age-keygen: Generate an age Key Pair
age-keygen generates a new age identity (private key) and prints the matching public recipient to stderr.
You run age-keygen once to make a key pair: commit the public key as a recipient and store the private key as a CI secret. -y later recovers the public key from a private key.
What it does
age-keygen generates an X25519 key pair. By default it writes the identity to stdout and prints the public key line to stderr. With -o it writes the identity to a file. With -y it reads an identity file and prints its public key.
Common usage
age-keygen -o key.txt
# Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# recover the public key from an existing identity
age-keygen -y key.txtOptions
| Flag | What it does |
|---|---|
| -o, --output <file> | Write the identity to a file (mode 600) |
| -y | Read an identity file and print only its public key |
In CI
Generate keys locally, not in the pipeline. Store key.txt contents in a secret and reference the age1... public key in your encrypt step. To derive the recipient for sops config, age-keygen -y key.txt avoids hardcoding it in two places.
Common errors in CI
"age-keygen: warning: writing secret key to a world-readable file" prints when stdout is not a terminal and you did not use -o; redirect to a file and chmod 600, or use -o which sets 600. "age-keygen: error: no identity found in input" from -y means the file is a public key or empty, not an identity.