Age Encryption

Introduction ¶

Age – a new utility, written in Go, that supposedly performs excellent asymmetric encryption and more. Indeed, it looks simple and somewhat reminds me of Wireguard (utility wg). It encrypts the input stream to the output stream. Simple and understandable. Among its distinguishing features is the ability to encrypt for a group of recipients, so each can decrypt. Today’s task was to create backups btrfs disk partitions with home photos/video somewhere in the cloud, e.g., Backblaze, to save money. This is just not good enough (no trust in clouds). Data needs to be encrypted.

A 300 GiB partition and loading it in one piece, then storing it as a whole is very uninteresting. Split will help divide the file into chunks.

Generating Key ¶

It’s claimed that you can use a simple SSH public key instead of Age keys. Let’s try both ways.

1
2
3
4
ssh-keygen -t ed25519 -o -a 150 -qN '' -f id_ed25519
age-keygen -o age.key
age-keygen -y age.key > recipients.txt
cat id_ed25519.pub >> recipients.txt

We get such keys.

1
2
age1qrcn5glms66thfv9cj5pzdwl3z87t9evzaqlxdj9ksravmw3mypswawuag
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIObk2OuhYlrr3ezvf5gAWXgUdcLn4XQFa8B8GCRpBr9q user@host

Encryption ¶

For simplicity, let’s generate 10 MiB of random data and immediately compare the hash sums.

1
2
dd if=/dev/urandom of=data bs=1M count=10
cp data data.orig

Now we can encrypt. Using both archiving and splitting.

1
tar -cz data | age -R recipients.txt | split -b 1MiB -d - chunk-

We get 10 files from chunk-00 to chunk-10.

Decryption ¶

Decrypting using SSH key.

1
2
cat chunk-* | age -d -i id_ed25519 | tar xz
mv data data.ssh

Decrypting using Age key.

1
2
cat chunk-* | age -d -i age.key | tar xz
mv data data.age

Verification ¶

Checking the hash sums.

1
2
3
4
# sha256sum data*
5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828  data.age
5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828  data.orig
5ebc271a22cfb9af0430253c2d8f3b83d1c3f5fdd062dd0ecc6c1f2d7925b828  data.ssh

It works. As always, later we’ll find vulnerabilities, but you can use it.