Skip to content
Latchkey

age-keygen: Generate an age Key Pair

age-keygen generates a new age identity (private key) and prints the matching public recipient to stderr.

You run age-keygen once to make a key pair: commit the public key as a recipient and store the private key as a CI secret. -y later recovers the public key from a private key.

What it does

age-keygen generates an X25519 key pair. By default it writes the identity to stdout and prints the public key line to stderr. With -o it writes the identity to a file. With -y it reads an identity file and prints its public key.

Common usage

Terminal
age-keygen -o key.txt
# Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# recover the public key from an existing identity
age-keygen -y key.txt

Options

FlagWhat it does
-o, --output <file>Write the identity to a file (mode 600)
-yRead an identity file and print only its public key

In CI

Generate keys locally, not in the pipeline. Store key.txt contents in a secret and reference the age1... public key in your encrypt step. To derive the recipient for sops config, age-keygen -y key.txt avoids hardcoding it in two places.

Common errors in CI

"age-keygen: warning: writing secret key to a world-readable file" prints when stdout is not a terminal and you did not use -o; redirect to a file and chmod 600, or use -o which sets 600. "age-keygen: error: no identity found in input" from -y means the file is a public key or empty, not an identity.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →