cmd/age: allow reading both passphrase and input from a terminal

Fixes #196
Closes #258

.github/workflows/ronn.yml

@@ -0,0 +1,33 @@
+on:
+  push:
+    branches:
+      - '**'
+    paths:
+      - '**.ronn'
+name: Generate man pages
+jobs:
+  ronn:
+    runs-on: ubuntu-latest
+    name: Ronn
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run ronn
+        uses: ./.github/workflows/ronn
+        id: ronn
+      - name: Undo email mangling
+        # rdiscount randomizes the output for no good reason, which causes
+        # changes to always get committed. Sigh.
+        # https://github.com/davidfstr/rdiscount/blob/6b1471ec3/ext/generate.c#L781-L795
+        run: |-
+          for f in doc/*.html; do
+            awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
+            mv "$f.tmp" "$f"
+          done
+      - name: Commit and push if changed
+        run: |-
+          git config user.name "GitHub Actions"
+          git config user.email "actions@users.noreply.github.com"
+          git add -A
+          git commit -m "doc: regenerate groff and html man pages" || exit 0
+          git push

.github/workflows/ronn/Dockerfile

@@ -0,0 +1,8 @@
+FROM ruby:3.0.1-buster
+
+RUN apt-get update && apt-get install -y groff
+RUN bundle config --global frozen 1
+COPY Gemfile Gemfile.lock ./
+RUN bundle install
+ENTRYPOINT ["bash", "-O", "globstar", "-c", \
+    "/usr/local/bundle/bin/ronn **/*.ronn"]

.github/workflows/ronn/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "ronn", "~> 0.7.3"

.github/workflows/ronn/Gemfile.lock

@@ -0,0 +1,20 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    hpricot (0.8.6)
+    mustache (1.1.1)
+    rdiscount (2.2.0.2)
+    ronn (0.7.3)
+      hpricot (>= 0.8.2)
+      mustache (>= 0.7.0)
+      rdiscount (>= 1.5.8)
+
+PLATFORMS
+  aarch64-linux
+  x86_64-linux
+
+DEPENDENCIES
+  ronn (~> 0.7.3)
+
+BUNDLED WITH
+   2.2.15

.github/workflows/ronn/action.yml

@@ -0,0 +1,4 @@
+name: Ronn
+runs:
+  using: docker
+  image: Dockerfile

HomebrewFormula/age.rb

@@ -16,5 +16,7 @@ class Age < Formula
     mkdir bin
     system "go", "build", "-trimpath", "-o", bin, "-ldflags", "-X main.Version=v#{version}", "filippo.io/age/cmd/..."
     prefix.install_metafiles
+    man1.install "doc/age.1"
+    man1.install "doc/age-keygen.1"
   end
 end

age.go

@@ -35,6 +35,16 @@
 // encryption operations. If you need to tie into existing key management
 // infrastructure, you might want to consider implementing your own Recipient
 // and Identity.
+//
+// Backwards compatibility
+//
+// Files encrypted with a stable version (not alpha, beta, or release candidate)
+// of age, or with any v1.0.0 beta or release candidate, will decrypt with any
+// later versions of the v1 API. This might change in v2, in which case v1 will
+// be maintained with security fixes for compatibility with older files.
+//
+// If decrypting an older file poses a security risk, doing so might require an
+// explicit opt-in in the API.
 package age
 
 import (
@@ -168,9 +178,6 @@ func Decrypt(src io.Reader, identities ...Identity) (io.Reader, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to read header: %v", err)
 	}
-	if len(hdr.Recipients) > 20 {
-		return nil, errors.New("too many recipients")
-	}
 
 	for _, r := range hdr.Recipients {
 		if r.Type == "scrypt" && len(hdr.Recipients) != 1 {

agessh/agessh.go

@@ -65,6 +65,9 @@ func NewRSARecipient(pk ssh.PublicKey) (*RSARecipient, error) {
 	} else {
 		return nil, errors.New("pk does not implement ssh.CryptoPublicKey")
 	}
+	if r.pubKey.Size() < 2048/8 {
+		return nil, errors.New("RSA key size is too small")
+	}
 	return r, nil
 }
 

agessh/agessh_test.go

@@ -19,7 +19,7 @@ import (
 )
 
 func TestSSHRSARoundTrip(t *testing.T) {
-	pk, err := rsa.GenerateKey(rand.Reader, 768)
+	pk, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatal(err)
 	}

armor/armor.go

@@ -28,7 +28,7 @@ const (
 
 type armoredWriter struct {
 	started, closed bool
-	encoder         io.WriteCloser
+	encoder         *format.WrappedBase64Encoder
 	dst             io.Writer
 }
 
@@ -50,15 +50,20 @@ func (a *armoredWriter) Close() error {
 	if err := a.encoder.Close(); err != nil {
 		return err
 	}
-	_, err := io.WriteString(a.dst, "\n"+Footer+"\n")
+	footer := Footer + "\n"
+	if !a.encoder.LastLineIsEmpty() {
+		footer = "\n" + footer
+	}
+	_, err := io.WriteString(a.dst, footer)
 	return err
 }
 
 func NewWriter(dst io.Writer) io.WriteCloser {
 	// TODO: write a test with aligned and misaligned sizes, and 8 and 10 steps.
-	return &armoredWriter{dst: dst,
-		encoder: base64.NewEncoder(base64.StdEncoding.Strict(),
-			format.NewlineWriter(dst))}
+	return &armoredWriter{
+		dst:     dst,
+		encoder: format.NewWrappedBase64Encoder(base64.StdEncoding, dst),
+	}
 }
 
 type armoredReader struct {

armor/armor_test.go

@@ -8,6 +8,7 @@ package armor_test
 
 import (
 	"bytes"
+	"crypto/rand"
 	"encoding/pem"
 	"fmt"
 	"io"
@@ -18,6 +19,7 @@ import (
 
 	"filippo.io/age"
 	"filippo.io/age/armor"
+	"filippo.io/age/internal/format"
 )
 
 func ExampleNewWriter() {
@@ -87,9 +89,15 @@ kB/RRusYjn+KVJ+KTioxj0THtzZPXcjFKuQ1
 }
 
 func TestArmor(t *testing.T) {
+	t.Run("PartialLine", func(t *testing.T) { testArmor(t, 611) })
+	t.Run("FullLine", func(t *testing.T) { testArmor(t, 10*format.BytesPerLine) })
+}
+
+func testArmor(t *testing.T, size int) {
 	buf := &bytes.Buffer{}
 	w := armor.NewWriter(buf)
-	plain := make([]byte, 611)
+	plain := make([]byte, size)
+	rand.Read(plain)
 	if _, err := w.Write(plain); err != nil {
 		t.Fatal(err)
 	}
@@ -101,9 +109,18 @@ func TestArmor(t *testing.T) {
 	if block == nil {
 		t.Fatal("PEM decoding failed")
 	}
+	if len(block.Headers) != 0 {
+		t.Error("unexpected headers")
+	}
+	if block.Type != "AGE ENCRYPTED FILE" {
+		t.Errorf("unexpected type %q", block.Type)
+	}
 	if !bytes.Equal(block.Bytes, plain) {
 		t.Error("PEM decoded value doesn't match")
 	}
+	if !bytes.Equal(buf.Bytes(), pem.EncodeToMemory(block)) {
+		t.Error("PEM re-encoded value doesn't match")
+	}
 
 	r := armor.NewReader(buf)
 	out, err := ioutil.ReadAll(r)

cmd/age-keygen/keygen.go

@@ -27,7 +27,7 @@ Options:
     -o, --output OUTPUT       Write the result to the file at path OUTPUT.
     -y                        Convert an identity file to a recipients file.
 
-age-keygen generates a new standard X25519 key pair, and outputs it to
+age-keygen generates a new native X25519 key pair, and outputs it to
 standard output or to the OUTPUT file.
 
 If an OUTPUT file is specified, the public key is printed to standard error.
@@ -94,16 +94,14 @@ func main() {
 		if err != nil {
 			log.Fatalf("Failed to open output file %q: %v", outFlag, err)
 		}
-		defer f.Close()
+		defer func() {
+			if err := f.Close(); err != nil {
+				log.Fatalf("Failed to close output file %q: %v", outFlag, err)
+			}
+		}()
 		out = f
 	}
 
-	if fi, err := out.Stat(); err == nil {
-		if fi.Mode().IsRegular() && fi.Mode().Perm()&0004 != 0 {
-			fmt.Fprintf(os.Stderr, "Warning: writing secret key to a world-readable file.\n")
-		}
-	}
-
 	in := os.Stdin
 	if inFile := flag.Arg(0); inFile != "" && inFile != "-" {
 		f, err := os.Open(inFile)
@@ -117,6 +115,9 @@ func main() {
 	if convertFlag {
 		convert(in, out)
 	} else {
+		if fi, err := out.Stat(); err == nil && fi.Mode().IsRegular() && fi.Mode().Perm()&0004 != 0 {
+			fmt.Fprintf(os.Stderr, "Warning: writing secret key to a world-readable file.\n")
+		}
 		generate(out)
 	}
 }

cmd/age/age.go

@@ -184,7 +184,11 @@ func main() {
 	}
 	if name := outFlag; name != "" && name != "-" {
 		f := newLazyOpener(name)
-		defer f.Close()
+		defer func() {
+			if err := f.Close(); err != nil {
+				logFatalf("Error: failed to close output file %q: %v", name, err)
+			}
+		}()
 		out = f
 	} else if terminal.IsTerminal(int(os.Stdout.Fd())) {
 		if name != "-" {

cmd/age/encrypted_keys.go

@@ -45,15 +45,15 @@ func (i *LazyScryptIdentity) Unwrap(stanzas []*age.Stanza) (fileKey []byte, err
 	return fileKey, err
 }
 
-// stdinInUse is set in main. It's a singleton like os.Stdin.
-var stdinInUse bool
-
+// readPassphrase reads a passphrase from the terminal. If stdin is not
+// connected to a terminal, it tries /dev/tty and fails if that's not available.
+// It does not read from a non-terminal stdin, so it does not check stdinInUse.
 func readPassphrase() ([]byte, error) {
 	fd := int(os.Stdin.Fd())
-	if !terminal.IsTerminal(fd) || stdinInUse {
+	if !terminal.IsTerminal(fd) {
 		tty, err := os.Open("/dev/tty")
 		if err != nil {
-			return nil, fmt.Errorf("standard input is not available or not a terminal, and opening /dev/tty failed: %v", err)
+			return nil, fmt.Errorf("standard input is not a terminal, and opening /dev/tty failed: %v", err)
 		}
 		defer tty.Close()
 		fd = int(tty.Fd())

cmd/age/parse.go

@@ -22,6 +22,9 @@ import (
 	"golang.org/x/crypto/ssh"
 )
 
+// stdinInUse is set in main. It's a singleton like os.Stdin.
+var stdinInUse bool
+
 func parseRecipient(arg string) (age.Recipient, error) {
 	switch {
 	case strings.HasPrefix(arg, "age1"):

doc/age-keygen.1

@@ -0,0 +1,88 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "AGE\-KEYGEN" "1" "October 2021" "" ""
+.
+.SH "NAME"
+\fBage\-keygen\fR \- generate age(1) key pairs
+.
+.SH "SYNOPSIS"
+\fBage\-keygen\fR [\fB\-o\fR \fIOUTPUT\fR]
+.
+.br
+\fBage\-keygen\fR \fB\-y\fR [\fB\-o\fR \fIOUTPUT\fR] [\fIINPUT\fR]
+.
+.br
+.
+.SH "DESCRIPTION"
+\fBage\-keygen\fR generates a new native age(1) key pair, and outputs the identity to standard output or to the \fIOUTPUT\fR file\. The output includes the public key and the current time as comments\.
+.
+.P
+If the output is not going to a terminal, \fBage\-keygen\fR prints the public key to standard error\.
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-o\fR, \fB\-\-output\fR=\fIOUTPUT\fR
+Write the identity to \fIOUTPUT\fR instead of standard output\.
+.
+.IP
+If \fIOUTPUT\fR already exists, it is not overwritten\.
+.
+.TP
+\fB\-y\fR
+Read an identity file from \fIINPUT\fR or from standard input and output the corresponding recipient(s), one per line, with no comments\.
+.
+.TP
+\fB\-\-version\fR
+Print the version and exit\.
+.
+.SH "EXAMPLES"
+Generate a new identity:
+.
+.IP "" 4
+.
+.nf
+
+$ age\-keygen
+# created: 2021\-01\-02T15:30:45+01:00
+# public key: age1lvyvwawkr0mcnnnncaghunadrqkmuf9e6507x9y920xxpp866cnql7dp2z
+AGE\-SECRET\-KEY\-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Write a new identity to \fBkey\.txt\fR:
+.
+.IP "" 4
+.
+.nf
+
+$ age\-keygen \-o key\.txt
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Convert an identity to a recipient:
+.
+.IP "" 4
+.
+.nf
+
+$ age\-keygen \-y key\.txt
+age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+.
+.fi
+.
+.IP "" 0
+.
+.SH "SEE ALSO"
+age(1)
+.
+.SH "AUTHORS"
+Filippo Valsorda \fIage@filippo\.io\fR

doc/age-keygen.1.html

@@ -0,0 +1,141 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv='content-type' value='text/html;charset=utf8'>
+  <meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
+  <title>age-keygen(1) - generate age(1) key pairs</title>
+  <style type='text/css' media='all'>
+  /* style: man */
+  body#manpage {margin:0}
+  .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
+  .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
+  .mp h2 {margin:10px 0 0 0}
+  .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
+  .mp h3 {margin:0 0 0 4ex}
+  .mp dt {margin:0;clear:left}
+  .mp dt.flush {float:left;width:8ex}
+  .mp dd {margin:0 0 0 9ex}
+  .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
+  .mp pre {margin-bottom:20px}
+  .mp pre+h2,.mp pre+h3 {margin-top:22px}
+  .mp h2+pre,.mp h3+pre {margin-top:5px}
+  .mp img {display:block;margin:auto}
+  .mp h1.man-title {display:none}
+  .mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
+  .mp h2 {font-size:16px;line-height:1.25}
+  .mp h1 {font-size:20px;line-height:2}
+  .mp {text-align:justify;background:#fff}
+  .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
+  .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
+  .mp u {text-decoration:underline}
+  .mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
+  .mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
+  .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
+  .mp b.man-ref {font-weight:normal;color:#434241}
+  .mp pre {padding:0 4ex}
+  .mp pre code {font-weight:normal;color:#434241}
+  .mp h2+pre,h3+pre {padding-left:0}
+  ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
+  ol.man-decor {width:100%}
+  ol.man-decor li.tl {text-align:left}
+  ol.man-decor li.tc {text-align:center;letter-spacing:4px}
+  ol.man-decor li.tr {text-align:right;float:right}
+  </style>
+</head>
+<!--
+  The following styles are deprecated and will be removed at some point:
+  div#man, div#man ol.man, div#man ol.head, div#man ol.man.
+
+  The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
+  .man-navigation should be used instead.
+-->
+<body id='manpage'>
+  <div class='mp' id='man'>
+
+  <div class='man-navigation' style='display:none'>
+    <a href="#NAME">NAME</a>
+    <a href="#SYNOPSIS">SYNOPSIS</a>
+    <a href="#DESCRIPTION">DESCRIPTION</a>
+    <a href="#OPTIONS">OPTIONS</a>
+    <a href="#EXAMPLES">EXAMPLES</a>
+    <a href="#SEE-ALSO">SEE ALSO</a>
+    <a href="#AUTHORS">AUTHORS</a>
+  </div>
+
+  <ol class='man-decor man-head man head'>
+    <li class='tl'>age-keygen(1)</li>
+    <li class='tc'></li>
+    <li class='tr'>age-keygen(1)</li>
+  </ol>
+
+  <h2 id="NAME">NAME</h2>
+<p class="man-name">
+  <code>age-keygen</code> - <span class="man-whatis">generate <a class="man-ref" href="age.1.html">age<span class="s">(1)</span></a> key pairs</span>
+</p>
+
+<h2 id="SYNOPSIS">SYNOPSIS</h2>
+
+<p><code>age-keygen</code> [<code>-o</code> <var>OUTPUT</var>]<br />
+<code>age-keygen</code> <code>-y</code> [<code>-o</code> <var>OUTPUT</var>] [<var>INPUT</var>]<br /></p>
+
+<h2 id="DESCRIPTION">DESCRIPTION</h2>
+
+<p><code>age-keygen</code> generates a new native <a class="man-ref" href="age.1.html">age<span class="s">(1)</span></a> key pair, and outputs the identity to
+standard output or to the <var>OUTPUT</var> file. The output includes the public key and
+the current time as comments.</p>
+
+<p>If the output is not going to a terminal, <code>age-keygen</code> prints the public key to
+standard error.</p>
+
+<h2 id="OPTIONS">OPTIONS</h2>
+
+<dl>
+<dt><code>-o</code>, <code>--output</code>=<var>OUTPUT</var></dt><dd><p>  Write the identity to <var>OUTPUT</var> instead of standard output.</p>
+
+<p>  If <var>OUTPUT</var> already exists, it is not overwritten.</p></dd>
+<dt class="flush"><code>-y</code></dt><dd><p>  Read an identity file from <var>INPUT</var> or from standard input and output the
+  corresponding recipient(s), one per line, with no comments.</p></dd>
+<dt><code>--version</code></dt><dd><p>  Print the version and exit.</p></dd>
+</dl>
+
+
+<h2 id="EXAMPLES">EXAMPLES</h2>
+
+<p>Generate a new identity:</p>
+
+<pre><code>$ age-keygen
+# created: 2021-01-02T15:30:45+01:00
+# public key: age1lvyvwawkr0mcnnnncaghunadrqkmuf9e6507x9y920xxpp866cnql7dp2z
+AGE-SECRET-KEY-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9
+</code></pre>
+
+<p>Write a new identity to <code>key.txt</code>:</p>
+
+<pre><code>$ age-keygen -o key.txt
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+</code></pre>
+
+<p>Convert an identity to a recipient:</p>
+
+<pre><code>$ age-keygen -y key.txt
+age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+</code></pre>
+
+<h2 id="SEE-ALSO">SEE ALSO</h2>
+
+<p><a class="man-ref" href="age.1.html">age<span class="s">(1)</span></a></p>
+
+<h2 id="AUTHORS">AUTHORS</h2>
+
+<p>Filippo Valsorda <a href="mailto:age@filippo.io" data-bare-link="true">age@filippo.io</a></p>
+
+
+  <ol class='man-decor man-foot man foot'>
+    <li class='tl'></li>
+    <li class='tc'>October 2021</li>
+    <li class='tr'>age-keygen(1)</li>
+  </ol>
+
+  </div>
+</body>
+</html>

doc/age-keygen.1.ronn

@@ -0,0 +1,57 @@
+age-keygen(1) -- generate age(1) key pairs
+====================================================
+
+## SYNOPSIS
+
+`age-keygen` [`-o` <OUTPUT>]<br>
+`age-keygen` `-y` [`-o` <OUTPUT>] [<INPUT>]<br>
+
+## DESCRIPTION
+
+`age-keygen` generates a new native age(1) key pair, and outputs the identity to
+standard output or to the <OUTPUT> file. The output includes the public key and
+the current time as comments.
+
+If the output is not going to a terminal, `age-keygen` prints the public key to
+standard error.
+
+## OPTIONS
+
+* `-o`, `--output`=<OUTPUT>:
+    Write the identity to <OUTPUT> instead of standard output.
+    
+    If <OUTPUT> already exists, it is not overwritten.
+
+* `-y`:
+    Read an identity file from <INPUT> or from standard input and output the
+    corresponding recipient(s), one per line, with no comments.
+
+* `--version`:
+    Print the version and exit.
+
+## EXAMPLES
+
+Generate a new identity:
+
+    $ age-keygen
+    # created: 2021-01-02T15:30:45+01:00
+    # public key: age1lvyvwawkr0mcnnnncaghunadrqkmuf9e6507x9y920xxpp866cnql7dp2z
+    AGE-SECRET-KEY-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9
+
+Write a new identity to `key.txt`:
+
+    $ age-keygen -o key.txt
+    Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+Convert an identity to a recipient:
+
+    $ age-keygen -y key.txt
+    age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+## SEE ALSO
+
+age(1)
+
+## AUTHORS
+
+Filippo Valsorda <age@filippo.io>

doc/age.1

@@ -0,0 +1,296 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "AGE" "1" "October 2021" "" ""
+.
+.SH "NAME"
+\fBage\fR \- simple, modern, and secure file encryption
+.
+.SH "SYNOPSIS"
+\fBage\fR [\fB\-\-encrypt\fR] (\fB\-r\fR \fIRECIPIENT\fR | \fB\-R\fR \fIPATH\fR)\.\.\. [\fB\-\-armor\fR] [\fB\-o\fR \fIOUTPUT\fR] [\fIINPUT\fR]
+.
+.br
+\fBage\fR [\fB\-\-encrypt\fR] \fB\-\-passphrase\fR [\fB\-\-armor\fR] [\fB\-o\fR \fIOUTPUT\fR] [\fIINPUT\fR]
+.
+.br
+\fBage\fR \fB\-\-decrypt\fR [\fB\-i\fR \fIPATH\fR]\.\.\. [\fB\-o\fR \fIOUTPUT\fR] [\fIINPUT\fR]
+.
+.br
+.
+.SH "DESCRIPTION"
+\fBage\fR encrypts or decrypts \fIINPUT\fR to \fIOUTPUT\fR\. The \fIINPUT\fR argument is optional and defaults to standard input\. Only a single \fIINPUT\fR file may be specified\. If \fB\-o\fR is not specified, \fIOUTPUT\fR defaults to standard output\.
+.
+.P
+If \fB\-\-passphrase\fR is specified, the file is encrypted with a passphrase requested interactively\. Otherwise, it\'s encrypted to one or more \fIRECIPIENTS\fR specified with \fB\-r\fR/\fB\-\-recipient\fR or \fB\-R\fR/\fB\-\-recipients\-file\fR\. Every recipient can decrypt the file\.
+.
+.P
+In \fB\-\-decrypt\fR mode, passphrase\-encrypted files are detected automatically and the passphrase is requested interactively\. Otherwise, one or more \fIIDENTITIES\fR specified with \fB\-i\fR/\fB\-\-identity\fR are used to decrypt the file\.
+.
+.P
+\fBage\fR encrypted files are binary and not malleable, with around 200 bytes of overhead per recipient, plus 16 bytes every 64KiB of plaintext\.
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-o\fR, \fB\-\-output\fR=\fIOUTPUT\fR
+Write encrypted or decrypted file to \fIOUTPUT\fR instead of standard output\. If \fIOUTPUT\fR already exists it will be overwritten\.
+.
+.IP
+If encrypting without \fB\-\-armor\fR, \fBage\fR will refuse to output binary to a TTY\. This can be forced by specifying \fB\-\fR as \fIOUTPUT\fR\.
+.
+.TP
+\fB\-\-version\fR
+Print the version and exit\.
+.
+.SS "Encryption options"
+.
+.TP
+\fB\-e\fR, \fB\-\-encrypt\fR
+Encrypt \fIINPUT\fR to \fIOUTPUT\fR\. This is the default\.
+.
+.TP
+\fB\-r\fR, \fB\-\-recipient\fR=\fIRECIPIENT\fR
+Encrypt to the explicitly specified \fIRECIPIENT\fR\. See the \fIRECIPIENTS AND IDENTITIES\fR section for possible recipient formats\.
+.
+.IP
+This option can be repeated and combined with \fB\-R\fR/\fB\-\-recipients\-file\fR, and the file can be decrypted by all provided recipients independently\.
+.
+.TP
+\fB\-R\fR, \fB\-\-recipients\-file\fR=\fIPATH\fR
+Encrypt to the \fIRECIPIENTS\fR listed in the file at \fIPATH\fR, one per line\. Empty lines and lines starting with \fB#\fR are ignored as comments\.
+.
+.IP
+If \fIPATH\fR is \fB\-\fR, the recipients are read from standard input\. In this case, the \fIINPUT\fR argument must be specified\.
+.
+.IP
+This option can be repeated and combined with \fB\-r\fR/\fB\-\-recipient\fR, and the file can be decrypted by all provided recipients independently\.
+.
+.TP
+\fB\-p\fR, \fB\-\-passphrase\fR
+Encrypt with a passphrase, requested interactively from the terminal\. \fBage\fR will offer to auto\-generate a secure passphrase\.
+.
+.IP
+This option can\'t be used with \fB\-r\fR/\fB\-\-recipient\fR or \fB\-R\fR/\fB\-\-recipients\-file\fR\.
+.
+.TP
+\fB\-a\fR, \fB\-\-armor\fR
+Encrypt to an ASCII\-only "armored" encoding\.
+.
+.IP
+\fBage\fR armor is a strict version of PEM with type \fBAGE ENCRYPTED FILE\fR, canonical "strict" Base64, no headers, and no support for leading and trailing extra data\.
+.
+.IP
+Decryption transparently detects and decodes ASCII armoring\.
+.
+.SS "Decryption options"
+.
+.TP
+\fB\-d\fR, \fB\-\-decrypt\fR
+Decrypt \fIINPUT\fR to \fIOUTPUT\fR\.
+.
+.IP
+If \fIINPUT\fR is passphrase encrypted, it will be automatically detected and the passphrase will be requested interactively\. Otherwise, the \fIIDENTITIES\fR specified with \fB\-i\fR/\fB\-\-identity\fR are used\.
+.
+.IP
+ASCII armoring is transparently detected and decoded\.
+.
+.TP
+\fB\-i\fR, \fB\-\-identity\fR=\fIPATH\fR
+Decrypt using the \fIIDENTITIES\fR at \fIPATH\fR\.
+.
+.IP
+\fIPATH\fR may be one of the following:
+.
+.IP
+a\. A file listing \fIIDENTITIES\fR one per line\. Empty lines and lines starting with "\fB#\fR" are ignored as comments\.
+.
+.IP
+b\. An SSH private key file, in PKCS#1, PKCS#8, or OpenSSH format\. If the private key is password\-protected, the password is requested interactively only if the SSH identity matches the file\. See the \fISSH keys\fR section for more information, including supported key types\.
+.
+.IP
+c\. "\fB\-\fR", causing one of the options above to be read from standard input\. In this case, the \fIINPUT\fR argument must be specified\.
+.
+.IP
+This option can be repeated\. Identities are tried in the order in which are provided, and the first one matching one of the file\'s recipients is used\. Unused identities are ignored\.
+.
+.IP
+If \fB\-e\fR/\fB\-\-encrypt\fR is explicitly specified (to avoid confusion), \fB\-i\fR/\fB\-\-identity\fR may also be used to encrypt to the \fBRECIPIENTS\fR corresponding to the \fBIDENTITIES\fR listed at \fIPATH\fR\. This allows using an identity file as a symmetric key, if desired\.
+.
+.SH "RECIPIENTS AND IDENTITIES"
+\fBRECIPIENTS\fR are public values, like a public key, that a file can be encrypted to\. \fBIDENTITIES\fR are private values, like a private key, that allow decrypting a file encrypted to the corresponding \fBRECIPIENT\fR\.
+.
+.SS "Native X25519 keys"
+Native \fBage\fR key pairs are generated with age\-keygen(1), and provide small encodings and strong encryption based on X25519\. They are the recommended recipient type for most applications\.
+.
+.P
+A \fBRECIPIENT\fR encoding begins with \fBage1\fR and looks like the following:
+.
+.IP "" 4
+.
+.nf
+
+age1gde3ncmahlqd9gg50tanl99r960llztrhfapnmx853s4tjum03uqfssgdh
+.
+.fi
+.
+.IP "" 0
+.
+.P
+An \fBIDENTITY\fR encoding begins with \fBAGE\-SECRET\-KEY\-1\fR and looks like the following:
+.
+.IP "" 4
+.
+.nf
+
+AGE\-SECRET\-KEY\-1KTYK6RVLN5TAPE7VF6FQQSKZ9HWWCDSKUGXXNUQDWZ7XXT5YK5LSF3UTKQ
+.
+.fi
+.
+.IP "" 0
+.
+.P
+An encrypted file can\'t be linked to the native recipient it\'s encrypted to without access to the corresponding identity\.
+.
+.SS "SSH keys"
+As a convenience feature, \fBage\fR also supports encrypting to RSA or Ed25519 ssh(1) keys\. RSA keys must be at least 2048 bits\. This feature employs more complex cryptography, and should only be used when a native key is not available for the recipient\. Note that SSH keys might not be protected long\-term by the recipient, since they are revokable when used only for authentication\.
+.
+.P
+A \fBRECIPIENT\fR encoding is an SSH public key in \fBauthorized_keys\fR format (see the \fBAUTHORIZED_KEYS FILE FORMAT\fR section of sshd(8)), starting with \fBssh\-rsa\fR or \fBssh\-ed25519\fR, like the following:
+.
+.IP "" 4
+.
+.nf
+
+ssh\-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULTit0KUehbi[\.\.\.]GU4BtElAbzh8=
+ssh\-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9pO5pz22JZEas[\.\.\.]l1uZc31FGYMXa
+.
+.fi
+.
+.IP "" 0
+.
+.P
+The comment at the end of the line, if present, is ignored\.
+.
+.P
+In recipient files passed to \fB\-R\fR/\fB\-\-recipients\-file\fR, unsupported but valid SSH public keys are ignored with a warning, to facilitate using \fBauthorized_keys\fR or GitHub \fB\.keys\fR files\. (See \fIEXAMPLES\fR\.)
+.
+.P
+An \fBIDENTITY\fR is an SSH private key \fIfile\fR passed individually to \fB\-i\fR/\fB\-\-identity\fR\. Note that keys held on hardware tokens such as YubiKeys or accessed via ssh\-agent(1) are not supported\.
+.
+.P
+An encrypted file \fIcan\fR be linked to the SSH public key it was encrypted to\. This is so that \fBage\fR can identify the correct SSH private key before requesting its password, if any\.
+.
+.SH "EXIT STATUS"
+\fBage\fR will exit 0 if and only if encryption or decryption are successful for the full length of the input\.
+.
+.P
+If an error occurs during decryption, partial output might still be generated, but only if it was possible to securely authenticate it\. No unauthenticathed output is ever released\.
+.
+.SH "BACKWARDS COMPATIBILITY"
+Files encrypted with a stable version (not alpha, beta, or release candidate) of \fBage\fR, or with any v1\.0\.0 beta or release candidate, will decrypt with any later version of the tool\.
+.
+.P
+If decrypting older files poses a security risk, doing so might cause an error by default\. In this case, a flag will be provided to force the operation\.
+.
+.SH "EXAMPLES"
+Generate a new identity, encrypt data, and decrypt:
+.
+.IP "" 4
+.
+.nf
+
+$ age\-keygen \-o key\.txt
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+$ tar cvz ~/data | age \-r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data\.tar\.gz\.age
+
+$ age \-d \-o data\.tar\.gz \-i key\.txt data\.tar\.gz\.age
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Encrypt \fBexample\.jpg\fR to multiple recipients and output to \fBexample\.jpg\.age\fR:
+.
+.IP "" 4
+.
+.nf
+
+$ age \-o example\.jpg\.age \-r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \e
+    \-r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example\.jpg
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Encrypt to a list of recipients:
+.
+.IP "" 4
+.
+.nf
+
+$ cat > recipients\.txt
+# Alice
+age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+# Bob
+age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
+
+$ age \-R recipients\.txt example\.jpg > example\.jpg\.age
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Encrypt and decrypt a file using a passphrase:
+.
+.IP "" 4
+.
+.nf
+
+$ age \-p secrets\.txt > secrets\.txt\.age
+Enter passphrase (leave empty to autogenerate a secure one):
+Using the autogenerated passphrase "release\-response\-step\-brand\-wrap\-ankle\-pair\-unusual\-sword\-train"\.
+
+$ age \-d secrets\.txt\.age > secrets\.txt
+Enter passphrase:
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Encrypt and decrypt with an SSH public key:
+.
+.IP "" 4
+.
+.nf
+
+$ age \-R ~/\.ssh/id_ed25519\.pub example\.jpg > example\.jpg\.age
+
+$ age \-d \-i ~/\.ssh/id_ed25519 example\.jpg\.age > example\.jpg
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Encrypt to the SSH keys of a GitHub user:
+.
+.IP "" 4
+.
+.nf
+
+$ curl https://github\.com/benjojo\.keys | age \-R \- example\.jpg > example\.jpg\.age
+.
+.fi
+.
+.IP "" 0
+.
+.SH "SEE ALSO"
+age\-keygen(1)
+.
+.SH "AUTHORS"
+Filippo Valsorda \fIage@filippo\.io\fR

doc/age.1.html

@@ -0,0 +1,328 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv='content-type' value='text/html;charset=utf8'>
+  <meta name='generator' value='Ronn/v0.7.3 (http://github.com/rtomayko/ronn/tree/0.7.3)'>
+  <title>age(1) - simple, modern, and secure file encryption</title>
+  <style type='text/css' media='all'>
+  /* style: man */
+  body#manpage {margin:0}
+  .mp {max-width:100ex;padding:0 9ex 1ex 4ex}
+  .mp p,.mp pre,.mp ul,.mp ol,.mp dl {margin:0 0 20px 0}
+  .mp h2 {margin:10px 0 0 0}
+  .mp > p,.mp > pre,.mp > ul,.mp > ol,.mp > dl {margin-left:8ex}
+  .mp h3 {margin:0 0 0 4ex}
+  .mp dt {margin:0;clear:left}
+  .mp dt.flush {float:left;width:8ex}
+  .mp dd {margin:0 0 0 9ex}
+  .mp h1,.mp h2,.mp h3,.mp h4 {clear:left}
+  .mp pre {margin-bottom:20px}
+  .mp pre+h2,.mp pre+h3 {margin-top:22px}
+  .mp h2+pre,.mp h3+pre {margin-top:5px}
+  .mp img {display:block;margin:auto}
+  .mp h1.man-title {display:none}
+  .mp,.mp code,.mp pre,.mp tt,.mp kbd,.mp samp,.mp h3,.mp h4 {font-family:monospace;font-size:14px;line-height:1.42857142857143}
+  .mp h2 {font-size:16px;line-height:1.25}
+  .mp h1 {font-size:20px;line-height:2}
+  .mp {text-align:justify;background:#fff}
+  .mp,.mp code,.mp pre,.mp pre code,.mp tt,.mp kbd,.mp samp {color:#131211}
+  .mp h1,.mp h2,.mp h3,.mp h4 {color:#030201}
+  .mp u {text-decoration:underline}
+  .mp code,.mp strong,.mp b {font-weight:bold;color:#131211}
+  .mp em,.mp var {font-style:italic;color:#232221;text-decoration:none}
+  .mp a,.mp a:link,.mp a:hover,.mp a code,.mp a pre,.mp a tt,.mp a kbd,.mp a samp {color:#0000ff}
+  .mp b.man-ref {font-weight:normal;color:#434241}
+  .mp pre {padding:0 4ex}
+  .mp pre code {font-weight:normal;color:#434241}
+  .mp h2+pre,h3+pre {padding-left:0}
+  ol.man-decor,ol.man-decor li {margin:3px 0 10px 0;padding:0;float:left;width:33%;list-style-type:none;text-transform:uppercase;color:#999;letter-spacing:1px}
+  ol.man-decor {width:100%}
+  ol.man-decor li.tl {text-align:left}
+  ol.man-decor li.tc {text-align:center;letter-spacing:4px}
+  ol.man-decor li.tr {text-align:right;float:right}
+  </style>
+</head>
+<!--
+  The following styles are deprecated and will be removed at some point:
+  div#man, div#man ol.man, div#man ol.head, div#man ol.man.
+
+  The .man-page, .man-decor, .man-head, .man-foot, .man-title, and
+  .man-navigation should be used instead.
+-->
+<body id='manpage'>
+  <div class='mp' id='man'>
+
+  <div class='man-navigation' style='display:none'>
+    <a href="#NAME">NAME</a>
+    <a href="#SYNOPSIS">SYNOPSIS</a>
+    <a href="#DESCRIPTION">DESCRIPTION</a>
+    <a href="#OPTIONS">OPTIONS</a>
+    <a href="#RECIPIENTS-AND-IDENTITIES">RECIPIENTS AND IDENTITIES</a>
+    <a href="#EXIT-STATUS">EXIT STATUS</a>
+    <a href="#BACKWARDS-COMPATIBILITY">BACKWARDS COMPATIBILITY</a>
+    <a href="#EXAMPLES">EXAMPLES</a>
+    <a href="#SEE-ALSO">SEE ALSO</a>
+    <a href="#AUTHORS">AUTHORS</a>
+  </div>
+
+  <ol class='man-decor man-head man head'>
+    <li class='tl'>age(1)</li>
+    <li class='tc'></li>
+    <li class='tr'>age(1)</li>
+  </ol>
+
+  <h2 id="NAME">NAME</h2>
+<p class="man-name">
+  <code>age</code> - <span class="man-whatis">simple, modern, and secure file encryption</span>
+</p>
+
+<h2 id="SYNOPSIS">SYNOPSIS</h2>
+
+<p><code>age</code> [<code>--encrypt</code>] (<code>-r</code> <var>RECIPIENT</var> | <code>-R</code> <var>PATH</var>)... [<code>--armor</code>] [<code>-o</code> <var>OUTPUT</var>] [<var>INPUT</var>]<br />
+<code>age</code> [<code>--encrypt</code>] <code>--passphrase</code> [<code>--armor</code>] [<code>-o</code> <var>OUTPUT</var>] [<var>INPUT</var>]<br />
+<code>age</code> <code>--decrypt</code> [<code>-i</code> <var>PATH</var>]... [<code>-o</code> <var>OUTPUT</var>] [<var>INPUT</var>]<br /></p>
+
+<h2 id="DESCRIPTION">DESCRIPTION</h2>
+
+<p><code>age</code> encrypts or decrypts <var>INPUT</var> to <var>OUTPUT</var>. The <var>INPUT</var> argument is
+optional and defaults to standard input. Only a single <var>INPUT</var> file may be
+specified. If <code>-o</code> is not specified, <var>OUTPUT</var> defaults to standard output.</p>
+
+<p>If <code>--passphrase</code> is specified, the file is encrypted with a passphrase
+requested interactively. Otherwise, it's encrypted to one or more
+<a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">RECIPIENTS</a> specified with <code>-r</code>/<code>--recipient</code> or
+<code>-R</code>/<code>--recipients-file</code>. Every recipient can decrypt the file.</p>
+
+<p>In <code>--decrypt</code> mode, passphrase-encrypted files are detected automatically and
+the passphrase is requested interactively. Otherwise, one or more
+<a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">IDENTITIES</a> specified with <code>-i</code>/<code>--identity</code> are
+used to decrypt the file.</p>
+
+<p><code>age</code> encrypted files are binary and not malleable, with around 200 bytes of
+overhead per recipient, plus 16 bytes every 64KiB of plaintext.</p>
+
+<h2 id="OPTIONS">OPTIONS</h2>
+
+<dl>
+<dt><code>-o</code>, <code>--output</code>=<var>OUTPUT</var></dt><dd><p>  Write encrypted or decrypted file to <var>OUTPUT</var> instead of standard output.
+  If <var>OUTPUT</var> already exists it will be overwritten.</p>
+
+<p>  If encrypting without <code>--armor</code>, <code>age</code> will refuse to output binary to a
+  TTY. This can be forced by specifying <code>-</code> as <var>OUTPUT</var>.</p></dd>
+<dt><code>--version</code></dt><dd><p>  Print the version and exit.</p></dd>
+</dl>
+
+
+<h3 id="Encryption-options">Encryption options</h3>
+
+<dl>
+<dt><code>-e</code>, <code>--encrypt</code></dt><dd><p>  Encrypt <var>INPUT</var> to <var>OUTPUT</var>. This is the default.</p></dd>
+<dt><code>-r</code>, <code>--recipient</code>=<var>RECIPIENT</var></dt><dd><p>  Encrypt to the explicitly specified <var>RECIPIENT</var>. See the
+  <a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">RECIPIENTS AND IDENTITIES</a> section for possible recipient formats.</p>
+
+<p>  This option can be repeated and combined with <code>-R</code>/<code>--recipients-file</code>,
+  and the file can be decrypted by all provided recipients independently.</p></dd>
+<dt><code>-R</code>, <code>--recipients-file</code>=<var>PATH</var></dt><dd><p>  Encrypt to the <a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">RECIPIENTS</a> listed in the
+  file at <var>PATH</var>, one per line. Empty lines and lines starting with <code>#</code>
+  are ignored as comments.</p>
+
+<p>  If <var>PATH</var> is <code>-</code>, the recipients are read from standard input. In
+  this case, the <var>INPUT</var> argument must be specified.</p>
+
+<p>  This option can be repeated and combined with <code>-r</code>/<code>--recipient</code>,
+  and the file can be decrypted by all provided recipients independently.</p></dd>
+<dt><code>-p</code>, <code>--passphrase</code></dt><dd><p>  Encrypt with a passphrase, requested interactively from the terminal.
+  <code>age</code> will offer to auto-generate a secure passphrase.</p>
+
+<p>  This option can't be used with <code>-r</code>/<code>--recipient</code> or
+  <code>-R</code>/<code>--recipients-file</code>.</p></dd>
+<dt><code>-a</code>, <code>--armor</code></dt><dd><p>  Encrypt to an ASCII-only "armored" encoding.</p>
+
+<p>  <code>age</code> armor is a strict version of PEM with type <code>AGE ENCRYPTED FILE</code>,
+  canonical "strict" Base64, no headers, and no support for leading and
+  trailing extra data.</p>
+
+<p>  Decryption transparently detects and decodes ASCII armoring.</p></dd>
+</dl>
+
+
+<h3 id="Decryption-options">Decryption options</h3>
+
+<dl>
+<dt><code>-d</code>, <code>--decrypt</code></dt><dd><p>  Decrypt <var>INPUT</var> to <var>OUTPUT</var>.</p>
+
+<p>  If <var>INPUT</var> is passphrase encrypted, it will be automatically detected
+  and the passphrase will be requested interactively. Otherwise, the
+  <a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">IDENTITIES</a> specified with <code>-i</code>/<code>--identity</code>
+  are used.</p>
+
+<p>  ASCII armoring is transparently detected and decoded.</p></dd>
+<dt><code>-i</code>, <code>--identity</code>=<var>PATH</var></dt><dd><p>  Decrypt using the <a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">IDENTITIES</a> at <var>PATH</var>.</p>
+
+<p>  <var>PATH</var> may be one of the following:</p>
+
+<p>  a. A file listing <a href="#RECIPIENTS-AND-IDENTITIES" title="RECIPIENTS AND IDENTITIES" data-bare-link="true">IDENTITIES</a> one per line.
+  Empty lines and lines starting with "<code>#</code>" are ignored as comments.</p>
+
+<p>  b. An SSH private key file, in PKCS#1, PKCS#8, or OpenSSH format.
+  If the private key is password-protected, the password is requested
+  interactively only if the SSH identity matches the file. See the
+  <a href="#SSH-keys" title="SSH keys" data-bare-link="true">SSH keys</a> section for more information, including supported key types.</p>
+
+<p>  c. "<code>-</code>", causing one of the options above to be read from standard input.
+  In this case, the <var>INPUT</var> argument must be specified.</p>
+
+<p>  This option can be repeated. Identities are tried in the order in which
+  are provided, and the first one matching one of the file's recipients is
+  used. Unused identities are ignored.</p>
+
+<p>  If <code>-e</code>/<code>--encrypt</code> is explicitly specified (to avoid confusion),
+  <code>-i</code>/<code>--identity</code> may also be used to encrypt to the <code>RECIPIENTS</code>
+  corresponding to the <code>IDENTITIES</code> listed at <var>PATH</var>. This allows using an
+  identity file as a symmetric key, if desired.</p></dd>
+</dl>
+
+
+<h2 id="RECIPIENTS-AND-IDENTITIES">RECIPIENTS AND IDENTITIES</h2>
+
+<p><code>RECIPIENTS</code> are public values, like a public key, that a file can be encrypted
+to. <code>IDENTITIES</code> are private values, like a private key, that allow decrypting
+a file encrypted to the corresponding <code>RECIPIENT</code>.</p>
+
+<h3 id="Native-X25519-keys">Native X25519 keys</h3>
+
+<p>Native <code>age</code> key pairs are generated with <a class="man-ref" href="age-keygen.1.html">age-keygen<span class="s">(1)</span></a>, and provide small
+encodings and strong encryption based on X25519. They are the recommended
+recipient type for most applications.</p>
+
+<p>A <code>RECIPIENT</code> encoding begins with <code>age1</code> and looks like the following:</p>
+
+<pre><code>age1gde3ncmahlqd9gg50tanl99r960llztrhfapnmx853s4tjum03uqfssgdh
+</code></pre>
+
+<p>An <code>IDENTITY</code> encoding begins with <code>AGE-SECRET-KEY-1</code> and looks like the
+following:</p>
+
+<pre><code>AGE-SECRET-KEY-1KTYK6RVLN5TAPE7VF6FQQSKZ9HWWCDSKUGXXNUQDWZ7XXT5YK5LSF3UTKQ
+</code></pre>
+
+<p>An encrypted file can't be linked to the native recipient it's encrypted to
+without access to the corresponding identity.</p>
+
+<h3 id="SSH-keys">SSH keys</h3>
+
+<p>As a convenience feature, <code>age</code> also supports encrypting to RSA or Ed25519
+<span class="man-ref">ssh<span class="s">(1)</span></span> keys. RSA keys must be at least 2048 bits. This feature employs more
+complex cryptography, and should only be used when a native key is not available
+for the recipient. Note that SSH keys might not be protected long-term by the
+recipient, since they are revokable when used only for authentication.</p>
+
+<p>A <code>RECIPIENT</code> encoding is an SSH public key in <code>authorized_keys</code> format
+(see the <code>AUTHORIZED_KEYS FILE FORMAT</code> section of <span class="man-ref">sshd<span class="s">(8)</span></span>), starting with
+<code>ssh-rsa</code> or <code>ssh-ed25519</code>, like the following:</p>
+
+<pre><code>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULTit0KUehbi[...]GU4BtElAbzh8=
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9pO5pz22JZEas[...]l1uZc31FGYMXa
+</code></pre>
+
+<p>The comment at the end of the line, if present, is ignored.</p>
+
+<p>In recipient files passed to <code>-R</code>/<code>--recipients-file</code>, unsupported but valid
+SSH public keys are ignored with a warning, to facilitate using
+<code>authorized_keys</code> or GitHub <code>.keys</code> files. (See <a href="#EXAMPLES" title="EXAMPLES" data-bare-link="true">EXAMPLES</a>.)</p>
+
+<p>An <code>IDENTITY</code> is an SSH private key <em>file</em> passed individually to
+<code>-i</code>/<code>--identity</code>. Note that keys held on hardware tokens such as YubiKeys
+or accessed via <span class="man-ref">ssh-agent<span class="s">(1)</span></span> are not supported.</p>
+
+<p>An encrypted file <em>can</em> be linked to the SSH public key it was encrypted to.
+This is so that <code>age</code> can identify the correct SSH private key before
+requesting its password, if any.</p>
+
+<h2 id="EXIT-STATUS">EXIT STATUS</h2>
+
+<p><code>age</code> will exit 0 if and only if encryption or decryption are successful for the
+full length of the input.</p>
+
+<p>If an error occurs during decryption, partial output might still be generated,
+but only if it was possible to securely authenticate it. No unauthenticathed
+output is ever released.</p>
+
+<h2 id="BACKWARDS-COMPATIBILITY">BACKWARDS COMPATIBILITY</h2>
+
+<p>Files encrypted with a stable version (not alpha, beta, or release candidate) of
+<code>age</code>, or with any v1.0.0 beta or release candidate, will decrypt with any later
+version of the tool.</p>
+
+<p>If decrypting older files poses a security risk, doing so might cause an error
+by default. In this case, a flag will be provided to force the operation.</p>
+
+<h2 id="EXAMPLES">EXAMPLES</h2>
+
+<p>Generate a new identity, encrypt data, and decrypt:</p>
+
+<pre><code>$ age-keygen -o key.txt
+Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+$ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p &gt; data.tar.gz.age
+
+$ age -d -o data.tar.gz -i key.txt data.tar.gz.age
+</code></pre>
+
+<p>Encrypt <code>example.jpg</code> to multiple recipients and output to <code>example.jpg.age</code>:</p>
+
+<pre><code>$ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
+    -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg
+</code></pre>
+
+<p>Encrypt to a list of recipients:</p>
+
+<pre><code>$ cat &gt; recipients.txt
+# Alice
+age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+# Bob
+age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
+
+$ age -R recipients.txt example.jpg &gt; example.jpg.age
+</code></pre>
+
+<p>Encrypt and decrypt a file using a passphrase:</p>
+
+<pre><code>$ age -p secrets.txt &gt; secrets.txt.age
+Enter passphrase (leave empty to autogenerate a secure one):
+Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
+
+$ age -d secrets.txt.age &gt; secrets.txt
+Enter passphrase:
+</code></pre>
+
+<p>Encrypt and decrypt with an SSH public key:</p>
+
+<pre><code>$ age -R ~/.ssh/id_ed25519.pub example.jpg &gt; example.jpg.age
+
+$ age -d -i ~/.ssh/id_ed25519 example.jpg.age &gt; example.jpg
+</code></pre>
+
+<p>Encrypt to the SSH keys of a GitHub user:</p>
+
+<pre><code>$ curl https://github.com/benjojo.keys | age -R - example.jpg &gt; example.jpg.age
+</code></pre>
+
+<h2 id="SEE-ALSO">SEE ALSO</h2>
+
+<p><a class="man-ref" href="age-keygen.1.html">age-keygen<span class="s">(1)</span></a></p>
+
+<h2 id="AUTHORS">AUTHORS</h2>
+
+<p>Filippo Valsorda <a href="mailto:age@filippo.io" data-bare-link="true">age@filippo.io</a></p>
+
+
+  <ol class='man-decor man-foot man foot'>
+    <li class='tl'></li>
+    <li class='tc'>October 2021</li>
+    <li class='tr'>age(1)</li>
+  </ol>
+
+  </div>
+</body>
+</html>

doc/age.1.ronn

@@ -0,0 +1,239 @@
+age(1) -- simple, modern, and secure file encryption
+====================================================
+
+## SYNOPSIS
+
+`age` [`--encrypt`] (`-r` <RECIPIENT> | `-R` <PATH>)... [`--armor`] [`-o` <OUTPUT>] [<INPUT>]<br>
+`age` [`--encrypt`] `--passphrase` [`--armor`] [`-o` <OUTPUT>] [<INPUT>]<br>
+`age` `--decrypt` [`-i` <PATH>]... [`-o` <OUTPUT>] [<INPUT>]<br>
+
+## DESCRIPTION
+
+`age` encrypts or decrypts <INPUT> to <OUTPUT>. The <INPUT> argument is
+optional and defaults to standard input. Only a single <INPUT> file may be
+specified. If `-o` is not specified, <OUTPUT> defaults to standard output.
+
+If `--passphrase` is specified, the file is encrypted with a passphrase
+requested interactively. Otherwise, it's encrypted to one or more
+[RECIPIENTS][RECIPIENTS AND IDENTITIES] specified with `-r`/`--recipient` or
+`-R`/`--recipients-file`. Every recipient can decrypt the file.
+
+In `--decrypt` mode, passphrase-encrypted files are detected automatically and
+the passphrase is requested interactively. Otherwise, one or more
+[IDENTITIES][RECIPIENTS AND IDENTITIES] specified with `-i`/`--identity` are
+used to decrypt the file.
+
+`age` encrypted files are binary and not malleable, with around 200 bytes of
+overhead per recipient, plus 16 bytes every 64KiB of plaintext.
+
+## OPTIONS
+
+* `-o`, `--output`=<OUTPUT>:
+    Write encrypted or decrypted file to <OUTPUT> instead of standard output.
+    If <OUTPUT> already exists it will be overwritten.
+
+    If encrypting without `--armor`, `age` will refuse to output binary to a
+    TTY. This can be forced by specifying `-` as <OUTPUT>.
+
+* `--version`:
+    Print the version and exit.
+
+### Encryption options
+
+* `-e`, `--encrypt`:
+    Encrypt <INPUT> to <OUTPUT>. This is the default.
+
+* `-r`, `--recipient`=<RECIPIENT>:
+    Encrypt to the explicitly specified <RECIPIENT>. See the
+    [RECIPIENTS AND IDENTITIES][] section for possible recipient formats.
+
+    This option can be repeated and combined with `-R`/`--recipients-file`,
+    and the file can be decrypted by all provided recipients independently.
+
+* `-R`, `--recipients-file`=<PATH>:
+    Encrypt to the [RECIPIENTS][RECIPIENTS AND IDENTITIES] listed in the
+    file at <PATH>, one per line. Empty lines and lines starting with `#`
+    are ignored as comments.
+
+    If <PATH> is `-`, the recipients are read from standard input. In
+    this case, the <INPUT> argument must be specified.
+
+    This option can be repeated and combined with `-r`/`--recipient`,
+    and the file can be decrypted by all provided recipients independently.
+
+* `-p`, `--passphrase`:
+    Encrypt with a passphrase, requested interactively from the terminal.
+    `age` will offer to auto-generate a secure passphrase.
+
+    This option can't be used with `-r`/`--recipient` or
+    `-R`/`--recipients-file`.
+
+* `-a`, `--armor`:
+    Encrypt to an ASCII-only "armored" encoding.
+    
+    `age` armor is a strict version of PEM with type `AGE ENCRYPTED FILE`,
+    canonical "strict" Base64, no headers, and no support for leading and
+    trailing extra data.
+
+    Decryption transparently detects and decodes ASCII armoring.
+
+### Decryption options
+
+* `-d`, `--decrypt`:
+    Decrypt <INPUT> to <OUTPUT>.
+
+    If <INPUT> is passphrase encrypted, it will be automatically detected
+    and the passphrase will be requested interactively. Otherwise, the
+    [IDENTITIES][RECIPIENTS AND IDENTITIES] specified with `-i`/`--identity`
+    are used.
+
+    ASCII armoring is transparently detected and decoded.
+
+* `-i`, `--identity`=<PATH>:
+    Decrypt using the [IDENTITIES][RECIPIENTS AND IDENTITIES] at <PATH>.
+
+    <PATH> may be one of the following:
+
+    a\. A file listing [IDENTITIES][RECIPIENTS AND IDENTITIES] one per line.
+    Empty lines and lines starting with "`#`" are ignored as comments.
+
+    b\. An SSH private key file, in PKCS#1, PKCS#8, or OpenSSH format.
+    If the private key is password-protected, the password is requested
+    interactively only if the SSH identity matches the file. See the
+    [SSH keys][] section for more information, including supported key types.
+    
+    c\. "`-`", causing one of the options above to be read from standard input.
+    In this case, the <INPUT> argument must be specified.
+
+    This option can be repeated. Identities are tried in the order in which
+    are provided, and the first one matching one of the file's recipients is
+    used. Unused identities are ignored.
+
+    If `-e`/`--encrypt` is explicitly specified (to avoid confusion),
+    `-i`/`--identity` may also be used to encrypt to the `RECIPIENTS`
+    corresponding to the `IDENTITIES` listed at <PATH>. This allows using an
+    identity file as a symmetric key, if desired.
+
+## RECIPIENTS AND IDENTITIES
+
+`RECIPIENTS` are public values, like a public key, that a file can be encrypted
+to. `IDENTITIES` are private values, like a private key, that allow decrypting
+a file encrypted to the corresponding `RECIPIENT`.
+
+### Native X25519 keys
+
+Native `age` key pairs are generated with age-keygen(1), and provide small
+encodings and strong encryption based on X25519. They are the recommended
+recipient type for most applications.
+
+A `RECIPIENT` encoding begins with `age1` and looks like the following:
+
+    age1gde3ncmahlqd9gg50tanl99r960llztrhfapnmx853s4tjum03uqfssgdh
+
+An `IDENTITY` encoding begins with `AGE-SECRET-KEY-1` and looks like the
+following:
+
+    AGE-SECRET-KEY-1KTYK6RVLN5TAPE7VF6FQQSKZ9HWWCDSKUGXXNUQDWZ7XXT5YK5LSF3UTKQ
+
+An encrypted file can't be linked to the native recipient it's encrypted to
+without access to the corresponding identity.
+
+### SSH keys
+
+As a convenience feature, `age` also supports encrypting to RSA or Ed25519
+ssh(1) keys. RSA keys must be at least 2048 bits. This feature employs more
+complex cryptography, and should only be used when a native key is not available
+for the recipient. Note that SSH keys might not be protected long-term by the
+recipient, since they are revokable when used only for authentication.
+
+A `RECIPIENT` encoding is an SSH public key in `authorized_keys` format
+(see the `AUTHORIZED_KEYS FILE FORMAT` section of sshd(8)), starting with
+`ssh-rsa` or `ssh-ed25519`, like the following:
+
+    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULTit0KUehbi[...]GU4BtElAbzh8=
+    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9pO5pz22JZEas[...]l1uZc31FGYMXa
+
+The comment at the end of the line, if present, is ignored.
+
+In recipient files passed to `-R`/`--recipients-file`, unsupported but valid
+SSH public keys are ignored with a warning, to facilitate using
+`authorized_keys` or GitHub `.keys` files. (See [EXAMPLES][].)
+
+An `IDENTITY` is an SSH private key _file_ passed individually to
+`-i`/`--identity`. Note that keys held on hardware tokens such as YubiKeys
+or accessed via ssh-agent(1) are not supported.
+
+An encrypted file _can_ be linked to the SSH public key it was encrypted to.
+This is so that `age` can identify the correct SSH private key before
+requesting its password, if any.
+
+## EXIT STATUS
+
+`age` will exit 0 if and only if encryption or decryption are successful for the
+full length of the input.
+
+If an error occurs during decryption, partial output might still be generated,
+but only if it was possible to securely authenticate it. No unauthenticathed
+output is ever released.
+
+## BACKWARDS COMPATIBILITY
+
+Files encrypted with a stable version (not alpha, beta, or release candidate) of
+`age`, or with any v1.0.0 beta or release candidate, will decrypt with any later
+version of the tool.
+
+If decrypting older files poses a security risk, doing so might cause an error
+by default. In this case, a flag will be provided to force the operation.
+
+## EXAMPLES
+
+Generate a new identity, encrypt data, and decrypt:
+
+    $ age-keygen -o key.txt
+    Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+
+    $ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
+
+    $ age -d -o data.tar.gz -i key.txt data.tar.gz.age
+
+Encrypt `example.jpg` to multiple recipients and output to `example.jpg.age`:
+
+    $ age -o example.jpg.age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p \
+        -r age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg example.jpg
+
+Encrypt to a list of recipients:
+
+    $ cat > recipients.txt
+    # Alice
+    age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
+    # Bob
+    age1lggyhqrw2nlhcxprm67z43rta597azn8gknawjehu9d9dl0jq3yqqvfafg
+
+    $ age -R recipients.txt example.jpg > example.jpg.age
+
+Encrypt and decrypt a file using a passphrase:
+
+    $ age -p secrets.txt > secrets.txt.age
+    Enter passphrase (leave empty to autogenerate a secure one):
+    Using the autogenerated passphrase "release-response-step-brand-wrap-ankle-pair-unusual-sword-train".
+
+    $ age -d secrets.txt.age > secrets.txt
+    Enter passphrase:
+
+Encrypt and decrypt with an SSH public key:
+
+    $ age -R ~/.ssh/id_ed25519.pub example.jpg > example.jpg.age
+
+    $ age -d -i ~/.ssh/id_ed25519 example.jpg.age > example.jpg
+
+Encrypt to the SSH keys of a GitHub user:
+
+    $ curl https://github.com/benjojo.keys | age -R - example.jpg > example.jpg.age
+
+## SEE ALSO
+
+age-keygen(1)
+
+## AUTHORS
+
+Filippo Valsorda <age@filippo.io>

internal/format/format.go

@@ -43,25 +43,40 @@ func DecodeString(s string) ([]byte, error) {
 var EncodeToString = b64.EncodeToString
 
 const ColumnsPerLine = 64
+
 const BytesPerLine = ColumnsPerLine / 4 * 3
 
-// NewlineWriter returns a Writer that writes to dst, inserting an LF character
-// every ColumnsPerLine bytes. It does not insert a newline neither at the
-// beginning nor at the end of the stream, but it ensures the last line is
-// shorter than ColumnsPerLine, which means it might be empty.
-func NewlineWriter(dst io.Writer) io.Writer {
-	return &newlineWriter{dst: dst}
+// NewWrappedBase64Encoder returns a WrappedBase64Encoder that writes to dst.
+func NewWrappedBase64Encoder(enc *base64.Encoding, dst io.Writer) *WrappedBase64Encoder {
+	w := &WrappedBase64Encoder{dst: dst}
+	w.enc = base64.NewEncoder(enc, WriterFunc(w.writeWrapped))
+	return w
 }
 
-type newlineWriter struct {
+type WriterFunc func(p []byte) (int, error)
+
+func (f WriterFunc) Write(p []byte) (int, error) { return f(p) }
+
+// WrappedBase64Encoder is a standard base64 encoder that inserts an LF
+// character every ColumnsPerLine bytes. It does not insert a newline neither at
+// the beginning nor at the end of the stream, but it ensures the last line is
+// shorter than ColumnsPerLine, which means it might be empty.
+type WrappedBase64Encoder struct {
+	enc     io.WriteCloser
 	dst     io.Writer
 	written int
 	buf     bytes.Buffer
 }
 
-func (w *newlineWriter) Write(p []byte) (int, error) {
+func (w *WrappedBase64Encoder) Write(p []byte) (int, error) { return w.enc.Write(p) }
+
+func (w *WrappedBase64Encoder) Close() error {
+	return w.enc.Close()
+}
+
+func (w *WrappedBase64Encoder) writeWrapped(p []byte) (int, error) {
 	if w.buf.Len() != 0 {
-		panic("age: internal error: non-empty newlineWriter.buf")
+		panic("age: internal error: non-empty WrappedBase64Encoder.buf")
 	}
 	for len(p) > 0 {
 		toWrite := ColumnsPerLine - (w.written % ColumnsPerLine)
@@ -84,9 +99,18 @@ func (w *newlineWriter) Write(p []byte) (int, error) {
 	return len(p), nil
 }
 
+// LastLineIsEmpty returns whether the last output line was empty, either
+// because no input was written, or because a multiple of BytesPerLine was.
+//
+// Calling LastLineIsEmpty before Close is meaningless.
+func (w *WrappedBase64Encoder) LastLineIsEmpty() bool {
+	return w.written%ColumnsPerLine == 0
+}
+
 const intro = "age-encryption.org/v1\n"
 
 var recipientPrefix = []byte("->")
+
 var footerPrefix = []byte("---")
 
 func (r *Stanza) Marshal(w io.Writer) error {
@@ -101,7 +125,7 @@ func (r *Stanza) Marshal(w io.Writer) error {
 	if _, err := io.WriteString(w, "\n"); err != nil {
 		return err
 	}
-	ww := base64.NewEncoder(b64, NewlineWriter(w))
+	ww := NewWrappedBase64Encoder(b64, w)
 	if _, err := ww.Write(r.Body); err != nil {
 		return err
 	}