finds.dev← search

// the find

FiloSottile/age

★ 22,779 · Go · BSD-3-Clause · updated Mar 2026

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

age is a file encryption tool and Go library from Filippo Sottile, one of the Go cryptography team leads. It replaces GPG for the common case of encrypting files to a recipient's public key, with a deliberately minimal design: one key format, one cipher suite, no config files. If you need to encrypt a file and hand it to someone, this is the tool.

The format spec is published and versioned at age-encryption.org/v1, with interoperable implementations in Rust and TypeScript — you're not locked into this Go binary. Post-quantum support (ML-KEM-768 + X25519 hybrid) landed in v1.3.0 without breaking the plugin interface or existing files. The plugin system is genuinely useful: YubiKey support, hardware tokens, and PQ support are all external binaries that speak a defined protocol, keeping the core clean. SSH public key support as recipients is a practical shortcut — encrypting to a GitHub user's keys is a one-liner.

No key management story beyond 'here is a file, don't lose it' — there's no built-in key rotation, expiry, or revocation. The post-quantum recipient keys are ~2000 characters, which is awkward to share out-of-band. ssh-agent support is explicitly not implemented, which is annoying if your identity is already loaded there. The format is binary by default; --armor produces PEM but the armor implementation is a separate streaming layer bolted on top, not first-class, so it's slower and the codebase splits the concern across two packages.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →