First stable release of Age, a data encryption utility

Filippo Valsorda, the cryptographer responsible for the security of the Go programming language at Google, has published the first stable release of a new data encryption utility, Age (Actually Good Encryption). The utility provides a simple command line interface for encrypting files with both symmetric (password) and asymmetric (public key) cryptography. The project is written in Go and distributed under the BSD license. Builds are available for Linux, FreeBSD, macOS and Windows.

The core functionality lives in a library, so the same features can be integrated into your own programs. Separately, the rage project is developing an alternative implementation of a similar utility and library in Rust. The encryption is built from well-established primitives: HKDF (HMAC-based Extract-and-Expand Key Derivation Function), SHA-256, HMAC (Hash-based Message Authentication Code), X25519, scrypt and the ChaCha20-Poly1305 AEAD.

Notable features of Age include: compact 512-bit public keys that can easily be passed around via the clipboard; a simple command line interface that is not overloaded with options; no configuration files; and suitability for scripts and for combination with other utilities in UNIX-style pipelines. Both generating your own compact keys and reusing existing SSH keys ("ssh-ed25519", "ssh-rsa") are supported, including GitHub .keys files.

$ age-keygen -o key.txt
Public key: age1ql3z7hjy58pw3hyww5ayyfg7zqgvc7w3j2elw2zmrj2kg5sfn9bqmcac8p
$ tar cvz ~/data | age -r age1ql3z7hjy58pw3hyww5ayyfg7zqgvc7w3j2elw2zmrj2kg5sfn9bqmcac8p > data.tar.gz.age
$ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz
$ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
$ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

There is also a mode for encrypting a file to several recipients at once: the file is encrypted to several public keys simultaneously, and any recipient on the list can decrypt it. Files can likewise be encrypted symmetrically with a password, and private keys can be protected by encrypting them with a password. A useful touch is that if you enter an empty password when encrypting, the utility automatically generates and suggests a strong passphrase.

$ age -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ age -d secrets.txt.age > secrets.txt
Enter passphrase:
$ age-keygen | age -p > key.age
Public key: age1yhm4gftwfmrpz87tdslm530wrx6m79y9f2hdzt0lndjnehwj0bkqrjpyx5
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "hip-roast-boring-snake-mention-east-wasp-honey-input-actress".
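To make the multi-recipient layout concrete, here is an added example (not code from the age project) that parses the textual header of an age v1 file: one "-> " stanza per recipient, each wrapping the same file key, followed by a header MAC line. The sample header is constructed from placeholder bytes and is not a real ciphertext.

```python
import base64
from typing import NamedTuple

INTRO = b"age-encryption.org/v1"

def b64(raw: bytes) -> bytes:  # age uses standard base64 with '=' padding stripped
    return base64.b64encode(raw).rstrip(b"=")
def unb64(text: bytes) -> bytes:
    return base64.b64decode(text + b"=" * (-len(text) % 4), validate=True)

class Stanza(NamedTuple):
    kind: str        # recipient type: X25519, scrypt, ssh-ed25519, ssh-rsa
    args: list[str]  # e.g. the ephemeral share, or the scrypt salt and work factor
    body: bytes      # the 16-byte file key wrapped for this recipient, plus tag

def parse_header(data: bytes) -> tuple[list[Stanza], bytes, int]:
    """Return (recipient stanzas, header MAC, offset where the payload starts)."""
    lines = data.split(b"\n")
    if lines[0] != INTRO:
        raise ValueError("not an age v1 file")
    stanzas, i = [], 1
    while lines[i].startswith(b"-> "):
        kind, *args = lines[i][3:].decode("ascii").split(" ")
        body, i = [], i + 1
        while True:  # body lines are 64 chars wide; the first shorter line ends it
            body.append(lines[i])
            i += 1
            if len(body[-1]) < 64:
                break
        stanzas.append(Stanza(kind, args, unb64(b"".join(body))))
    if not lines[i].startswith(b"--- "):
        raise ValueError("missing header MAC line")
    return stanzas, unb64(lines[i][4:]), sum(len(ln) + 1 for ln in lines[: i + 1])

def describe(stanzas: list[Stanza]) -> dict:  # who can decrypt, plus a format check
    kinds = [s.kind for s in stanzas]
    by_type = {k: kinds.count(k) for k in sorted(set(kinds))}
    # The format requires a passphrase (scrypt) stanza to be the only stanza.
    return {"recipients": len(kinds), "by_type": by_type,
            "spec_ok": "scrypt" not in kinds or kinds == ["scrypt"]}

# Constructed sample from placeholder bytes (not real keys or ciphertext):
# an X25519 recipient and an SSH recipient, each wrapping the same file key.
SAMPLE = b"\n".join([
    INTRO,
    b"-> X25519 " + b64(bytes([0x11]) * 32),                # ephemeral share
    b64(bytes([0x22]) * 32),                                 # wrapped file key
    b"-> ssh-ed25519 " + b64(bytes([0x33]) * 4) + b" " + b64(bytes([0x44]) * 32),
    b64(bytes([0x55]) * 32),
    b"--- " + b64(bytes([0x66]) * 32),                       # HMAC-SHA-256 tag
    b"\x00" * 16 + b"\xaa" * 8,                              # nonce + ciphertext
])
```

Running `describe(parse_header(SAMPLE)[0])` reports two recipients, one of each type; a header that mixes a scrypt stanza with other recipients is flagged as violating the format.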

Future plans include a backend for password storage and a shared key server (PAKE), support for YubiKey keys, generation of easy-to-remember keys in the form of a list of words, and an age-mount utility for mounting encrypted files or archives into the filesystem.

Source: opennet.ru
