Skip to content
A simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability.
Branch: master
Clone or download
str4d CI: Use stable Rust release for code coverage
Fixes an issue where cargo-tarpaulin failed to build the crate on
1.37.0, but the crate itself builds fine with that version.
Latest commit 2debcee Jan 20, 2020
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github CI: Use stable Rust release for code coverage Jan 20, 2020
assets Generate a secure passphrase if one is not provided Jan 4, 2020
docs Document process for creating Debian packages Dec 29, 2019
examples Update usage docs Jan 10, 2020
fuzz Update fuzz/Cargo.lock Jan 10, 2020
src Remove CR from wrapped_encoded_data parsing Jan 10, 2020
.gitignore added .idea to .gitignore Dec 31, 2019 Update release date in CHANGELOG Jan 11, 2020
Cargo.lock v0.2.0 Jan 11, 2020
Cargo.toml v0.2.0 Jan 11, 2020
LICENSE-APACHE Add README and license info Oct 8, 2019
LICENSE-MIT v0.2.0 Jan 11, 2020

rage: Rust implementation of age

age is a simple, secure and modern encryption tool with small explicit keys, no config options, and UNIX-style composability. The format specification is at

rage is a Rust implementation of the age tool. It is pronounced like the Japanese らげ (with a hard g).

To discuss the spec or other age related topics, please email the mailing list at age was designed by @Benjojo12 and @FiloSottile.

The reference interoperable Golang implementation is available at


Usage: rage [OPTIONS] [INPUT]

Positional arguments:
  INPUT                      file to read input from (default stdin)

Optional arguments:
  -h, --help                 print help message
  -d, --decrypt              decrypt the input (default is to encrypt)
  -p, --passphrase           use a passphrase instead of public keys
  --max-work-factor WF       maximum work factor to allow for passphrase decryption
  -a, --armor                create ASCII armored output (default is age binary format)
  -r, --recipient RECIPIENT  recipient to encrypt to (may be repeated)
  -i, --identity IDENTITY    identity to decrypt with (may be repeated)
  -o, --output OUTPUT        output to OUTPUT (default stdout)

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
    -r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png


Files can be encrypted with a passphrase by using -p/--passphrase. By default rage will automatically generate a secure passphrase.

$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
$ rage -d -p example.png.age >example.png
Type passphrase: [hidden]

SSH keys

As a convenience feature, rage also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ cat ~/.ssh/
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz
$ rage -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz" example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png

ssh-rsa support is currently behind the unstable feature flag.

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.


On Windows, Linux, and macOS, you can use the pre-built binaries.

The rage suite of tools are provided in the age Rust crate. If your system has Rust 1.37+ installed (either via rustup or a system package), you can build directly from source:

cargo install age

You can also use the age crate directly as a library, by adding this line to your Cargo.toml (which disables the CLI tools):

age = { version = "0.2", default-features = false }

Help from new packagers is very welcome.

Feature flags

  • cli enables the rage and rage-keygen tools, and is enabled by default.

  • mount enables the rage-mount tool, which can mount age-encrypted TAR or ZIP archives as read-only. It is currently only usable on Unix systems, as it relies on libfuse.

  • unstable enables in-development functionality. Anything behind this feature flag has no stability or interoperability guarantees.


Licensed under either of

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

You can’t perform that action at this time.