX-style composability
  • Has multiple Implementations which makes Age more secure
  • Has Go Implementation which makes it secure
  • Has Rust Implementation which makes it very secure. Rust is very performant and Safe language

Small Keys

Length of Keys of Age is very small. This is ideal for writing down keys physically. Also, GPG is known for keys of unnecessarily large lengths which makes it harder to store physically.

No Config Options

Age is simple yet secure library. You don’t see much complexity in Age making it very secure. Contrast to this, GPG codebase is huge and is very vulnerable. Age is not much prone to this vulnerabilities because codebase of age is not complex mess like GPG.

Important Goal of Age is to “Have one joint and keep it well oiled”, no configuration or (much) algorithm agility.

Has Multiple Implementations

While GPG’s implementation is only one and is written in C which is not much secure as modern safe languages like Rust, Age has multiple Implementations. One Implementation is written in Golang by Golang’s Security Lead himself while the other Implementation is written in Rust, the language renowned for it’s safety.

Installation of Age

On macOS or Linux, you can use Homebrew:

brew tap filippo.io/age https://filippo.io/age
brew install age

On Windows, Linux, and macOS, you can use the pre-built binaries.

If your system has Go 1.13+, you can build from source:

git clone https://filippo.io/age && cd age
go build -o . filippo.io/age/cmd/...

On Arch Linux, age is available from AUR as age or age-git:

git clone https://aur.archlinux.org/age.git
cd age
makepkg -si

On OpenBSD -current and 6.7+, you can use the port:

pkg_add age

On all supported versions of FreeBSD, you can build the security/age port or use pkg:

pkg install age

Usage of Age

Usage:
    age (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -d, --decrypt               Decrypt the input to the output.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

Recipient files

Multiple recipients can also be listed one per line in one or more files passed with the -R/--recipients-file flag.

$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ age -R recipients.txt example.jpg > example.jpg.age

If the argument to -R (or -i) is -, the file is read from standard input.

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default age will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.

$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:

SSH keys

As a convenience feature, age also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.

Encrypting to a GitHub user

Combining SSH key support and -R, you can easily encrypt a file to the SSH keys listed on a GitHub profile.

$ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age

Keep in mind that people might not protect SSH keys long-term, since they are revokable when used only for authentication, and that SSH keys held on YubiKeys can’t be used to decrypt files.

Verdict

Age is better than GPG dismissing all cons of GPG while also retaining all positives of GPG . If you are not giving importance to data privacy and encryption now is the perfect time. Privacy matters even if you have nothing to hide today, because once you send something to the Internet or once your data is in wrong hands, there is no going back. If you are new to Privacy and need to encrypt data including your emails, then choose Age instead of GPG owing to huge mileage it brings. If you are privacy geek and still using GPG, try Age once as Age is much better than GPG and I bet a good portion of you would surely migrate to Age after trying even if for limited use.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.