rage 0.6.1

[BETA] A simple, secure, and modern encryption tool.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

# rage: Rust implementation of age

rage is a simple, modern, and secure file encryption tool, using the *age*
format. It features small explicit keys, no config options, and UNIX-style
composability.

The format specification is at [age-encryption.org/v1](https://age-encryption.org/v1).
To discuss the spec or other age related topics, please email
[the mailing list](https://groups.google.com/d/forum/age-dev) at
age-dev@googlegroups.com. age was designed by
[@Benjojo12](https://twitter.com/Benjojo12) and
[@FiloSottile](https://twitter.com/FiloSottile).

The reference interoperable Golang implementation is available at
[filippo.io/age](https://filippo.io/age).

## Usage

```
Usage:
  rage [--encrypt] -r RECIPIENT [-i IDENTITY] [-a] [-o OUTPUT] [INPUT]
  rage --decrypt [-i IDENTITY] [-o OUTPUT] [INPUT]

Positional arguments:
  INPUT                       Path to a file to read from.

Optional arguments:
  -h, --help                  Print this help message and exit.
  -V, --version               Print version info and exit.
  -e, --encrypt               Encrypt the input (the default).
  -d, --decrypt               Decrypt the input.
  -p, --passphrase            Encrypt with a passphrase instead of recipients.
  --max-work-factor WF        Maximum work factor to allow for passphrase decryption.
  -a, --armor                 Encrypt to a PEM encoded format.
  -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. May be repeated.
  -R, --recipients-file PATH  Encrypt to the recipients listed at PATH. May be repeated.
  -i, --identity IDENTITY     Use the identity file at IDENTITY. May be repeated.
  -o, --output OUTPUT         Write the result to the file at path OUTPUT.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

RECIPIENT can be:
- An age public key, as generated by rage-keygen ("age1...").
- An SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

PATH is a path to a file containing age recipients, one per line
(ignoring "#" prefixed comments and empty lines).

IDENTITY is a path to a file with age identities, one per line
(ignoring "#" prefixed comments and empty lines), or to an SSH key file.
Multiple identities may be provided, and any unused ones will be ignored.
```

### Multiple recipients

Files can be encrypted to multiple recipients by repeating `-r/--recipient`.
Every recipient will be able to decrypt the file.

```bash
$ rage -o example.png.age -r age1uvscypafkkxt6u2gkguxet62cenfmnpc0smzzlyun0lzszfatawq4kvf2u \
    -r age1ex4ty8ppg02555at009uwu5vlk5686k3f23e7mac9z093uvzfp8sxr5jum example.png
```

#### Recipient files

Multiple recipients can also be listed one per line in one or more files passed
with the `-R/--recipients-file` flag.

```
$ cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
$ rage -R recipients.txt example.jpg > example.jpg.age
```

### Passphrases

Files can be encrypted with a passphrase by using `-p/--passphrase`. By default
rage will automatically generate a secure passphrase.

```bash
$ rage -p -o example.png.age example.png
Type passphrase (leave empty to autogenerate a secure one): [hidden]
Using an autogenerated passphrase:
    kiwi-general-undo-bubble-dwarf-dizzy-fame-side-sunset-sibling
$ rage -d example.png.age >example.png
Type passphrase: [hidden]
```

### SSH keys

As a convenience feature, rage also supports encrypting to `ssh-rsa` and
`ssh-ed25519` SSH public keys, and decrypting with the respective private key
file. (`ssh-agent` is not supported.)

```
$ rage -R ~/.ssh/id_ed25519.pub example.png > example.png.age
$ rage -d -i ~/.ssh/id_ed25519 example.png.age > example.png
```

Note that SSH key support employs more complex cryptography, and embeds a public
key tag in the encrypted file, making it possible to track files that are
encrypted to a specific public key.

## Installation

On macOS or Linux, you can use Homebrew:

```
brew tap str4d.xyz/rage https://str4d.xyz/rage
brew install rage
```

On Windows, Linux, and macOS, you can use the
[pre-built binaries](https://github.com/str4d/rage/releases).

If your system has Rust 1.47+ installed (either via `rustup` or a system
package), you can build directly from source:

```
cargo install rage
```

> Note: previously the `rage` suite of tools was provided in the `age` Rust
> crate. This is no longer the case; `age` now only contains the Rust library.

Help from new packagers is very welcome.

### Feature flags

- `mount` enables the `rage-mount` tool, which can mount age-encrypted TAR or
  ZIP archives as read-only. It is currently only usable on Unix systems, as it
  relies on `libfuse`.

- `ssh` (enabled by default) enables support for reusing existing SSH key files
  for age encryption.

- `unstable` enables in-development functionality. Anything behind this feature
  flag has no stability or interoperability guarantees.

## License

Licensed under either of

 * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
   http://www.apache.org/licenses/LICENSE-2.0)
 * MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT)

at your option.

### Contribution

Unless you explicitly state otherwise, any contribution intentionally
submitted for inclusion in the work by you, as defined in the Apache-2.0
license, shall be dual licensed as above, without any additional terms or
conditions.