ssh-to-age 0.2.0

Convert OpenSSH Ed25519 keys to age encryption keys.
Documentation

๐Ÿ” ssh-to-age

Convert SSH Ed25519 keys to age keys. This is useful for usage in sops-nix and sops.

This crate fills a gap in the Rust ecosystem: there is currently no Rust-native library to convert Ed25519 SSH keys into age compatible X25519 keys.
Crate like rage, doesn't convert my ssh key as exepected.
With this, you can reuse your existing SSH keypair for encryption โ€” no need to manage a separate key just for age.

๐Ÿง  Why?

Age supports encrypting to X25519 public keys. Since SSH Ed25519 keys are widely supported and already in use, this library converts them into age-compatible X25519 keys:

  • โœ… Ed25519 keys are compact, secure, and already in use for SSH.
  • โœ… Age uses X25519, a related elliptic curve, for encryption.
  • ๐Ÿ”„ This library converts Ed25519 to X25519 using proper cryptographic primitives.

Age can derive an encryption key from that public key, avoiding the need to manage yet another keypair.

๐Ÿ” What is Ed25519?

Ed25519 is a signature scheme based on the Edwards form of Curve25519. It is used for signing and is known for its speed and security.

๐Ÿ“ฆ What is age?

age is a modern, simple, and secure file encryption tool โ€” a user-friendly alternative to GPG.

๐Ÿ“ƒ What does this library do?

  • โœ… Parses OpenSSH Ed25519 private and public keys
  • ๐Ÿ” Converts them to age-compatible X25519 keys
  • ๐Ÿงพ Returns them in the correct Bech32m format (age1..., AGE-SECRET-KEY-...)
  • ๐Ÿ› ๏ธ Easily integrable in Rust projects

๐Ÿš€ Example Use Case

For use in sops-nix, where age recipients are typically stored in your Nix config:

sops.age.keyFile = "/path/to/your/AGE-SECRET-KEY-...";

Instead of generating a new age key, just convert your existing SSH key.

๐Ÿค Acknowledgements

This rust lib is inspired by the excellent work done by Mic92 and his repositorie ssh-to-age.

Let me know if you have any suggestion.