age-keygen
Generate key pairs for age encryption
TLDR
Generate a key pair, save it to an unencrypted file, and print the public key to stdout
Convert an identity to a recipient and print the public key to stdout
SYNOPSIS
age-keygen [-o, --output FILE]
PARAMETERS
-o, --output FILE
Write secret key to FILE instead of stdout (public key still on stderr).
DESCRIPTION
age-keygen is a lightweight command-line utility from the age encryption toolchain, designed to generate secure X25519 key pairs for file encryption and decryption. The age tool provides simple, modern encryption using hybrid cryptography: X25519 for key exchange and ChaCha20-Poly1305 for symmetric encryption.
Running age-keygen produces a random secret key (prefixed AGE-SECRET-KEY-) printed to stdout by default, and the corresponding public key (prefixed age1...) to stderr. This separation allows easy capture of the public key for sharing while protecting the secret.
Use cases include recipient-based encryption: share the public key so that others can encrypt files with age -r age1... file.txt > encrypted.age, and the holder of the secret key decrypts with age -d -i ~/.config/age/key.txt encrypted.age. Keys are compact (44 bytes secret, 32 bytes public base32-encoded) and compatible across age implementations.
It relies on the system's randomness source for key generation, ensuring cryptographic security without complex configuration.
CAVEATS
Keep secret keys strictly private; they enable decryption. Ensure the system has sufficient entropy for randomness. The key file has no passphrase protection; use file permissions or tools like pass.
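One way to check the file-permission caveat above, as an added example that is not part of age or of this page: a POSIX shell function that audits an identity file written with -o. The names audit_age_keyfile and write_sample_keyfile are hypothetical, the sample key is constructed and not a valid key, and the check assumes the "# public key:" comment line that age-keygen writes into the file.

```shell
#!/bin/sh
# Added example: audit an identity file written by `age-keygen -o FILE`.
# Prints the public key (safe to share) on stdout, problems on stderr.
# Returns 0 if the file is owner-only and well-formed, 1 otherwise.
audit_age_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }

    # Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    # The key has no passphrase, so any group/other bit exposes it.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "mode $mode on $f: group/other access to a secret key" >&2
        return 1
    fi

    # Exactly one X25519 identity line: prefix, then 58 Bech32 characters.
    # Structural check only; the Bech32 checksum is not verified here.
    n=$(LC_ALL=C grep -Ec '^AGE-SECRET-KEY-1[AC-HJ-NP-Z02-9]{58}$' "$f" || true)
    [ "$n" = 1 ] || { echo "expected 1 secret key line in $f, found ${n:-none}" >&2; return 1; }

    # age-keygen records the recipient in a "# public key:" comment.
    pub=$(sed -n 's/^# public key: \(age1[a-z0-9]*\)$/\1/p' "$f" | head -n 1)
    [ -n "$pub" ] || { echo "no '# public key:' comment in $f" >&2; return 1; }
    printf '%s\n' "$pub"
}

# Constructed sample (assumption: NOT a real key, its checksum is invalid).
# Usage: write_sample_keyfile PATH MODE
write_sample_keyfile() {
    body=$(printf '%058d' 0)
    ( umask 077
      {
        echo "# created: 2024-01-01T00:00:00Z"
        echo "# public key: age1$(printf '%s' "$body" | tr 0 q)"
        echo "AGE-SECRET-KEY-1$(printf '%s' "$body" | tr 0 Q)"
      } > "$1" )
    chmod "$2" "$1"
}
```

Running audit_age_keyfile ~/.config/age/key.txt after key generation prints only the recipient, so the secret key never reaches the terminal or a log.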
DEFAULT OUTPUT
Secret to stdout: AGE-SECRET-KEY-1ABC...
Public to stderr: age1...
EXAMPLE USAGE
age-keygen -o ~/.config/age/key.txt
# Share public key line from stderr
age -r age1... file.txt > encrypted.age
HISTORY
Developed by Filippo Valsorda as part of age (v1.0.0, July 2020), a successor to age-encryption.org tools. It aims for simplicity over GPG and is actively maintained, with a Rust implementation.


