AGE-PLUGIN-BATCHPASS(1)     General Commands Manual     AGE-PLUGIN-BATCHPASS(1)

NAME
       age-plugin-batchpass - non-interactive passphrase encryption plugin for
       age(1)

SYNOPSIS
       age -e -j batchpass
       age -d -j batchpass

DESCRIPTION
       age-plugin-batchpass is an age(1) plugin that enables non-interactive
       passphrase-based encryption and decryption using environment variables.

WARNING
       This functionality is not built into the age CLI because most
       applications should use native keys instead of scripting
       passphrase-based encryption.

       Humans are notoriously bad at remembering and generating strong
       passphrases. age uses scrypt to partially mitigate this, which is
       necessarily very slow.

       If a computer will be doing the remembering anyway, you can and should
       use native keys instead. There is no need to manage separate public and
       private keys; you encrypt directly to the private key:

           $ age-keygen -o key.txt
           $ age -e -i key.txt file.txt > file.txt.age
           $ age -d -i key.txt file.txt.age > file.txt

       Likewise, you can store a native identity string in an environment
       variable or through your CI secrets manager and use it to encrypt and
       decrypt files non-interactively:

           $ export AGE_SECRET=$(age-keygen)
           $ age -e -i <(echo "$AGE_SECRET") file.txt > file.txt.age
           $ age -d -i <(echo "$AGE_SECRET") file.txt.age > file.txt

       The age CLI also natively supports passphrase-encrypted identity files,
       so you can use that functionality to non-interactively encrypt multiple
       files such that you will be able to decrypt them later by entering the
       same passphrase:

           $ age-keygen -pq | age -p -o encrypted-identity.txt
           Public key: age1pq1cd[... 1950 more characters ...]
           Enter passphrase (leave empty to autogenerate a secure one):
           age: using autogenerated passphrase "eternal-erase-keen-suffer-fog-exclude-huge-scorpion-escape-scrub"
           $ age -r age1pq1cd[... 1950 more characters ...] file.txt > file.txt.age
           $ age -d -i encrypted-identity.txt file.txt.age > file.txt
           Enter passphrase for identity file "encrypted-identity.txt":

       Finally, when using this plugin, care should be taken not to let the
       password be persisted in the shell history or leaked to other users on
       multi-user systems.

ENVIRONMENT
       AGE_PASSPHRASE
              The passphrase to use for encryption or decryption. Mutually
              exclusive with AGE_PASSPHRASE_FD.

       AGE_PASSPHRASE_FD
              A file descriptor number to read the passphrase from. Trailing
              newlines are stripped from the file contents. Mutually exclusive
              with AGE_PASSPHRASE.

       AGE_PASSPHRASE_WORK_FACTOR
              The scrypt work factor to use when encrypting. Must be between 1
              and 30. Default is 18. Higher values are more secure but slower.

       AGE_PASSPHRASE_MAX_WORK_FACTOR
              The maximum scrypt work factor to accept when decrypting. Must
              be between 1 and 30. Default is 30. Can be used to avoid very
              slow decryptions.

EXAMPLES
       Encrypt a file with a passphrase:

           $ AGE_PASSPHRASE=secret age -e -j batchpass file.txt > file.txt.age

       Decrypt a file with a passphrase:

           $ AGE_PASSPHRASE=secret age -d -j batchpass file.txt.age > file.txt

       Read the passphrase from a file descriptor:

           $ AGE_PASSPHRASE_FD=3 age -e -j batchpass file.txt 3< passphrase.txt > file.txt.age
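
       The following wrapper is an added example, not part of this manual
       page or of age. It checks the ENVIRONMENT constraints and the
       passphrase file's permissions before running the file-descriptor
       form above. The function names and the private-file policy are
       assumptions of the example.

```shell
#!/bin/sh
# Added example: preflight checks for a scripted batchpass job.
# Function names and the passphrase-file policy are assumptions of this
# example, not part of age or the plugin.

# Succeeds only for an integer in the documented 1..30 range.
valid_work_factor() {
    case "$1" in
        [1-9]|[12][0-9]|30) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks the ENVIRONMENT constraints before age is started.
batchpass_env_ok() {
    if [ -n "${AGE_PASSPHRASE:-}" ] && [ -n "${AGE_PASSPHRASE_FD:-}" ]; then
        echo "AGE_PASSPHRASE and AGE_PASSPHRASE_FD are mutually exclusive" >&2
        return 1
    fi
    # Example policy: require one passphrase source to be present.
    if [ -z "${AGE_PASSPHRASE:-}${AGE_PASSPHRASE_FD:-}" ]; then
        echo "no passphrase source set" >&2
        return 1
    fi
    for name in AGE_PASSPHRASE_WORK_FACTOR AGE_PASSPHRASE_MAX_WORK_FACTOR; do
        eval "value=\${$name:-}"
        if [ -n "$value" ] && ! valid_work_factor "$value"; then
            echo "$name must be between 1 and 30" >&2
            return 1
        fi
    done
    return 0
}

# Succeeds if $1 is a regular file with no group or other permission bits.
passphrase_file_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Encrypts $2 to $3, passing passphrase file $1 on fd 3 as in EXAMPLES, so
# the passphrase is not in argv, the environment, or shell history.
batchpass_encrypt() {
    passphrase_file_private "$1" || { echo "$1 is not private" >&2; return 1; }
    (
        unset AGE_PASSPHRASE
        AGE_PASSPHRASE_FD=3
        export AGE_PASSPHRASE_FD
        batchpass_env_ok && age -e -j batchpass "$2" 3< "$1" > "$3"
    )
}
```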

SEE ALSO
       age(1)

AUTHORS
       Filippo Valsorda age@filippo.io

                                 December 2025         AGE-PLUGIN-BATCHPASS(1)
