AGE - Encrypt Files with SSH Keys


Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)


Install Package

OpenBSD (and most other *nix systems) have a package for age. Just install it.

doas pkg_add age

Asymmetric Encryption

Asymmetric encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’.

Encrypt with SSH Pub Key

Let’s encrypt our Hosts File and save it to /tmp/ …

age -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx" -o /tmp/hosts.enc hosts

Encrypt with all PubKeys from authorized_keys

You can also encrypt for multiple persons, for example all the users listed in your authorized_keys file …

age -R ~/.ssh/authorized_keys /etc/hosts > /tmp/hosts.age

Decrypt with Private Key

Transfer the encrypted file to the destination … and with the correct private key, it can be easily decrypted :)

$ age -d -i ~/.ssh/id_ed25519 /tmp/hosts.age
Enter passphrase for ".ssh/id_ed25519": localhost
::1   localhost
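Putting the three steps above together, as an added example that is not part of the original post: a small POSIX shell script that generates two throwaway ed25519 keys, encrypts for the one listed in an authorized_keys file, decrypts with its private key, and confirms that the other key is refused. It assumes age and ssh-keygen are on PATH and works only in temporary directories.

```shell
#!/bin/sh
# Added example (not from the original post): round-trip a file through age
# using SSH keys. Assumes `age` and `ssh-keygen` are installed.
set -u

# Encrypt $1 for every key in $2 (authorized_keys format), decrypt with the
# private key $3 and compare. Then check that the private key $4, whose public
# half is NOT in the recipients file, cannot decrypt the file.
# Returns 0 only if both checks pass.
age_roundtrip() {
    plain=$1 recipients=$2 privkey=$3 outsider=$4
    work=$(mktemp -d)
    age -R "$recipients" -o "$work/enc.age" "$plain"   || { rm -rf "$work"; return 1; }
    age -d -i "$privkey" -o "$work/dec" "$work/enc.age" || { rm -rf "$work"; return 1; }
    cmp -s "$plain" "$work/dec"                        || { rm -rf "$work"; return 1; }
    # age must refuse an identity that matches none of the recipients.
    if age -d -i "$outsider" -o "$work/dec2" "$work/enc.age" 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

demo() {
    dir=$(mktemp -d)
    # Two unencrypted ed25519 keys: "alice" goes into authorized_keys, "mallory" does not.
    ssh-keygen -q -t ed25519 -N '' -C alice   -f "$dir/alice"
    ssh-keygen -q -t ed25519 -N '' -C mallory -f "$dir/mallory"
    cat "$dir/alice.pub" > "$dir/authorized_keys"
    # Constructed sample input standing in for /etc/hosts.
    printf '127.0.0.1 localhost\n::1 localhost\n' > "$dir/hosts"
    age_roundtrip "$dir/hosts" "$dir/authorized_keys" "$dir/alice" "$dir/mallory"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if command -v age >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    demo && echo "round trip OK, non-recipient key rejected"
else
    echo "age or ssh-keygen not installed; skipping demo" >&2
fi
```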

Symmetric Key Encryption

You can also use symmetric encryption, where the key to encrypt and decrypt is the same. Exchange the key over a “secure medium” and you’re done. Hint: email, SMS, WhatsApp and similar services are not considered a secure channel ;)


Encrypt the File with any Password you want

$ age -p /etc/hosts > /tmp/hosts.age
Enter passphrase (leave empty to autogenerate a secure one): [test]
Confirm passphrase: [test]


Transfer the file and the password to someone else and they can decrypt it!

$ age -d /tmp/hosts.age
Enter passphrase: [test] localhost
::1   localhost

Encrypt with auto-password

Without a given password, age generates a secure one for you :)

$ age -p /etc/hosts > /tmp/hosts.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "beauty-clean-extend-image-same-primary-stem-trust-able-first".
