Skip to content
Latchkey

age -d -i: Decrypt With an Identity File

age -d decrypts an age-encrypted file using the private key supplied with -i, or a passphrase if the file was passphrase-encrypted.

On a runner you decrypt the committed blob with a private key that lives only in a secret. Write the key to a temp file (or pass it on stdin) and point -i at it.

What it does

age -d decrypts its input. -i (identity) supplies the private key file; you can pass -i multiple times and age tries each. For passphrase-encrypted files, omit -i and age prompts (or reads AGE-based stdin).

Common usage

Terminal
age -d -i key.txt -o secrets.env secrets.env.age
# identity from an environment secret, no file on disk
printf '%s' "$AGE_KEY" | age -d -i - secrets.env.age > secrets.env

Options

FlagWhat it does
-d, --decryptDecrypt the input
-i, --identity <file>Private key (identity) file; use - for stdin (repeatable)
-o, --output <file>Write plaintext to a file instead of stdout
-j <plugin>Use an age plugin identity (e.g. yubikey)

In CI

Reading the identity from stdin with -i - keeps the private key off disk. If you must write it to a file, put it in $RUNNER_TEMP and chmod 600, then delete it in a cleanup step.

Common errors in CI

"age: error: no identity matched any of the recipients" means the private key does not correspond to any recipient the file was encrypted to; you decrypted with the wrong key. "age: error: reading identity file: read: is a directory" means -i points at a directory. "unexpected EOF" or "not a valid age file" means the blob is corrupt or was armored/de-armored inconsistently.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →