Age is a simple, modern and secure file encryption tool, format, and Go library

Ecosystem and integrations

  • Age has a growing ecosystem: Rust implementation (rage), TypeScript implementation, YubiKey plugin, Windows GUI, Emacs integration, and a password-store replacement.
  • A curated list of third‑party tools and an official spec and test suite exist, enabling multiple interoperable implementations.

NixOS and secrets management

  • Age plus tools like agenix (and nix-sops) are widely used to manage NixOS secrets while keeping the Nix store world‑readable.
  • Secrets are committed encrypted in Git alongside configuration; servers just need the private key to decrypt on activation.
  • This reduces the number of “out‑of‑band” secrets to mainly SSH keys and allows secrets/config changes to be tracked together.
  • There are tools to generate secrets on the fly and to rekey stored secrets.
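
The workflow above, sketched as an agenix NixOS module fragment. This is an added example, not configuration from the discussion or from the agenix project; the secret name, service, owner and file paths are hypothetical, and it assumes the agenix module is already imported.

```nix
# configuration.nix fragment (constructed example; names and paths are hypothetical).
# Assumes secrets/secrets.nix declares who may decrypt the file, e.g.:
#   { "pgpass.age".publicKeys = [ adminKey hostKey ]; }
# where adminKey and hostKey are SSH public keys (placeholders here).
{ config, pkgs, ... }:
{
  # Private keys tried for decryption at activation. They live outside
  # the Nix store and are the only out-of-band secret the host needs.
  age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

  # Only the ciphertext (committed to Git) is copied into the
  # world-readable store; the plaintext is written at activation,
  # by default under /run/agenix, with the ownership set here.
  age.secrets.pgpass = {
    file = ./secrets/pgpass.age;
    owner = "postgres";
    group = "postgres";
    mode = "0400";
  };

  # Pass the path, not the contents: the plaintext exists only at
  # runtime, so it never becomes part of a derivation.
  systemd.services.db-dump = {
    description = "Nightly database dump (hypothetical service)";
    startAt = "daily";
    environment.PGPASSFILE = config.age.secrets.pgpass.path;
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      ExecStart = "${pkgs.postgresql}/bin/pg_dumpall --file=/var/backup/all.sql";
    };
  };
}
```

With this layout, `agenix -e pgpass.age` edits a secret and `agenix -r` re-encrypts all secrets after the recipient list in secrets.nix changes.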

Comparison to other tools

  • SOPS, git-crypt, Ansible’s vault, and Kubernetes-focused setups are discussed as alternatives. Some prefer SOPS for team scaling; some dislike YAML-heavy workflows.
  • Age is seen as much simpler and more pleasant than GPG/PGP, but it intentionally omits signing and key/cert management.
  • A modern PGP implementation (sq/Sequoia) is mentioned as attractive for people who need full signing/auth and interoperability.
  • Another tool, Kryptor, claims stronger metadata hiding and post‑quantum properties; age’s maintainer responds with a detailed comparison, noting differing goals.

Security properties and debates

  • Age uses modern, standard cryptography and has a public format spec. Multiple commenters emphasize it is not “specless.”
  • It provides authenticated encryption, but sender authentication and signatures are treated as separate concerns, with the recommendation to handle them using tools like minisign/signify.
  • There is nuanced discussion about combining encryption and signing (sign‑then‑encrypt vs encrypt‑then‑sign vs signcryption) and about “surreptitious forwarding.”
  • Topics like post‑quantum security, key commitment, size padding, and indistinguishability from random are discussed; age deliberately trades off some properties for simplicity and UX, with padding planned for a future version.
  • Some criticize marketing it as “secure” without third‑party audits; others argue the maintainer’s credentials and open spec/code are strong signals, and meaningful crypto audits are rare and specialized.

Usability, deployment, and backups

  • Age is praised for intuitive CLI design and being easy to pair with hardware keys and password managers.
  • Some wish age (and tools like jq) were standard on Unix systems; others note modern package managers make installation easy.
  • For backups, several people suggest using specialized tools like restic or borg; however, tar → age → cloud is considered acceptable for small/simple use cases, with the trade‑off of no deduplication or backup metadata.