cf7/ittavern.com
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions
ittavern.com/items/2025-10-26_long_encryption-using-ssh-keys-with-age-in-linux.md
CaffeineFueled 3484b45045
init - PoC
2025-10-27 20:12:00 +01:00

160 lines
4.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Encryption using SSH Keys with age in Linux
In this article I want to share a method to use your SSH keypair to encrypt messages. We are going to use [age](https://github.com/FiloSottile/age) in Ubuntu 24.04.
The **installation guide** can be found in [the official repo](https://github.com/FiloSottile/age?tab=readme-ov-file#installation).
---
## Limitations
Before we start with usage, let me share some limitations. Not all SSH key types are suited for encryption - even tho there seem to be workarounds. In a [Github comment](https://github.com/str4d/rage/issues/272#issuecomment-970193691) it was mentioned by 'str4d' that `sk-* SSH keys` won't work as they only provide support for authentication.
The same seems to be the case for **ECDSA** (Elliptic Curve Digital Signature Algorithm) SSH keys as I got the following error message while testing:
`age: warning: recipients file "./age-testing.pub": ignoring unsupported SSH key of type "ecdsa-sha2-nistp521" at line 1`
---
**In this article I'll be working with EdDSA-ed25519 and RSA SSH keys.**
```bash
# RSA (RivestShamirAdleman):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/nameofthekey
# EdDSA ed25519:
ssh-keygen -t ed25519 -f ~/.ssh/nameofthekey
```
Additionally, the `ssh-agent` is **[not](https://github.com/FiloSottile/age?tab=readme-ov-file#ssh-keys)** supported.
---
## Usage
Common use cases are to encrypt data to allow you to store ore transfer it securly in an untrusted or unknwon environment. You can make sure that only recipients with the right private key can decrypt the files, messages, or whatever.
---
### Simple Examples
Used version:
```bash
age --version
1.1.1
```
**Encryption of a simple string with SSH public key:**
```bash
echo "Cheers" | age -R ~/.ssh/id_ssh.pub > cheers.txt
```
Encrypted content:
```bash
cat cheers.txt
age-encryption.org/v1
-> ssh-ed25519 7uu5gg 4ivp9LPXTVu6ryrhuSskhL5A3RuQWL8XAg5mxbx6v0s
kGJzFPj2TiwrvrWmVonCsGcWeYmQ7qsV5WXNrf6c0H0
--- Rr+SI6g+73XM6R3CTa7WVp4eEDBgdmZMlsjhHihwjz4
```
Decrypt file with SSH private key:
```bash
cat cheers.txt | age -d -i ~/.ssh/id_ssh
Cheers
```
---
**To encrypt files**, we build upon the example from the official documentation:
```bash
tar cvz ./data | age -R ~/.ssh/id_ssh.pub | base64 > data.tar.gz.age
./data/
./data/random-video.mp4
```
Remove the source files:
```bash
rm -r ./data
```
Decrypt files:
```bash
cat data.tar.gz.age | base64 --decode | age -d -i ~/.ssh/id_ssh | tar xzv
./data/
./data/random-video.mp4
```
**Side Note:** I'll use `base64` encoding to make it more compatible with more services as some tools might not like the binary encoding.
**Addition:** Instead of the `base64` encoding, you could use `a, --armor` to have a more compatible format like this:
```bash
# Encryption
tar cvz ./data | age -a -R ~/.ssh/id_ssh.pub > data.tar.gz.armor.age
# Format
head -5 data.tar.gz.armor.age
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDd1dTVnZyBjL0Zo
eTJUWDdDR0YzdzdjdDJEZjVxV0NRS1kxMlJWZEt5Y1hONGp4OHljCmJCdjBrUWlZ
QitTcC9Na1BDV2NCbHJsSlhaVHRJMElJMkJxUVdSd3ZFRjAKLS0tIGdSRHJFRVBV
NkFFbjNTbStBLzg0THJCM0lCMHdKbzhvRS9YemhISlRUY0kKK7Cxnu172NVbpBaa
# Decryption
cat data.tar.gz.armor.age | age -d -i ~/.ssh/id_ssh | tar xzv
```
[Thank you technomancy for pointing it out!](https://lobste.rs/s/vt2gjb/encryption_using_ssh_keys_with_age_linux)
---
### Practical Example
There a multiple CLI paste service that allow you to share configs, error messages, and so on. Examples are [0x0.st](https://0x0.st/) or [linedump.com](https://linedump.com/).
Encrypting the payload makes sure that nobody else can read the content.
**Upload**
String:
: `echo "Cheers" | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.com`
File:
: `age -R ~/.ssh/id_ssh.pub -o - file.txt | base64 | curl -X POST --data-binary @- https://linedump.com`
Command:
: `ip -br a | age -R ~/.ssh/id_ssh.pub | base64 | curl -X POST --data-binary @- https://linedump.com`
**Download**
Save to file:
: `curl -s https://linedump.com/{paste_id} | base64 -d | age -d -i ~/.ssh/id_ssh > output3.txt`
**Side Notes**: A disclaimer: Linedump is a project of mine which was one reason to look into the encryption with SSH keypairs for some automation.
---
### Multiple recipients
`age` allows you to encrypt for multiple recipients which can decrypt it individually, which is great for a team or some automation and syncing.
Simply use multiple `-r/--recipient` flags - which requires the public key in the command or simply add the public keys to a file and use `-R` - one key per line.
Official documentation:
```bash
cat recipients.txt
# Alice
age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# Bob
age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
age -R recipients.txt example.jpg > example.jpg.age
```
Reference in a new issue View git blame Copy permalink