Keep It Simple

Encrypting files ensures the IT security protection goal of confidentiality. Depending on which method you use, integrity and accountability can be ensured, as well. Asymmetric encryption is easier with Age than with GnuPG. In this article, I look at how to use Age and how you can use it in practice.

The Role of Encryption

IT security protection goals define requirements for data or the contents of files during storage or transmission. File encryption is useful and important in many enterprise scenarios. Encryption makes sense, and not just when you need to send data over insecure channels such as the Internet, but also for data that is no longer needed in everyday life or that is already backed up and no longer needs to be kept available in the clear. Cryptographic techniques can be used to store such data confidentially and verify its integrity on recovery.

Encrypted backups or routinely encrypted older files in an archive primarily provide protection against a potential attacker copying large volumes of information and subsequently publishing or selling this information to other market players. Of course, this does not protect you against ransomware infestation. Also, the assigned private key or password used for decryption should not simply be stored on the hard drive of your computer or server.

Not Always GnuPG

Many distributors use GnuPG to sign their packages and distribute the public key accordingly. Therefore, most distributions are capable of encrypting or signing files out of the box. At the command line, you can easily sign a file with a private key stored in the keychain:

gpg --detach-sign -o sig.gpg secret.txt

After doing so, the file sig.gpg with the signature can be forwarded to the recipient. With your public key, it is easy to check whether the file has been modified since it was signed. This process ensures integrity. Encrypting a file with GnuPG works in the same way, but now you need the recipient's public key or, in the case of multiple recipients, all of the corresponding public keys. You would need to run the following command to encrypt a file named secret.txt:

gpg --encrypt --armor -r recipient@admin-magazine.comsecret.txt

Because GnuPG offers many other possibilities besides plain vanilla encryption, it is not always the best choice for straightforward use. Although the software has sensibly chosen default values, they are not always transparent, and the many options certainly give users scope for errors. If you want to exchange files easily and securely on the basis of asymmetric keys, nobody is forcing you to use GnuPG.

Easy and Quick with Age

Age is the acronym for "Actually good encryption," and that is what the developer promises. Age is a small tool implemented in Go [1] that supports all the classic operating systems. The first stable version 1.0 was released just over a year ago. Alternatively, you can use the implementation in Rust, named Rage [2]. The Go version is well ahead in terms of performance, though, especially with large volumes of data.

Age has a clearly defined feature set with only a few configuration options, which makes both the program and the API very easy to use, virtually eliminating configuration errors by the user. In the remainder of this article, I look exclusively at how to use the program on Linux.

Age supports different file recipients, who are selected by their public keys, which you specify in each case with the -R argument during encryption. After the install, which is very easy because the packages exist for popular Linux distributions, you need to create a new private key with the command:

age-keygen > private.key

You can copy the public key from the output or take it from the commented lines in the private.key file; just ignore the hint about the potential risk posed by the file's insecure access rights in this example. In production, you would use umask up front to adjust the permissions of the new file. If you only want to output the public key at the command line for the private key in the file, use the command:

age-keygen -y private.key

The keys generated are in the form of Base32-formatted X25519 identities (i.e., they are based on elliptic curves). In addition to Age's own format keys in version 1, Age also accepts SSH keys for encryption, which can be for the same 25519 elliptic curve (ssh-ed25519) or RSA keys (ssh-rsa).

The use of SSH keys may seem unusual at first glance, but it is perfectly suitable and very practical because these keys are already distributed in many places. Especially in the developer environment, you will find many public SSH keys in profiles on GitHub or GitLab. Unlike GnuPG, however, when using Age, you do not have a web of trust to verify the keys or to establish trust in the keys.

If you want to make your data available to several recipients on a regular basis, you can store the recipients in a recipient file. The different key types of the recipients can be combined in a single file. After adding the public keys of the recipients to the recipient.txt file – one key per line in the normal way – encrypt your data:

echo Admin Magazine | age -R recipient.txt -a

The -a sends the output to an ASCII wrapper, with which you are probably already familiar from GnuPG. With the command

echo Admin Magazine | age -R recipient.txt -a | age -d -i private.key

you can test decryption directly.