A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability. https://age-encryption.org/v1
Jack Grigg cf42b7f2ee v0.2.0
2020-01-10 19:02:35 -05:00
.github Interop: Test explicit stdin/stdout 2020-01-03 17:26:24 -05:00
assets Generate a secure passphrase if one is not provided 2020-01-04 00:13:29 -05:00
docs Document process for creating Debian packages 2019-12-29 16:24:40 -06:00
examples Update usage docs 2020-01-10 18:49:13 -05:00
fuzz Update fuzz/Cargo.lock 2020-01-10 18:57:06 -05:00
src Remove CR from wrapped_encoded_data parsing 2020-01-10 16:36:25 -05:00
.gitignore added .idea to .gitignore 2019-12-31 21:34:55 +01:00
Cargo.lock v0.2.0 2020-01-10 19:02:35 -05:00
Cargo.toml v0.2.0 2020-01-10 19:02:35 -05:00
CHANGELOG.md Parse and serialize unknown recipient lines 2020-01-09 10:26:59 -05:00
LICENSE-APACHE Add README and license info 2019-10-08 21:59:02 +13:00
LICENSE-MIT Add README and license info 2019-10-08 21:59:02 +13:00
README.md v0.2.0 2020-01-10 19:02:35 -05:00

rage: Rust implementation of age

age is a simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability. The format specification is at age-encryption.org/v1.

rage is a Rust implementation of the age tool. It is pronounced like the Japanese らげ (with a hard g).

To discuss the spec or other age-related topics, please email the mailing list at age-dev@googlegroups.com. age was designed by @Benjojo12 and @FiloSottile.

The reference interoperable Golang implementation is available at filippo.io/age.

Usage

Usage: rage [OPTIONS] [INPUT]

Positional arguments:
  INPUT                      file to read input from (default stdin)

Optional arguments:
  -h, --help                 print help message
  -d, --decrypt              decrypt the input (default is to encrypt)
  -p, --passphrase           use a passphrase instead of public keys
  --max-work-factor WF       maximum work factor to allow for passphrase decryption
  -a, --armor                create ASCII armored output (default is age binary format)
  -r, --recipient RECIPIENT  recipient to encrypt to (may be repeated)
  -i, --identity IDENTITY    identity to decrypt with (may be repeated)
  -o, --output OUTPUT        output to OUTPUT (default stdout)

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
    -r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default rage will automatically generate a secure passphrase.

$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
    kiwi-general-undo-bubble-dwarf-dizzy-fame-side-sunset-sibling
$ rage -d -p example.png.age >example.png
Type passphrase: [hidden]

SSH keys

As a convenience feature, rage also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz str4d@internet.arpa
$ rage -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz" example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png

ssh-rsa support is currently behind the unstable feature flag.

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.
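The tracking property in the note above can be checked without any private key. The following is an added example, not code from rage or the age project; it assumes the age v1 text header layout (`-> type args` recipient lines ending at a `---` MAC line) and that the tag is the first four bytes of SHA-256 over the decoded SSH key blob, base64-encoded without padding. All function names are hypothetical and the header is constructed sample data.

```python
import base64
import hashlib

# Public key line copied from the SSH keys example on this page.
PAGE_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz"
            " str4d@internet.arpa")


def ssh_recipient_tag(pubkey_line):
    """Tag for an OpenSSH public key line: "<type> <base64 blob> [comment]".

    Assumption: first 4 bytes of SHA-256 over the decoded key blob,
    base64-encoded without padding.
    """
    blob_b64 = pubkey_line.split()[1]
    blob = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    return base64.b64encode(hashlib.sha256(blob).digest()[:4]).decode().rstrip("=")


def recipient_stanzas(data):
    """Return [type, arg, ...] for each "-> " line before the "---" MAC line."""
    stanzas = []
    for line in data.split(b"\n"):
        if line.startswith(b"---"):
            break  # end of header; the encrypted payload follows
        if line.startswith(b"-> "):
            stanzas.append(line[3:].decode("ascii", "replace").split())
    return stanzas


def is_encrypted_to(data, pubkey_line):
    """True if the header names this SSH key, without needing any private key."""
    wanted = [pubkey_line.split()[0], ssh_recipient_tag(pubkey_line)]
    return any(stanza[:2] == wanted for stanza in recipient_stanzas(data))


def constructed_header(stanza_lines):
    """Build a sample header; shares and MAC are placeholders, not real output."""
    lines = ["age-encryption.org/v1"]
    for stanza in stanza_lines:
        lines += [stanza, "CONSTRUCTED-WRAPPED-KEY"]
    return ("\n".join(lines) + "\n--- CONSTRUCTED-MAC\n").encode()


if __name__ == "__main__":
    tag = ssh_recipient_tag(PAGE_KEY)
    ssh_file = constructed_header(["-> X25519 CONSTRUCTED-SHARE", f"-> ssh-ed25519 {tag} CONSTRUCTED-SHARE"])
    native_file = constructed_header(["-> X25519 CONSTRUCTED-SHARE"])
    print(is_encrypted_to(ssh_file, PAGE_KEY), is_encrypted_to(native_file, PAGE_KEY))
```

Anyone who holds the file and a candidate SSH public key can run this comparison, which is the reason to prefer native age1 recipients when recipient privacy matters.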

Installation

On Windows, Linux, and macOS, you can use the pre-built binaries.

The rage suite of tools is provided in the age Rust crate. If your system has Rust 1.37+ installed (either via rustup or a system package), you can build directly from source:

cargo install age

You can also use the age crate directly as a library, by adding this line to your Cargo.toml (which disables the CLI tools):

age = { version = "0.2", default-features = false }

Help from new packagers is very welcome.

Feature flags

  • cli enables the rage and rage-keygen tools, and is enabled by default.

  • mount enables the rage-mount tool, which can mount age-encrypted TAR or ZIP archives as read-only. It is currently only usable on Unix systems, as it relies on libfuse.

  • unstable enables in-development functionality. Anything behind this feature flag has no stability or interoperability guarantees.

License

Licensed under either of

  • Apache License, Version 2.0 (LICENSE-APACHE)

  • MIT license (LICENSE-MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.