age -e -r: Encrypt Files to a Recipient
age -e -r encrypts stdin or a file to the given age public key so only the matching private key can decrypt it.
age is a small, modern file encryption tool. In CI you usually encrypt a secrets file to a recipient public key committed in the repo, then decrypt it on the runner with a key from the environment.
What it does
age -e encrypts its input; -r names a recipient public key (starts with age1...). You can pass -r multiple times or use -R to read recipients from a file. Output is binary unless you add -a for ASCII armor.
Common usage
age -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
-o secrets.env.age secrets.env
# multiple recipients, armored, from a file of keys
age -e -R recipients.txt -a -o secrets.age secrets.envOptions
| Flag | What it does |
|---|---|
| -e, --encrypt | Encrypt the input (the default action) |
| -r, --recipient <key> | Recipient public key (repeatable) |
| -R, --recipients-file <f> | Read recipient keys from a file, one per line |
| -a, --armor | Write ASCII-armored (PEM-like) output |
| -p, --passphrase | Encrypt with a passphrase instead of a key |
| -o, --output <file> | Write to a file instead of stdout |
In CI
Commit the recipient public key(s) and the encrypted blob; keep the private key in a secret. Use -a so the ciphertext is text-safe in the repo. If input comes from a pipe, age reads stdin, so cat secrets.env | age -e -r ... works too.
Common errors in CI
"age: error: -p/--passphrase can't be combined with -r/--recipient" means you passed both a passphrase and a recipient; pick one. "age: error: no identities specified" appears when you accidentally run decrypt mode. "malformed recipient" means the age1... key is truncated or has a stray newline; check the committed key file.