Using Age to Publicly Post Sensitive Data

Written by Paco Pascal, on 11 June 2022.
Tags: #unix #linux #gpg #age #cryptography

1. The Problem

Recently, I had an issue where I was working on a set of remote servers and needed to copy files between different servers. Some of the servers were sandboxes that could've been infected by malicious software; therefore, I didn't want to leak any information in the sandboxes about any production servers or credentials.

My first instinct was to post to pastebin. But I wanted to encrypt the data before posting. Using GnuPG in the sandboxes was problematic. This is where Age provided a convenient solution.

2. The Solution

On a production machine, we can easily create a temporary Age key by doing,

age-keygen -o key.txt

which gives the following output,

Public key: age15v5xqysc8g7spuzdyk0v5q90m609ruaecwnlv2x67zv5xqnju4esp2tz3j

Instead of using, pastebin for posting, we'll use which doesn't require an API key. On the insecure server, do the following,

age --encrypt -r age15v5xqysc8g7spuzdyk0v5q90m609ruaecwnlv2x67zv5xqnju4esp2tz3j -a /path/to/private/file | curl -F 'file=@-'

which will output a URL, such as

Now we can download this file and decrypt it in a safe location.

curl -s | age --decrypt -i key.txt -o secret_file.txt

3. Solution Simplification

We can make this process smoother by writing two scripts. An upload script such as,



if [ -z "$RECIPIENTS" ]; then
    echo "Usage: $0 [recipient public key]..."
    exit 1

for r in $RECIPIENTS; do
    AGEFLAGS="${AGEFLAGS} -r ${r}"

age $AGEFLAGS -a | curl -F 'file=@-'

and a download script such as,



if [ -z $URL ]; then
    echo "Usage: $0 url [age key file]"
    exit 1

curl -s $URL | age --decrypt -i ${AGEKEY}

Now if we have two age keys, key-1.txt (age1dwj4jcfp9wfpslrj4gnws5y5llzetdzu0cpndtr96fr3htlgdvusk6w8tg) and key-2.txt (age1xqz970tzhklqp0qyz9x3c3yur3jd65urasmwer0thzc4k6y6qftq7sc2zw), we can upload an encrypted file for both keys by doing,

echo secret text | ./ \
  age1dwj4jcfp9wfpslrj4gnws5y5llzetdzu0cpndtr96fr3htlgdvusk6w8tg \

and download the same content for each key,

1: $ ./ key-1.txt
2: secret text
3: $ ./ key-2.txt
4: secret text