~/blog/"Random software I find on the internet. Part 1: age"

2022-11-12


WARNING #1: I’m not aware if this software has been properly audited. I am also not endorsing its use. My only intent is to share a project which I found interesting. As with every piece of technology (especially with encryption software), be sensible with the amount of trust you put into it.

WARNING #2: Any keys shown in this post are insecure, and should never be used.

While perusing some image boards a few months ago (don’t judge me, there’s some hidden gems out there), I came across a thread where people were exchanging encrypted messages (in this case, invite codes to an email server) using a program called age. It was quite interesting to see people exchanging direct private messages anonymously in an open public forum, without using any messaging system with accounts and passwords.

The program itself is a minimalist encryption tool and library written in Go (an alternative Rust implementation is also available). To generate a public-private key pair, you just need to call age-keygen -o and give it the filename where you wish to save the private key. Much simpler and quicker than GPG.

~ $ age-keygen -o key.txt
Public key: age1qjzggcf9jwu5ux9ctfggeghr5rcfxdnw74kvd06ruzdgpxxwputqs4pul5

The public key shown above can then be given to the person who’s going to be sending you encrypted data. By default age writes binary output; if you want the encrypted output in PEM format, use the -a flag (this is not mandatory, but it’s necessary to print it to the screen). As with any good Unix utility, you can use “|” to pipe the output of echo into the input of age. The -r flag denotes the recipient of the message (i.e. the public key).

~ $ echo "This is a test" |
> age -r age1qjzggcf9jwu5ux9ctfggeghr5rcfxdnw74kvd06ruzdgpxxwputqs4pul5 -a
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNGVJUmhOdGpxUTNvWG9E
V2xNeXhGRm9xSFdqN2lDcndEWTdkTUZrckY4ClM5S01pcEVWMTc5RW85cUtGM2sx
SHV0bFhXa256QnlURGpJZTUvYmozNUEKLS0tIEVsaGxhRFozeWNNdWtFbUg4U1JZ
Y0xkMGxlY1hpODBVenFVSWhxaUxFcDQK2WgZ4pEQbUya/MGgMvuWVkGxZYe4cnrT
ThjB+1RHHbk92bpAUAo0wy41pOjYGbQ=
-----END AGE ENCRYPTED FILE-----

The file with the private key can then be used to decrypt the message, recovering the original text.

~ $ echo "This is a test" |
> age -r age1qjzggcf9jwu5ux9ctfggeghr5rcfxdnw74kvd06ruzdgpxxwputqs4pul5 -a |
> age -d -i key.txt
This is a test
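What anyone reading the thread can learn from the armored block above without the private key, as an added example (not code from the original post or from the age project): the header is cleartext, so the format version, the recipient stanza type and the plaintext length are all visible. The 16-byte nonce, 16-byte tag and 64 KiB chunk size are taken from the age v1 format; the function names are made up for this example.

```python
import base64

# Armored ciphertext copied verbatim from the post (demo key, never reuse).
ARMORED = """-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNGVJUmhOdGpxUTNvWG9E
V2xNeXhGRm9xSFdqN2lDcndEWTdkTUZrckY4ClM5S01pcEVWMTc5RW85cUtGM2sx
SHV0bFhXa256QnlURGpJZTUvYmozNUEKLS0tIEVsaGxhRFozeWNNdWtFbUg4U1JZ
Y0xkMGxlY1hpODBVenFVSWhxaUxFcDQK2WgZ4pEQbUya/MGgMvuWVkGxZYe4cnrT
ThjB+1RHHbk92bpAUAo0wy41pOjYGbQ=
-----END AGE ENCRYPTED FILE-----"""

# age v1 payload layout (assumed from the format spec): 16-byte nonce, then
# chunks of up to 64 KiB of plaintext, each followed by a 16-byte tag.
NONCE_LEN, TAG_LEN, CHUNK_LEN = 16, 16, 64 * 1024


def dearmor(text):
    """Strip the PEM-style markers and base64-decode the body."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if (lines[0] != "-----BEGIN AGE ENCRYPTED FILE-----"
            or lines[-1] != "-----END AGE ENCRYPTED FILE-----"):
        raise ValueError("not an armored age file")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def inspect(raw):
    """Return what the cleartext header and payload size reveal, keylessly."""
    marker = raw.find(b"\n--- ")            # start of the header MAC line
    if marker < 0:
        raise ValueError("header MAC line not found")
    end = raw.index(b"\n", marker + 1)      # end of the "--- <MAC>" line
    header = raw[:marker].decode("ascii").split("\n")
    payload = raw[end + 1:]
    stanzas = [l.split(" ")[1:] for l in header[1:] if l.startswith("-> ")]
    body = len(payload) - NONCE_LEN
    chunks = -(-body // (CHUNK_LEN + TAG_LEN))  # ceiling division
    return {
        "version": header[0],
        "recipient_types": [s[0] for s in stanzas],
        "plaintext_len": body - chunks * TAG_LEN,
    }


info = inspect(dearmor(ARMORED))
print(info)
```

The X25519 stanza carries a per-file ephemeral share rather than the recipient's public key, so the post does not identify who it is for, but the 15-byte plaintext length (the test string plus echo's newline) is exposed.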

You can also use age with files, not just text.

~ $ age -r age1qjzggcf9jwu5ux9ctfggeghr5rcfxdnw74kvd06ruzdgpxxwputqs4pul5 -o image.png.age image.png

The example above takes an image as input (image.png) and outputs an encrypted file (image.png.age).

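The -r flag can also be used multiple times, to encrypt for multiple recipients. Each -r takes a public key (PUBLIC_KEY_1 and PUBLIC_KEY_2 below are placeholders), not a key file.

~ $ age -r PUBLIC_KEY_1 -r PUBLIC_KEY_2 -o image.png.age image.png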

There are lots of other features, such as: specifying multiple recipients in a text file (using the -R flag), password-protecting the private key file, encrypting / decrypting using SSH keys, encrypting / decrypting using YubiKeys, etc. Have a look at the full documentation for more details.

Despite all of this, it does not support things like signing (which GPG does). This is by design, as that would introduce more complexity to it. But there’s a bit of nuance here, so I’d recommend reading more about it from one of the authors.

As you might imagine, age was probably developed with higher goals in mind than shit-posting on imageboards. It does indeed have better applications, like dealing with secrets in GitOps. This actually interests me, and I might dig deeper into it in the future.

I guess the moral of the story is that you can learn new things from unexpected places, and in roundabout ways. So keep your eyes open!