age-keygen

age-keygen [options] [-o file]age-keygen -y [identity-file]

age-keygen generates X25519 key pairs for use with the age encryption tool. The private key (identity) is printed to stdout or written to a file, while the public key is included as a comment in the output.The generated keys are simple text strings: public keys start with "age1" and private keys start with "AGE-SECRET-KEY-1". The -y flag extracts the public key from an existing identity, useful for sharing your recipient without exposing the private key.

-o file

Write key to file instead of stdout. Will not overwrite if file exists.

Read an identity file (or stdin) and output the corresponding public key (recipient). Works with age private keys and ed25519 SSH keys.

Generate hybrid post-quantum keys using ML-KEM-768 + X25519 (age v1.3.0+).

Print version and exit.

Keep the private key secret; anyone with it can decrypt files meant for you. There is no key revocation mechanism. Back up your keys securely. The -o flag will not overwrite existing files. Post-quantum recipients are approximately 2000 characters long.

age-keygen was released alongside age in 2019 by Filippo Valsorda. It provides a minimal key generation tool that follows the same design philosophy as age itself: simple, secure, and with no unnecessary options. Version 1.3.0 added hybrid post-quantum key generation with the -pq flag.

age(1), ssh-keygen(1), gpg(1)