rage: The Rust age Implementation
rage is a compatible Rust port of age; files encrypted by one decrypt with the other, using nearly identical flags.
If your runner ships rage instead of the Go age binary, the commands are the same. rage packages the key generator as rage-keygen and adds a few conveniences.
What it does
rage encrypts and decrypts files in the age format. It reads the same age1... recipients and identity files as Go age, so a blob produced by age -e decrypts with rage -d and vice versa.
Common usage
rage-keygen -o key.txt
rage -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
-a -o secrets.age secrets.env
rage -d -i key.txt -o secrets.env secrets.ageOptions
| Flag | What it does |
|---|---|
| -e / -d | Encrypt or decrypt (same as age) |
| -r, --recipient <key> | Recipient public key (repeatable) |
| -i, --identity <file> | Identity (private key) file for decryption |
| -a, --armor | ASCII-armored output |
| -p, --passphrase | Use a passphrase instead of keys |
In CI
rage and age are interchangeable for the file format, so you can encrypt locally with age and decrypt on the runner with rage if that is what the image has. Check rage --version in a setup step if a script assumes one binary.
Common errors in CI
"command not found: rage" simply means the image ships the Go age binary as age; call that instead. Errors mirror age: "no identity matched any of the recipients" for a wrong key, and "failed to read header: unexpected EOF" for a truncated file.