age package¶

Subpackages¶

Submodules¶

age.cli module¶

age.cli.decrypt(infile=None, outfile=None, ask_password=False, keyfiles=None, ascii_armored=False)¶

Decrypt a file encrypted with ‘age encrypt’.

Ciphertext can be passed from the standard input stream and from a file. Plaintext will by default be written to the standard output stream, but a filename can be specified.

Decryption is attempted with keys from the following locations: - Age private keys from ‘age generate’ in file ~/.config/age/keys.txt - Private SSH keys at ~/.ssh/id_* - Age private keys in files passed via KEYFILES.

If the ‘-p’ switch is provided, age will prompt for a password and also attempt to decrypt the message with the given password.

Parameters

infile (Optional[BinaryIO]) –
outfile (Optional[BinaryIO]) –
ask_password (bool) –
keyfiles (Optional[List[str]]) –
ascii_armored (bool) –

Return type

age.cli.encrypt(recipients=None, infile=None, outfile=None, ask_password=False, ascii_armored=False)¶

Encrypt data for the given recipients.

RECIPIENTS can be a list of either: - aliases (from ~/.config/age/aliases.txt) - age public keys (starting with “age1…”) - SSH public keys (starting with “ssh-rsa” or “ssh-ed25519”) - Files with one key per line (no aliases allowed) - URLs to files with one key per line (no aliases allowed) - GitHub usernames (will fetch SSH public keys from https://github.com/USERNAME.keys)

Plaintext data can be passed via the standard input stream or from a file. Encryption to the standard output stream is only allowed if the stream is not bound to a TTY, in any case an output file can be used.

A password recipient can be added with the ‘-p’ option. age will prompt for the password.

Note that in this case, anyone in possession of the password can tamper with the message, therefore it is recommended to not mix password- and public key recipients.

Parameters

recipients (Optional[List[str]]) –
infile (Optional[BinaryIO]) –
outfile (Optional[BinaryIO]) –
ask_password (bool) –
ascii_armored (bool) –

Return type

age.cli.generate(outfile=None)¶

Generate a new age private/public key pair.

If no FILENAME is given, the command outputs the key pair to the standard output stream.

If FILENAME exists, age will warn if the file permissions allow others to read, write or execute the file.

Parameters: outfile (Optional[TextIO]) –
Return type: None

age.exceptions module¶

exception age.exceptions.AuthenticationFailed¶

Bases: Exception

Raised if the MAC does not verify

exception age.exceptions.NoIdentity¶

Bases: Exception

Raised if no matching identity could be found

exception age.exceptions.ParserError¶

Bases: Exception

Raised if the header could not be parsed

exception age.exceptions.UnknownRecipient¶

Bases: Exception

Raised when an unknown recipient line was encountered during header parsing

age.file module¶

class age.file.Decryptor(identities, stream)¶

Bases: io.RawIOBase

Parameters

identities (Collection[DecryptionKey]) –
stream (BinaryIO) –

read(size=- 1)¶

readable()¶

Return whether object was opened for reading.

If False, read() will raise OSError.

class age.file.Encryptor(keys, stream)¶

Bases: io.RawIOBase

Parameters

keys (Collection[EncryptionKey]) –
stream (BinaryIO) –

close()¶

Flush and close the IO object.

This method has no effect if the file is already closed.

writable()¶

Return whether object was opened for writing.

If False, write() will raise OSError.

write(data)¶

age.format module¶

class age.format.Header(recipients=None)¶

Bases: object

Parameters: recipients (Optional[List[Recipient]]) –

class age.format.Recipient(type='', arguments=None, body='')¶

Bases: object

Parameters

type (str) –
arguments (Optional[List[str]]) –
body (str) –

age.format.dump_header(header, stream, mac=None)¶

Parameters

header (Header) –
stream (BinaryIO) –
mac (Optional[bytes]) –

age.format.load_header(stream)¶

Parameters: stream (BinaryIO) –
Return type: Tuple[Header, bytes]

age.keyloader module¶

age.keyloader.load_aliases(filename='~/.config/age/aliases.txt')¶

Return type: Dict[str, List[str]]

age.keyloader.load_keys_txt(filename='~/.config/age/keys.txt')¶

Return type: List[DecryptionKey]

age.keyloader.load_ssh_keys(root='~/.ssh')¶

Return type: Collection[DecryptionKey]

age.keyloader.load_ssh_private_key(filename, password=None)¶

Return type: Optional[DecryptionKey]

age.keyloader.resolve_public_key(keystr, aliases=None, read_aliases=True, read_files=True, read_urls=True)¶

Parameters

keystr (str) –
aliases (Optional[Dict[str, List[str]]]) –

Return type

List[EncryptionKey]

age.openssh_keys module¶

exception age.openssh_keys.InvalidKeyFile¶: Bases: Exception

exception age.openssh_keys.WrongPassphrase¶: Bases: Exception

age.openssh_keys.load_openssh_private_key(openssh_data, passphrase=None)¶

Load OpenSSH key in “”PEM”” format.

The files look like PEM, but aren’t. OpenSSH keys are “proprietary” and can be identified by the line “—–BEGIN OPENSSH PRIVATE KEY—–”.

Parameters

openssh_data (bytes) –
passphrase (Optional[bytes]) –

Return type

Union[RSAPrivateKey, DSAPrivateKey, EllipticCurvePrivateKey, Ed25519PrivateKey]

age.stream module¶

age.stream.stream_decrypt(key, data)¶

Parameters

key (bytes) –
data (bytes) –

Return type

age.stream.stream_encrypt(key, data)¶

Parameters

key (bytes) –
data (bytes) –

Return type

Module contents¶