age is a file encryption tool, library, and format. It lets you encrypt files to "recipients" and decrypt them with "identities".

    $ age-keygen -o key.txt
    Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
    $ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
    $ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz

You can encrypt a file to multiple recipients and decrypt it with any of the corresponding identities.

There are built-in recipients for public keys and for password encryption, but age supports third-party recipient types at the format, library, and tool levels. These recipient implementations can offer alternative algorithms, support for specific hardware, or even make use of remote APIs such as cloud KMS. That's the one "joint" in age, which otherwise aims to have no configurability.

At the format level, an age file starts with a header that includes "stanzas", each encrypting the file key to a different recipient. The specification requires ignoring unrecognized stanzas, so third-party ones can coexist with native ones.[1]

Here, for example, is the header of a file encrypted to both a native public key recipient and a YubiKey. Note the two stanzas, each introduced by ->.

    age-encryption.org/v1
    -> piv-p256 OIF48w A7onGmpObHNfTCVLkq0QA4r4GJmzQLc6aVMAZVhrdbKb
    SZwqyoXyHDOkoIJqYvxbo2p6j6tLVHMurkLivzYFDm0
    -> X25519 z2pytFfcbnyl/ARKy1VA1W7P41Otn4ei7dNnWkf/iWw…
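The "ignore unrecognized stanzas" rule in Go, as an added example that is not part of the original post or of age's own code: ParseHeader splits a textual header into stanzas and flags, rather than rejects, any type the caller does not implement. The Stanza type, ParseHeader, the known set (a client that only implements X25519 and scrypt) and the X25519 and MAC values in the sample are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Stanza struct {
	Type       string   // first token after "->"
	Args, Body []string // remaining tokens, then the body lines that follow
	Usable     bool     // false: type not implemented here, stanza is ignored
}

// Constructed sample: piv-p256 stanza as quoted in the text; X25519 values and MAC are placeholders.
const sampleHeader = `age-encryption.org/v1
-> piv-p256 OIF48w A7onGmpObHNfTCVLkq0QA4r4GJmzQLc6aVMAZVhrdbKb
SZwqyoXyHDOkoIJqYvxbo2p6j6tLVHMurkLivzYFDm0
-> X25519 PLACEHOLDERSHARE
PLACEHOLDERWRAPPEDKEY
--- PLACEHOLDERMAC`

// ParseHeader splits an age v1 header into stanzas. Simplification (assumption): a body
// runs to the next "->" or "---" line, unambiguous because base64 never starts with "-".
func ParseHeader(h string, known map[string]bool) ([]Stanza, error) {
	lines := strings.Split(strings.TrimSpace(h), "\n")
	if lines[0] != "age-encryption.org/v1" {
		return nil, errors.New("not an age v1 header")
	}
	var all []Stanza
	for _, l := range lines[1:] {
		switch f := strings.Fields(l); {
		case len(f) > 1 && f[0] == "->":
			all = append(all, Stanza{Type: f[1], Args: f[2:], Usable: known[f[1]]})
		case len(f) > 0 && f[0] == "---" && len(all) > 0:
			return all, nil // unknown stanzas are kept but flagged, never an error
		case len(all) > 0:
			all[len(all)-1].Body = append(all[len(all)-1].Body, l)
		default:
			return nil, errors.New("data before first stanza")
		}
	}
	return nil, errors.New("truncated header: no --- MAC line")
}

func main() {
	st, err := ParseHeader(sampleHeader, map[string]bool{"X25519": true, "scrypt": true})
	fmt.Println(st, err)
}
```

A header cut off before its --- line, like the excerpt quoted above, is reported as an error rather than partially accepted.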
