// the find
FiloSottile/age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
age is a file encryption tool and Go library from Filippo Sottile, one of the Go cryptography team leads. It replaces GPG for the common case of encrypting files to a recipient's public key, with a deliberately minimal design: one key format, one cipher suite, no config files. If you need to encrypt a file and hand it to someone, this is the tool.
The format spec is published and versioned at age-encryption.org/v1, with interoperable implementations in Rust and TypeScript — you're not locked into this Go binary. Post-quantum support (ML-KEM-768 + X25519 hybrid) landed in v1.3.0 without breaking the plugin interface or existing files. The plugin system is genuinely useful: YubiKey support, hardware tokens, and PQ support are all external binaries that speak a defined protocol, keeping the core clean. SSH public key support as recipients is a practical shortcut — encrypting to a GitHub user's keys is a one-liner.
No key management story beyond 'here is a file, don't lose it' — there's no built-in key rotation, expiry, or revocation. The post-quantum recipient keys are ~2000 characters, which is awkward to share out-of-band. ssh-agent support is explicitly not implemented, which is annoying if your identity is already loaded there. The format is binary by default; --armor produces PEM but the armor implementation is a separate streaming layer bolted on top, not first-class, so it's slower and the codebase splits the concern across two packages.