Crate age

source ·
Expand description

Library for encrypting and decrypting age files

This crate implements file encryption according to the age-encryption.org/v1 specification. It generates and consumes encrypted files that are compatible with the rage CLI tool, as well as the reference Go implementation.

The encryption and decryption APIs are provided by Encryptor and Decryptor. There are several ways to use these:

Age-encrypted files are binary and non-malleable. To encode them as text, use the wrapping readers and writers in the armor module, behind the armor feature flag.

Caution: all crate versions prior to 1.0 are beta releases for testing purposes only.

§Examples

§Recipient-based encryption

use std::io::{Read, Write};
use std::iter;

let key = age::x25519::Identity::generate();
let pubkey = key.to_public();

let plaintext = b"Hello world!";

// Encrypt the plaintext to a ciphertext...
let encrypted = {
    let encryptor = age::Encryptor::with_recipients(vec![Box::new(pubkey)])
        .expect("we provided a recipient");

    let mut encrypted = vec![];
    let mut writer = encryptor.wrap_output(&mut encrypted)?;
    writer.write_all(plaintext)?;
    writer.finish()?;

    encrypted
};

// ... and decrypt the obtained ciphertext to the plaintext again.
let decrypted = {
    let decryptor = match age::Decryptor::new(&encrypted[..])? {
        age::Decryptor::Recipients(d) => d,
        _ => unreachable!(),
    };

    let mut decrypted = vec![];
    let mut reader = decryptor.decrypt(iter::once(&key as &dyn age::Identity))?;
    reader.read_to_end(&mut decrypted);

    decrypted
};

assert_eq!(decrypted, plaintext);

§Passphrase-based encryption

use age::secrecy::Secret;
use std::io::{Read, Write};

let plaintext = b"Hello world!";
let passphrase = "this is not a good passphrase";

// Encrypt the plaintext to a ciphertext using the passphrase...
let encrypted = {
    let encryptor = age::Encryptor::with_user_passphrase(Secret::new(passphrase.to_owned()));

    let mut encrypted = vec![];
    let mut writer = encryptor.wrap_output(&mut encrypted)?;
    writer.write_all(plaintext)?;
    writer.finish()?;

    encrypted
};

// ... and decrypt the ciphertext to the plaintext again using the same passphrase.
let decrypted = {
    let decryptor = match age::Decryptor::new(&encrypted[..])? {
        age::Decryptor::Passphrase(d) => d,
        _ => unreachable!(),
    };

    let mut decrypted = vec![];
    let mut reader = decryptor.decrypt(&Secret::new(passphrase.to_owned()), None)?;
    reader.read_to_end(&mut decrypted);

    decrypted
};

assert_eq!(decrypted, plaintext);

Re-exports§

Modules§

  • I/O helper structs for the age ASCII armor format.
  • cli_commoncli-common
    Common helpers for CLI binaries.
  • Decryptors for age.
  • The “encrypted age identity file” identity type.
  • pluginplugin
    Support for the age plugin system.
  • sshssh
    The “ssh-rsa” and “ssh-ed25519” recipient types, which allow reusing existing SSH keys for encryption with age-encryption.org/v1.
  • I/O helper structs for age file encryption and decryption.
  • The “x25519” recipient type, native to age.

Structs§

  • Encryptor for creating an age file.
  • A list of identities that has been parsed from some input file.

Enums§

Traits§

  • Callbacks that might be triggered during encryption or decryption.
  • A private key or other value that can unwrap an opaque file key from a recipient stanza.
  • A public key or other value that can wrap an opaque file key to a recipient stanza.

Functions§