Encryption using SSH Keypairs with age in Linux

CaffeineFueled

2025/10/26

In this article I want to share a method to use your SSH keypair to encrypt messages. We are going to use age in Ubuntu 24.04.

The installation guide can be found in the official repo.


Limitations

Before we start with usage, let me share some limitations. Not all SSH key types are suited for encryption, even though there seem to be workarounds. In a GitHub comment, ‘str4d’ mentioned that sk-* SSH keys won’t work, as they only support authentication.

The same seems to be the case for ECDSA (Elliptic Curve Digital Signature Algorithm) SSH keys as I got the following error message while testing:

age: warning: recipients file "./age-testing.pub": ignoring unsupported SSH key of type "ecdsa-sha2-nistp521" at line 1


In this article I’ll be working with EdDSA-ed25519 and RSA SSH keys.

# RSA (Rivest–Shamir–Adleman):
    ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey
# EdDSA ed25519:
    ssh-keygen -t ed25519 -f ~/.ssh/nameofthekey

Additionally, the ssh-agent is not supported.


Usage

A common use case is encrypting data so that you can store or transfer it securely in an untrusted or unknown environment. Only recipients with the right private key can decrypt the files, messages, or whatever else you encrypt.


age Examples

Used version:

age --version
1.1.1

Encryption of a simple string with SSH public key:

echo "Cheers" | age -R ./second-try.pub > cheers.txt

Encrypted content:

cat cheers.txt 

age-encryption.org/v1
-> ssh-ed25519 7uu5gg 4ivp9LPXTVu6ryrhuSskhL5A3RuQWL8XAg5mxbx6v0s
kGJzFPj2TiwrvrWmVonCsGcWeYmQ7qsV5WXNrf6c0H0
--- Rr+SI6g+73XM6R3CTa7WVp4eEDBgdmZMlsjhHihwjz4

Decrypt file with SSH private key:

cat cheers.txt | age -d -i ./second-try

Cheers

To encrypt files, we build upon the example from the official documentation:

tar cvz ./data | age -R ./second-try.pub | base64 > data.tar.gz.age

./data/
./data/random-video.mp4

Remove the source files:

rm -r ./data

Decrypt files:

cat data.tar.gz.age | base64 --decode | age -d -i ./second-try | tar xzv

./data/
./data/random-video.mp4

Side note: I use base64 encoding to make the output compatible with more services, as some tools might not like binary data.


Multiple recipients

age allows you to encrypt for multiple recipients, each of whom can decrypt the data individually, which is great for a team or for automation and syncing.

Either use multiple -r/--recipient flags, which requires the public keys in the command itself, or add the public keys to a file, one key per line, and pass it with -R.

Example from the official documentation:

cat recipients.txt

# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg

age -R recipients.txt example.jpg > example.jpg.age
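
The warning quoted under Limitations shows that an unsupported SSH key in a recipients file is ignored rather than treated as an error, so with several recipients one of them can end up unable to decrypt. The following pre-flight check is an added example, not part of the original article or the age project; the function names and the sample file with placeholder key material are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for an age recipients file (used with -R).

# classify_recipient LINE -> prints skip | ok | unsupported | unknown
classify_recipient() {
    case "$1" in
        ''|'#'*)                     echo skip ;;        # blank line or comment
        'ssh-ed25519 '*|'ssh-rsa '*) echo ok ;;          # SSH key types the article works with
        age1*)                       echo ok ;;          # native age recipient
        sk-*|ecdsa-*)                echo unsupported ;; # types the article reports as not working
        *)                           echo unknown ;;
    esac
}

# check_recipients FILE -> one report line per unusable entry; returns 1 if any
check_recipients() {
    n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        verdict=$(classify_recipient "$line")
        case "$verdict" in
            unsupported|unknown)
                bad=$((bad + 1))
                # Report only the key type, never the key material.
                echo "line $n: $verdict key type '${line%% *}'" ;;
        esac
    done < "$1"
    [ "$bad" -eq 0 ]
}

# write_sample FILE -> constructed recipients file (placeholder key material)
write_sample() {
    cat > "$1" <<'EOF'
# Alice
ssh-ed25519 AAAA-constructed-placeholder alice@example
# Bob
ecdsa-sha2-nistp521 AAAA-constructed-placeholder bob@example
# Carol (hardware token)
sk-ssh-ed25519@openssh.com AAAA-constructed-placeholder carol@example
# Dave
ssh-rsa AAAA-constructed-placeholder dave@example
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_recipients "$sample" || echo "fix the entries above before running: age -R <file>"
rm -f "$sample"
```

On the constructed sample, the check flags Bob's ECDSA key and Carol's sk-* key, the two entries that would not be able to decrypt.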

