# Encryption using SSH Keys with age in Linux In this article I want to share a method to use your SSH keypair to encrypt messages. We are going to use [age](https://github.com/FiloSottile/age) in Ubuntu 24.04. The **installation guide** can be found in [the official repo](https://github.com/FiloSottile/age?tab=readme-ov-file#installation). --- ## Limitations Before we start with usage, let me share some limitations. Not all SSH key types are suited for encryption - even tho there seem to be workarounds. In a [Github comment](https://github.com/str4d/rage/issues/272#issuecomment-970193691) it was mentioned by 'str4d' that `sk-* SSH keys` won't work as they only provide support for authentication. The same seems to be the case for **ECDSA** (Elliptic Curve Digital Signature Algorithm) SSH keys as I got the following error message while testing: `age: warning: recipients file "./age-testing.pub": ignoring unsupported SSH key of type "ecdsa-sha2-nistp521" at line 1` --- **In this article I'll be working with EdDSA-ed25519 and RSA SSH keys.** ```bash # RSA (Rivest–Shamir–Adleman): ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey # EdDSA ed25519: ssh-keygen -t ed25519 -f ~/.ssh/nameofthekey ``` Additionally, the `ssh-agent` is **[not](https://github.com/FiloSottile/age?tab=readme-ov-file#ssh-keys)** supported. --- ## Usage Common use cases are to encrypt data to allow you to store ore transfer it securly in an untrusted or unknwon environment. You can make sure that only recipients with the right private key can decrypt the files, messages, or whatever. --- ### Simple Examples Used version: ```bash age --version 1.1.1 ``` **Encryption of a simple string with SSH public key:** ```bash echo "Cheers" | age -R ~/.ssh/id_ssh.pub > cheers.txt ``` Encrypted content: ```bash cat cheers.txt age-encryption.org/v1 -> ssh-ed25519 7uu5gg 4ivp9LPXTVu6ryrhuSskhL5A3RuQWL8XAg5mxbx6v0s kGJzFPj2TiwrvrWmVonCsGcWeYmQ7qsV5WXNrf6c0H0 --- Rr+SI6g+73XM6R3CTa7WVp4eEDBgdmZMlsjhHihwjz4 ``` Decrypt file with SSH private key: ```bash cat cheers.txt | age -d -i ~/.ssh/id_ssh Cheers ``` --- **To encrypt files**, we build upon the example from the official documentation: ```bash tar cvz ./data | age -R ~/.ssh/id_ssh.pub | base64 > data.tar.gz.age ./data/ ./data/random-video.mp4 ``` Remove the source files: ```bash rm -r ./data ``` Decrypt files: ```bash cat data.tar.gz.age | base64 --decode | age -d -i ~/.ssh/id_ssh | tar xzv ./data/ ./data/random-video.mp4 ``` **Side Note:** I'll use `base64` encoding to make it more compatible with more services as some tools might not like the binary encoding. **Addition:** Instead of the `base64` encoding, you could use `a, --armor` to have a more compatible format like this: ```bash # Encryption tar cvz ./data | age -a -R ~/.ssh/id_ssh.pub > data.tar.gz.armor.age # Format head -5 data.tar.gz.armor.age -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd1dTVnZyBjL0Zo eTJUWDdDR0YzdzdjdDJEZjVxV0NRS1kxMlJWZEt5Y1hONGp4OHljCmJCdjBrUWlZ QitTcC9Na1BDV2NCbHJsSlhaVHRJMElJMkJxUVdSd3ZFRjAKLS0tIGdSRHJFRVBV NkFFbjNTbStBLzg0THJCM0lCMHdKbzhvRS9YemhISlRUY0kKK7Cxnu172NVbpBaa # Decryption cat data.tar.gz.armor.age | age -d -i ~/.ssh/id_ssh | tar xzv ``` [Thank you technomancy for pointing it out!](https://lobste.rs/s/vt2gjb/encryption_using_ssh_keys_with_age_linux) --- ### Practical Example There a multiple CLI paste service that allow you to share configs, error messages, and so on. Examples are [0x0.st](https://0x0.st/) or [linedump.com](https://linedump.com/). Encrypting the payload makes sure that nobody else can read the content. **Upload** String: : `echo "Cheers" | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.com` File: : `age -R ~/.ssh/id_ssh.pub -o - file.txt | base64 | curl -X POST --data-binary @- https://linedump.com` Command: : `ip -br a | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.com` **Download** Save to file: : `curl -s https://linedump.com/{paste_id} | base64 -d | age -d -i ~/.ssh/id_ssh > output3.txt` **Side Notes**: A disclaimer: Linedump is a project of mine which was one reason to look into the encryption with SSH keypairs for some automation. --- ### Multiple recipients `age` allows you to encrypt for multiple recipients which can decrypt it individually, which is great for a team or some automation and syncing. Simply use multiple `-r/--recipient` flags - which requires the public key in the command or simply add the public keys to a file and use `-R` - one key per line. Official documentation: ```bash cat recipients.txt # Alice age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p # Bob age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg age -R recipients.txt example.jpg > example.jpg.age ```