Skip to content
Latchkey

age -e -r: Encrypt Files to a Recipient

age -e -r encrypts stdin or a file to the given age public key so only the matching private key can decrypt it.

age is a small, modern file encryption tool. In CI you usually encrypt a secrets file to a recipient public key committed in the repo, then decrypt it on the runner with a key from the environment.

What it does

age -e encrypts its input; -r names a recipient public key (starts with age1...). You can pass -r multiple times or use -R to read recipients from a file. Output is binary unless you add -a for ASCII armor.

Common usage

Terminal
age -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
  -o secrets.env.age secrets.env
# multiple recipients, armored, from a file of keys
age -e -R recipients.txt -a -o secrets.age secrets.env

Options

FlagWhat it does
-e, --encryptEncrypt the input (the default action)
-r, --recipient <key>Recipient public key (repeatable)
-R, --recipients-file <f>Read recipient keys from a file, one per line
-a, --armorWrite ASCII-armored (PEM-like) output
-p, --passphraseEncrypt with a passphrase instead of a key
-o, --output <file>Write to a file instead of stdout

In CI

Commit the recipient public key(s) and the encrypted blob; keep the private key in a secret. Use -a so the ciphertext is text-safe in the repo. If input comes from a pipe, age reads stdin, so cat secrets.env | age -e -r ... works too.

Common errors in CI

"age: error: -p/--passphrase can't be combined with -r/--recipient" means you passed both a passphrase and a recipient; pick one. "age: error: no identities specified" appears when you accidentally run decrypt mode. "malformed recipient" means the age1... key is truncated or has a stray newline; check the committed key file.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →