Skip to content
Latchkey

rage: The Rust age Implementation

rage is a compatible Rust port of age; files encrypted by one decrypt with the other, using nearly identical flags.

If your runner ships rage instead of the Go age binary, the commands are the same. rage packages the key generator as rage-keygen and adds a few conveniences.

What it does

rage encrypts and decrypts files in the age format. It reads the same age1... recipients and identity files as Go age, so a blob produced by age -e decrypts with rage -d and vice versa.

Common usage

Terminal
rage-keygen -o key.txt
rage -e -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
  -a -o secrets.age secrets.env
rage -d -i key.txt -o secrets.env secrets.age

Options

FlagWhat it does
-e / -dEncrypt or decrypt (same as age)
-r, --recipient <key>Recipient public key (repeatable)
-i, --identity <file>Identity (private key) file for decryption
-a, --armorASCII-armored output
-p, --passphraseUse a passphrase instead of keys

In CI

rage and age are interchangeable for the file format, so you can encrypt locally with age and decrypt on the runner with rage if that is what the image has. Check rage --version in a setup step if a script assumes one binary.

Common errors in CI

"command not found: rage" simply means the image ships the Go age binary as age; call that instead. Errors mirror age: "no identity matched any of the recipients" for a wrong key, and "failed to read header: unexpected EOF" for a truncated file.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →