LinuxCommandLibrary

age-keygen

Generate key pairs for age encryption

TLDR

Generate a key pair, save it to an unencrypted file, and print the public key to stdout

$ age-keygen [[-o|--output]] [path/to/file]

Convert an identity to a recipient and print the public key to stdout

$ age-keygen -y [path/to/file]

SYNOPSIS

age-keygen [-o output_file]
age-keygen [--output output_file]
age-keygen -y [identity_file]
age-keygen [--help]
age-keygen [--version]

PARAMETERS

-o output_file, --output output_file
    Writes the generated key to the specified output_file instead of standard output. It is highly recommended to use this option and ensure the file permissions are set securely (e.g., chmod 600).

-y [identity_file]
    Converts an existing identity (private key) to its recipient and prints the public key to stdout, as in the TLDR example above.

--help
    Displays a concise help message detailing command usage and options.

--version
    Prints the version information of the age-keygen utility.

DESCRIPTION

The age-keygen command is an essential utility within the age encryption tool suite. Its primary function is to generate a new age secret key (private key) along with its corresponding public key. This pair is fundamental for asymmetric encryption with age.

When executed, age-keygen outputs the private key to standard output by default, along with its associated public key, which is prefixed with "# public key:". The private key, starting with "AGE-SECRET-KEY-1", must be kept absolutely confidential and secure, as it is required to decrypt any data encrypted using its corresponding public key. The public key, starting with "age1", can be freely shared and is used by others to encrypt data for the private key's owner. This command simplifies the process of establishing new identities for secure data exchange using the age file encryption format.

CAVEATS

By default, age-keygen generates a raw private key without any passphrase protection. If you wish to protect your private key with a passphrase, you will need to manually encrypt the generated key file using age or another suitable tool. Always ensure the generated private key file has strict file permissions (e.g., chmod 600) to prevent unauthorized access. Mismanagement of the private key can compromise the security of all data encrypted with its corresponding public key.

STANDARD OUTPUT AND REDIRECTION

When the -o or --output option is not used, age-keygen prints the private key to standard output. It's common practice to redirect this output to a file, for example: age-keygen > ~/.config/age/keys.txt. This file should then be secured with appropriate file permissions.

KEY FORMATS

The generated private key follows the age secret key format, starting with AGE-SECRET-KEY-1. The public key, which appears in the output as a "# public key:" comment line, starts with age1. Both formats are specifically designed for the age encryption system.
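As an added example (not code from the age project), the following implements what these two prefixes actually encode: age keys are Bech32 strings with human-readable part "age" for the public key and "AGE-SECRET-KEY-" for the private key, each carrying a 32-byte X25519 key. The parser checks the "# public key:" comment and identity line that age-keygen writes, and the checksum lets it reject a key that was mistyped or corrupted in transit; the key bytes used in the usage section are constructed, not a real key pair.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]

def _polymod(hrp, data):
    chk = 1  # BIP173 checksum over the expanded HRP and 5-bit data; a valid string yields 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            chk ^= g if (top >> i) & 1 else 0
    return chk

def _convertbits(data, frombits, tobits, pad):
    """Regroup bit width: 8->5 when encoding (padded), 5->8 when decoding (padding dropped)."""
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out

def bech32_encode(hrp, payload):
    """Bech32 as age uses it: checksum over the lowercase HRP, whole string uppercased if the HRP is."""
    lo, data = hrp.lower(), _convertbits(payload, 8, 5, True)
    pm = _polymod(lo, data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    s = lo + "1" + "".join(CHARSET[d] for d in data)
    return s.upper() if hrp.isupper() else s

def bech32_decode(s):
    """Return (lowercase hrp, payload bytes); ValueError on mixed case, bad charset or checksum."""
    hrp, _, body = s.lower().rpartition("1")
    if s not in (s.lower(), s.upper()) or not hrp or len(body) < 6 or not set(body) <= set(CHARSET):
        raise ValueError("malformed bech32 string")
    data = [CHARSET.index(c) for c in body]
    if _polymod(hrp, data) != 1:
        raise ValueError("bech32 checksum mismatch: key is corrupted or mistyped")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))

def parse_keyfile(text):
    """Return (recipient bytes, identity bytes) from age-keygen output; '# created:' lines are ignored."""
    pub = [l.split(": ", 1)[1].strip() for l in text.splitlines() if l.startswith("# public key: ")]
    sec = [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(pub) != 1 or len(sec) != 1:
        raise ValueError("expected one '# public key:' comment and one identity line")
    (h1, pk), (h2, sk) = bech32_decode(pub[0]), bech32_decode(sec[0])
    if (h1, h2) != ("age", "age-secret-key-") or len(pk) != 32 or len(sk) != 32:
        raise ValueError("not an age1 recipient paired with an AGE-SECRET-KEY-1 identity")
    return pk, sk
```

To try it, feed `parse_keyfile` the contents of a file written by `age-keygen -o`; a one-character typo in either line is caught by the checksum rather than producing a silently wrong key.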

USAGE IN ENCRYPTION WORKFLOW

After generating a key pair with age-keygen, the public key is distributed to parties who need to encrypt data for you. They use this public key with the age command (e.g., age -r age1... < input.txt > encrypted.age). You then use your private key with the age command in decrypt mode to recover the data (e.g., age -d -i ~/.config/age/keys.txt < encrypted.age > decrypted.txt).

HISTORY

The age-keygen utility is an integral part of the age encryption system, which was developed by Filippo Valsorda, a Google engineer, and first publicly released around 2020. age was designed as a modern, simple, and secure alternative to more complex encryption tools like GnuPG, focusing on ease of use and robust defaults. age-keygen provides the necessary functionality to generate the cryptographic identities (keys) fundamental to the age ecosystem, embodying the project's goal of secure and accessible encryption.

SEE ALSO

age(1), ssh-keygen(1), gpg(1)
