
Encrypting Files with age

I wanted to keep recovery codes and other sensitive notes on my computer without leaving them as plain text. This is a short beginner-friendly note on encrypting files from the command line with age.

  • Encryption
  • age

Note: I am doing this on macOS, and this is written from a beginner’s point of view.

Installing age

brew install age

age is implemented in Go. There is also a Rust implementation called rage, but for this first attempt I used the original age command.

Encryption

The basic shape of the command is:

  • age [options] [input file]

Option             Short   Meaning
--encrypt          -e      Encrypts the input. This is the default, so it can be omitted.
--decrypt          -d      Decrypts an encrypted file.
--passphrase       -p      Uses a passphrase instead of a recipient key. Useful when you do not want to manage a key file.
--recipient        -r      Encrypts for a recipient public key. Multiple recipients are possible.
--recipients-file  -R      Reads recipients from a file.
--identity         -i      Uses your private identity file when decrypting.
--output           -o      Writes the output to a file instead of stdout.
--armor            -a      Outputs text-armored data rather than binary data. This is convenient for pasting into mail or chat.
--suffix                   Automatically adds a suffix such as .age to the output filename.

Encryption command

  • age -e -p -a [input file]

If you run this as-is, the encrypted text is printed to the terminal. Usually you want to redirect it:

age -p -a [input file] > [encrypted file]

-e can be omitted because encryption is the default behavior.

Decryption command

age -d [encrypted file] > [original file]

Trying it

Create a file named test.txt:

abc

Then run:

age -p -a test.txt

You will be prompted for a passphrase, and the terminal will print encrypted text like this:

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBveGdjRUhNUVZBTGNKeUFX
NnZpL0tnIDE4Cng2U0FvRnNjT0JCcitiVElEMXJmNEhDR0hwVG1qSElBZjl6NTlI
d3IvNUUKLS0tIHk2VnNGelZzT1A3TWUrcFA4V2MvUU1DMXNydWx0NHVjZDZBRlVL
NHdYdjAKqZIEK/mL/0kH0pFguLkAzSk0kyvEb7nbczGUEgu2+Xb5fvE=
-----END AGE ENCRYPTED FILE-----

To save it:

age -p -a test.txt > out.txt

To decrypt it:

age -d out.txt

This prints the original contents. To restore it to a file:

age -d out.txt > restored.txt
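
The armored output shown earlier is base64 over a plain-text header followed by the binary payload. The following Python is an added example, not part of the original post or of the age project: it decodes the sample from this page and reads the parts that are not encrypted. The names parse_age and plaintext_len are made up for this example, and the constants assume the age v1 layout (16-byte nonce, 64 KiB chunks, 16-byte tag per chunk).

```python
import base64

# Sample copied from the post above (output of `age -p -a test.txt`).
ARMORED = """\
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBveGdjRUhNUVZBTGNKeUFX
NnZpL0tnIDE4Cng2U0FvRnNjT0JCcitiVElEMXJmNEhDR0hwVG1qSElBZjl6NTlI
d3IvNUUKLS0tIHk2VnNGelZzT1A3TWUrcFA4V2MvUU1DMXNydWx0NHVjZDZBRlVL
NHdYdjAKqZIEK/mL/0kH0pFguLkAzSk0kyvEb7nbczGUEgu2+Xb5fvE=
-----END AGE ENCRYPTED FILE-----
"""
BEGIN, END = "-----BEGIN AGE ENCRYPTED FILE-----", "-----END AGE ENCRYPTED FILE-----"
NONCE_LEN, TAG_LEN, CHUNK = 16, 16, 64 * 1024  # assumed age v1 payload layout


def parse_age(armored: str) -> dict:
    """Return the unencrypted header fields and payload size of an armored age file."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored age file")
    raw = base64.b64decode("".join(lines[1:-1]), validate=True)
    mac_at = raw.find(b"\n--- ")  # the header ends with the "--- <MAC>" line
    if mac_at < 0:
        raise ValueError("header MAC line not found")
    end = raw.index(b"\n", mac_at + 1)
    header = raw[:end].decode("ascii").split("\n")
    if header[0] != "age-encryption.org/v1":
        raise ValueError("unexpected version line")
    # Each "-> type args..." line names one way to unlock the file key.
    stanzas = [ln[3:].split(" ") for ln in header if ln.startswith("-> ")]
    return {"version": header[0], "stanzas": stanzas, "payload_len": len(raw) - end - 1}


def plaintext_len(payload_len: int) -> int:
    """Plaintext size implied by the payload: a nonce, then chunks that each carry a tag."""
    body = payload_len - NONCE_LEN
    chunks = -(-body // (CHUNK + TAG_LEN))  # ceiling division
    return body - chunks * TAG_LEN


if __name__ == "__main__":
    info = parse_age(ARMORED)
    kind, salt, log_n = info["stanzas"][0]
    print(f"{info['version']}: {kind} stanza, scrypt work factor 2^{log_n}")
    print(f"payload {info['payload_len']} bytes -> plaintext {plaintext_len(info['payload_len'])} bytes")
```

The stanza type and the payload size are readable without the passphrase, so anyone holding the file can tell that it is passphrase-protected and how large the contents are.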

Encrypting multiple files together

age encrypts one input stream. If you want to encrypt several files together, first archive them with tar, then encrypt the archive.

tar command

tar -czf secrets.tar.gz file1.txt file2.txt folder/

This creates a compressed archive named secrets.tar.gz.

To extract it:

tar -xzf secrets.tar.gz

Encrypting the archive

tar -czf secrets.tar.gz file1.txt file2.txt folder/
age -p -a secrets.tar.gz > secrets.tar.gz.age

To decrypt and extract:

age -d secrets.tar.gz.age > secrets.tar.gz
tar -xzf secrets.tar.gz

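This is a simple workflow, but it is enough for keeping small recovery-code files or private notes out of plain text, provided you delete the unencrypted originals and the intermediate secrets.tar.gz once the .age file has been created.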