Skip to content

despair86/cage

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cage

cage is a simple, modern and secure file encryption tool.

It features small explicit keys, no config options, and UNIX-style composability. This is a C89 compliant implementation of the age spec.

UNDER CONSTRUCTION

currently only the cage-keygen is available, this will change soon:tm:.

$ cage-keygen -o key.txt
Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
$ tar cvz ~/data | cage -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
$ cage -d -i key.txt data.tar.gz.age > data.tar.gz

The format specification is at age-encryption.org/v1. To discuss the spec or other age related topics, please email the mailing list at [email protected]. age was designed by @Benjojo12 and @FiloSottile.

An alternative interoperable Rust implementation is available at github.com/str4d/rage.

The reference implementation in Go is at github.com/FiloSottile/age.

Usage

Usage:
    cage -r RECIPIENT [-a] [-o OUTPUT] [INPUT]
    cage --decrypt [-i KEY] [-o OUTPUT] [INPUT]

Options:
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -d, --decrypt               Decrypt the input to the output.
    -i, --identity KEY          Use the private key file at path KEY. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.

RECIPIENT can be an age public key, as generated by [cr]age-keygen, ("age1...")
or a SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

KEY is a path to a file with age secret keys, one per line
(ignoring "#" prefixed comments and empty lines), or to a SSH key file.
Multiple keys can be provided, and any unused ones will be ignored.

Multiple recipients

Files can be encrypted to multiple recipients by repeating -r/--recipient. Every recipient will be able to decrypt the file.

$ cage -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg

Passphrases

Files can be encrypted with a passphrase by using -p/--passphrase. By default cage will automatically generate a secure passphrase. Passphrase protected files are automatically detected at decrypt time.

$ cage -p secrets.txt > secrets.txt.age
Enter passphrase (leave empty to autogenerate a secure one):
Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
$ cage -d secrets.txt.age > secrets.txt
Enter passphrase:

SSH keys

As a convenience feature, cage also supports encrypting to ssh-rsa and ssh-ed25519 SSH public keys, and decrypting with the respective private key file. (ssh-agent is not supported.)

$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz [email protected]
$ cage -r "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZDRcvS8PnhXr30WKSKmf7WKKi92ACUa5nW589WukJz" example.jpg > example.jpg.age
$ cage -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg

Note that SSH key support employs more complex cryptography, and embeds a public key tag in the encrypted file, making it possible to track files that are encrypted to a specific public key.

Installation

You can build from source:

git clone https://github.com/despair86/cage.git && cd cage
mkdir build; cd build
cmake ..
make

Any C89 C compilation system should work without issues.

This implementation of the age v1 spec in C is issued under the terms of the zlib-libpng licence.

Releases

No releases published

Packages

No packages published