How to Use Age Encryption for File Sharing 2026

Last updated: March 21, 2026

–END AGE ENCRYPTED FILE—–

Paste this into email or chat. Recipient decrypts:
```bash
echo "-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUx..." | age -d -i ~/.age/key.txt

Step 7 - Age Encryption with Passphrase (No Keys)

age can encrypt with just a passphrase (no public keys needed). Useful for personal backups.

Encrypt
age -p backup.tar.gz > backup.tar.gz.age
Prompts - Enter passphrase

Decrypt
age -d -i - backup.tar.gz.age > backup.tar.gz
Prompts - Enter passphrase

The -p flag means “use passphrase instead of keys.” This is simpler than GPG for backups (no key management), but less secure if the passphrase is weak.

Step 8 - Integration with Other Tools

SSH Key Import

If you have a SSH key pair, you can use it with age directly (no need to generate separate age keys):

age -r ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... file.txt > file.txt.age

Encrypt with someone’s SSH public key (they can decrypt with their SSH private key).

Decrypt using SSH key
age -d -i ~/.ssh/id_ed25519 file.txt.age

This is powerful - share SSH public keys instead of age public keys.

Encrypt within scripts

Bash script to encrypt a directory:

#!/bin/bash

PUBKEY="age1qs8g9p0qx5q2j3k4l5m6n7o8p9q0r1s2t3u4v5w6x7y8z9a0b1c2d3"
PRIVKEY="$HOME/.age/key.txt"

Encrypt all .log files
for file in *.log; do
 age -r "$PUBKEY" "$file" > "$file.age"
 echo "Encrypted $file"
done

Decrypt all .log.age files
for file in *.log.age; do
 age -d -i "$PRIVKEY" "$file" > "${file%.age}"
 echo "Decrypted $file"
done

Docker integration

Encrypt secrets before building Docker images:

FROM alpine:latest

Copy encrypted config
COPY app-config.yml.age /app/

Decrypt at runtime (key passed as build arg)
RUN apk add age
RUN echo "AGE-SECRET-KEY-1..." | age -d -i - /app/app-config.yml.age > /app/app-config.yml

CMD ["app"]

Kubernetes secrets

Encrypt YAML before committing:

Encrypt secret
age -r age1my_pubkey secret.yaml > secret.yaml.age
git add secret.yaml.age

Apply secret (decrypt in CI pipeline before kubectl apply)
age -d -i ~/.age/key.txt secret.yaml.age | kubectl apply -f -

Step 9 - Rotate Keys and Revocation

Rotate to a new key

Generate a new key pair:
```
 age-keygen > ~/.age/new-key.txt
```

Re-encrypt old files with new public key:

 age -d -i ~/.age/old-key.txt secrets.age | age -r age1_new_pubkey > secrets.age

Share new public key with colleagues; discard old key.

Revoke a key

If a key is compromised:

Stop using it immediately.
Generate a new key.
Re-encrypt all files with the new key.
Delete the old key file.

age doesn’t have a revocation system (like GPG), so manual rotation is necessary.

Comparison - Age vs GPG for Different Use Cases

Use age for:

File sharing between colleagues.
Encrypting backups before cloud upload.
Protecting secrets in version control.
Automation scripts (faster, simpler syntax).
New projects where GPG compatibility isn’t required.

Use GPG for:

Signing Git commits (well-integrated).
Email encryption (widely supported).
Projects that require GPG compatibility.
Organizations with existing GPG infrastructure.

For most modern workflows, age is the better choice.

Troubleshooting

Error - “could not decrypt: wrong passphrase”

You’re using the wrong secret key. Check -i ~/.age/key.txt path.
Or the file wasn’t encrypted for your public key.

Error - “unknown recipient”

The public key in -r is invalid. Check the format (should start with age1).

Error - “secret key is invalid”

The key file is corrupted. Check ~/.age/key.txt exists and is readable.

File won’t decrypt

The key used to encrypt might be different from the key you’re using to decrypt.
You encrypted with Bob’s key, but you’re trying to decrypt with your own.

Security Considerations

Never commit secret keys to Git. Add ~/.age/key.txt to .gitignore globally:

 echo "~/.age/key.txt" >> ~/.gitignore_global
 git config --global core.excludesfile ~/.gitignore_global

Protect key files. Set proper permissions:
```
 chmod 600 ~/.age/key.txt
```
Use strong passphrases (if encrypting keys with a passphrase). 20+ characters, mixed case, numbers, symbols.
Back up keys. Store a backup of your secret key in a secure location (encrypted USB, secure vault). If you lose it, you can’t decrypt files.
Verify public keys. For critical sharing, verify the public key with the recipient out-of-band (call them, check their website, compare in person).

Frequently Asked Questions

How long does it take to use age encryption for file sharing?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Built by theluckystrike. More at zovo.one