Starting with Rage on OpenSUSE

Starting with Rage on OpenSUSE

Rage is a rust implementation of Age, a modern, simple and secure file encryption tool. It is easier to use than other tools like GPG, and being written in a memory safe language it avoids many of the exploits that may occur in C based tools.

Installing Rage

You can install rage on leap or tumbleweed from zypper

zypper install rage-encryption

Alternately you can install from cargo with

cargo install rage

Key management

The recipient must generate a key. This can be either a rage key, or an ssh key which is of the form ssh-rsa or ssh-ed25519.

# The public key is displayed.
rage-keygen -o ~/rage.key
# age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg

To use ssh keys, you can generate a key with:

ssh-keygen -t ed25519
# cat /root/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1kWXiYIn/VWzo0DlnIp3cRx/kZd6d9WbwehKJpPx1R

Encrypting to a public key

You encrypt a file to the owner of the public key with:

rage -e -r <pub key> -o <encrypted output> <input>
# With their rage public key.
rage -e -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg -o ~/encyrpted.age data

Alternately, if you want to allow the content of the encrypted file to be base64 for emailing (note the -a):

rage -e -a -r <pub key> -o <encrypted output> <input>
# With their rage public key.
rage -e -a -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg \
    -o ~/encyrpted.age data

# cat /tmp/encrypted
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaDNTNHR0dlI5RkRudmpH
NEUrT1RrQ3pZdjM5alRVYThDeG5xdTBxd1EwCjYxVGkwV05ibXlWeUN3MWVuNTBC
Qk1SdEwyd3J1RjgrNVkxem5pbHJscVEKLT4gTyI7WFQtZ3JlYXNlIEZDXyBiICFV
NgpoTlJ5ME95azMycE5GbS9oS0h6a280RlRTRHNKbE9mMGZjTmFCUjB6aWEwZGxU
Rjg1RkZmdkhBSkU4Y1dZdEM3CjV0VXl4dE5Qd3E0SU1GSXNIejQKLS0tIFhscDBn
MlBiTmxPekthY1RabVcxN0JkQnJsd3RKUkpTKzRkelZ1eDFXSk0KHzCOyBZHPe/P
cV3Fez6yusycXcm83Bt+N2yHTG2utOGxfmIxb5c=
-----END AGE ENCRYPTED FILE-----

The ssh public key can be encrypted to if the public key is in a file

rage -e -a -R <path to public key> -o <encrypted output> <input>
# Using the ssh public key in a file
rage -e -a -R ~/id_ed25519.pub -o /tmp/ssh-encrypted data

Decrypting a file

The recipient can then decrypt with:

rage -d -i <path to private key> -o <decrypted output> <encrypted input>

rage -d -i ~/rage.key -o /tmp/decrypted /tmp/encrypted

# cat /tmp/decrypted
hello

With an ssh private key

rage -d -i <path to ssh private key> -o <decrypted output> <encrypted input>

rage -d -i ~/.ssh/id_ed25519 -o /tmp/ssh-decrypted /tmp/ssh-encrypted

Encrypt to multiple recipients

Rage can encrypt to multiple identities at a time.

rage -e -a -R <first ssh pub key> -R <second pub key> ... -o <encrypted output> <input>
rage -e -a -r <first pub key> -r <second pub key> ... -o <encrypted output> <input>
rage -e -a -R <first ssh pub key> -r <first rage pub key> ... -o <encrypted output> <input>

rage -e -a -R /root/.ssh/id_ed25519.pub \
    -r age1h8equ4vs5pyp8ykw0z8m9n8m3psy6swme52ztth0v66frgu65ussm8gq0t \
    -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg \
    -o /tmp/ssh-encrypted hello

all of the associated keys can decrypt this file.

rage -d -i /root/.ssh/id_ed25519 -o /tmp/ssh-decrypted /tmp/ssh-encrypted

rage -d -i ~/rage.key -o /tmp/decrypted /tmp/ssh-encrypted

Using a passphrase instead of a key

Rage can encrypt with a passphrase:

rage -e -p -o <encrypted output> <input>

rage -e -p -o /tmp/passphrase-encrypted data

Decrypted with (passphrase is detected and prompted for):

rage -d -o <decrypted output> <encrypted input> 

rage -d -o /tmp/decrypted /tmp/passphrase-encrypted