Age: A simple, modern and secure file encryption tool

This is great, it fills a gap that I&#x27;ve long defended as PGP&#x27;s remaining legitimate use case. Of course, now we just need to work on the adoption problem. Despite the fact that PGP adoption is a well-known joke in itself, all the tools designed to replace it (with the exception of the IM space) have somehow managed to achieve even lower use rates.<p>It&#x27;s been almost five years since Magic Wormhole first released, and about half a year since that popular Latacora post recommended it for transferring files, and said &quot;Someone stick a Windows installer on a Go or Rust implementation of Magic Wormhole right away&quot;. Guess what you&#x27;re still not going to find a reliable Windows build (let alone a GUI) for? Yep that&#x27;s right. Despite the fact that most of these projects come from a felt need for better alternatives to PGP for the average user, very few of them have actually come up with a product that&#x27;s more accessible to the average person.

NSA recommended people stop using ECC &lt;384 bits (<a href="https:&#x2F;&#x2F;apps.nsa.gov&#x2F;iaarchive&#x2F;programs&#x2F;iad-initiatives&#x2F;cnsa-suite.cfm" rel="nofollow">https:&#x2F;&#x2F;apps.nsa.gov&#x2F;iaarchive&#x2F;programs&#x2F;iad-initiatives&#x2F;cnsa...</a>).<p>There are applications where the extra time and space of something like ed448 present uncomfortable trade-offs.<p>File encryption is not generally one of those applications.<p>So I find this a little disappointing.<p>But I suppose that NIST PQ will finalize in the not far future and this will get replaced by something that hybridizes with a PQ scheme. (I say replace because the expectation that a pubkey is something you can easily copy and paste doesn&#x27;t really work with the PQ schemes you&#x27;d likely use with file encryption.)<p>What happens if auth fails part way through the file? Do you get a truncated decryption on stdout? -- or is this buffering the whole input in memory?

Some questions about the spec:<p>1. How does age disambiguate between filenames and other key formats for the -r argument? (Those formats are also valid filenames)<p>2. Does the header use normal Base64 (i.e. +&#x2F;) or url-safe Base64 (i.e. -_). The specification sounds like normal Base64, but some lines of the example contain -_ others contain +.<p>3. What characters are allowed in the header? ASCII only? (the current key-formats are ASCII only, but an implementation is supposed to skip unknown formats)<p>4. Are any characters forbidden in recipient types, arguments and additional lines?<p>5. Which strings at the beginning of a header line have special meaning and thus are illegal for additional lines? Only `-&gt; ` and `--- `? I assume the space is mandatory in those strings despite the spec not mentioning that for `-&gt;`?<p>6. CRLF normalization of the header is only mentioned in the section about ascii-armored files. I assume it also applies to non ASCII armored files?<p>7. Is keeping the public key secret to achieve symmetric authenticated encryption an officially supported&#x2F;recommended use-case?<p>(If the public key is public, the MACs block decryption oracles. However they don&#x27;t provide any authentication, because the message isn&#x27;t bound to any sender and thus an attacker can just encrypt their own message to your public key. If the receiver&#x27;s public key is secret, this isn&#x27;t possible and thus the current implementation provides symmetric sender authentication)<p>8. How does the command line tool signal failure&#x2F;truncation&#x2F;corruption?

Is there a detailed description of the security goals and crypto rationale anywhere?<p>For example, it seems that if you use scrypt then you get fully authenticated encryption: the message must have come from somebody who knows the password (either a trusted user or you chose a weak password). But if you use X25519 then the scheme used is ECIES, so no sender authentication, only IND-CCA security.<p>The format document says that if you want “signing“ then use minisign&#x2F;signify, but I suspect most people want <i>origin authentication</i>. We know that it is actually quite hard to obtain public key authenticated encryption [1] from generic composition of signatures and encryption, with many subtle details. It would be better if age supported this directly for X25519 as it does for scrypt. Unfortunately, you can’t simply use a static key pair to achieve this (as in nacl’s box) as age uses a zero nonce to encrypt the file key with chacha20-poly1305 so reusing a static key will result in nonce reuse. (This seems a bit fragile).<p>[1]: <a href="https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2001&#x2F;079" rel="nofollow">https:&#x2F;&#x2F;eprint.iacr.org&#x2F;2001&#x2F;079</a>

&quot;it looks like we&#x27;ll be ok&quot; remains their status on the problem of whether it&#x27;s fine to just take SSH keys and use them for something quite different.<p>That&#x27;s just not good enough. It was fine in early drafts because there was hope they&#x27;d remember that &quot;Solve all of the world&#x27;s problems&quot; was not their goal, and so SSH keys might be irrelevant in later revisions anyway. It&#x27;s not fine in something intended to actually ship.<p>Either get somebody to put lots of work in to verify that yes, it&#x27;s definitely safe to do this as SSH stands today, and contact SecSH WG or Sec Dispatch or whoever to make sure they know you&#x27;re doing this now - or, as seems much more likely, rip out all the SSH key code and highlight that line about how you don&#x27;t want to do key distribution in age because it&#x27;s hard.<p>PGP is full of things its creators thought might be safe that you now have to tell people not to do because it turns out they&#x27;re unsafe. This tool should not recapitulate their mistake.

Rust implementation: <a href="https:&#x2F;&#x2F;github.com&#x2F;str4d&#x2F;rage" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;str4d&#x2F;rage</a>

This looks really good, I&#x27;ve used ccrypt (#1) for years as a simple Unix-y encryption tool to avoid the complexity of GPG (though this is symmetric encryption only so you need to have a secure way to exchange keys).<p>I just added a pull-request to allow the recipients flag to also be specified as a <a href="https:&#x2F;&#x2F;" rel="nofollow">https:&#x2F;&#x2F;</a> or file:&#x2F;&#x2F; URL - this is mostly useful to use the GitHub &lt;user&gt;.keys endpoint to grab user keys eg.<p><pre><code> .&#x2F;age -a -r https:&#x2F;&#x2F;github.com&#x2F;&lt;user&gt;.keys &lt; secret </code></pre> will encrypt using &lt;user&gt;&#x27;s GitHub SSH public keys.<p>#1 <a href="http:&#x2F;&#x2F;ccrypt.sourceforge.net" rel="nofollow">http:&#x2F;&#x2F;ccrypt.sourceforge.net</a><p>#2 <a href="https:&#x2F;&#x2F;github.com&#x2F;FiloSottile&#x2F;age&#x2F;pull&#x2F;43" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;FiloSottile&#x2F;age&#x2F;pull&#x2F;43</a>

Not that it matters, but age hasn&#x27;t hit 1.0 yet. (Close, though!)<p>With that in mind, it&#x27;s still really exciting. I can&#x27;t wait until I never have to use GPG ever, ever again.

What problem is this solving that isn&#x27;t already done by other tools?

Age looks somewhat promising, but I am still looking for a reasonable alternative to TrueCrypt. Encryption should be as easy as possible. The process of gathering your files (plural!), put them into a folder, zip or tar that folder and then encrypt it, to delete the remaining files afterwards, is anything but not easy. Adding new files is even more horrible. TrueCrypt was so easy, just select the encrypted file, enter your password and voila, you got a volume mounted where you can easily add or remove many files. I know that Veracrypt exists, but it does not feel like a solution for the next decade(s).<p>Its super weird. There is this use case to de&#x2F;encrypt a single file, but mass storage of files in a secure way and without a proprietary protocol seems impossible.

This is neat. A quick browse through the code, looks like it uses DJB&#x27;s chacha and polyxxx underneath.<p>I&#x27;ve been waiting for a worthy replacement for &quot;crypt&quot; for a very long time, and gpg, while it can be coaxed into doing that with much effort has simply become a bloated abomination at this point.<p>Hope this gets vetted by the crypto community and gains popularity.

So the modern alternative would be this for file encryption, and signify for signing. What&#x27;s the consensus on an alternative for GPG authenticating?<p>And what are the expert opinions on themis: <a href="https:&#x2F;&#x2F;github.com&#x2F;cossacklabs&#x2F;themis" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;cossacklabs&#x2F;themis</a> ?

We need a protocol&#x2F;scheme that other things can adopt much more than a tool. There will always be a reason why someone can&#x27;t use a tool,but with an encoding&#x2F;scheme&#x2F;protocol you can push for different things to use it.<p>To give an example, I was in a work situation more than once where an external party wanted to transfer files to or from our company and I was suppose to help find a standard tool&#x2F;method. The only (and I mean only) way right now is pgp due to it&#x27;s ubiquity with s&#x2F;mime on email being second. We do need great tools like this but we need them to where if I can&#x27;t use it due to license,policy,etc... Issues i can use a separate compatible tool.<p>So, My only suggestion to the author is to please make a fixed and versioned standard out of the scheme.

I once made something similar after reading a blog post here on HN [1] just to see how easy it is to make something like this. Mine [2] uses passphrases to generate keys with the Argon2 algorithm and then uses NaCl&#x27;s secretbox for encryption. I also made a version for use on streams. It&#x27;s not up to snuff for industrial use, but it&#x27;s really easy to use if you just want to encrypt some files with a password and also very simple if you want to modify it for your own purposes.<p>[1] <a href="https:&#x2F;&#x2F;blog.gtank.cc&#x2F;modern-alternatives-to-pgp&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.gtank.cc&#x2F;modern-alternatives-to-pgp&#x2F;</a><p>[2] <a href="https:&#x2F;&#x2F;stutonk.github.io&#x2F;crypt.html" rel="nofollow">https:&#x2F;&#x2F;stutonk.github.io&#x2F;crypt.html</a>

A tool&#x2F;protocol is as secure as the people using it.<p>I found that when working with non-techies that 7Zip is an acceptable encryption tool. It used proper encryption, it&#x27;s open source, available on all platforms, available with GUI and CLI.

&gt; Out of scope:<p>&gt; The web of trust, or key distribution really<p>Is there anything in the tptacek suite of replacement tools for this? Like Keybase but fully open source and&#x2F;or decentralized?

For encrypting text files, I just use vim&#x27;s `:X` command and enter a pass phrase. Simple, easy, portable, works everywhere. I have configured my .vimrc to `set cryptmethod=blowfish2` and disable backup&#x2F;swap files for encrypted files. Are there any issues with this? Is there any other option that will work on virtually all UNIX devices without installing anything additional?

I normally use scrypt (with passphrase) for file encryption for personal backups.. age isn&#x27;t competing with this use case i take it?

I&#x27;m not a big fan of tools that take encrypted data, and decrypt it by creating a decrypted file on disk. They give you a false sense of security. Files, even if they get deleted, remain on hard disks. On SSDs they are even harder to remove, as there is a complicated layer of indirection. Even if you shred the file before deletion, it&#x27;s possible that it will keep being stored by the SSD, maybe even permanently if a block containing the decrypted content is being decomissioned.<p>The classical gpg based tools have this very same problem. The classical response is to suggest ramdisk usage, ideally for the entire OS (like a live system basically) to avoid getting artifacts onto the disk like clipboard history, cached thumbnails, or log files. pass for example uses such ramdisks. I disagree that this is a good solution though. Of course it is more thorough, but it requires additional intervention&#x2F;setup, and not everyone has the needed expertise. Instead, I think the encryption tool itself should take care to only store the decrypted content in non-paged RAM, and give users read&#x2F;write access through a GUI or a TUI. It should be a ready downloadable solution, similar to the TOR browser bundle. The TOR browser is also trying to not put anything onto the hard disk.

So.. this is using chunked AEAD, without source authentication&#x2F;signing?<p>What&#x27;s the actual use case, and why is it any better than plain stream encryption? If you wish to stream authenticated decrypted contents, it would mean 2 layers of chunking.

Is age designed to encrypt large binary files, which seem to increase the file size by 2KB.

Which crypto primitives does this tool use? x25519+chacha?

Finally! :)

How can we know there&#x27;s no backdoor in it?

meh.<p><a href="https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;16056135&#x2F;how-to-use-openssl-to-encrypt-decrypt-files&#x2F;16056298#16056298" rel="nofollow">https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;16056135&#x2F;how-to-use-open...</a><p>With that I&#x27;m guaranteed AES, a known-good encryption algorithm. I have no idea what these guys are doing without reading through their documentation. Hopefully they didn&#x27;t roll their own.