NAME¶

age-keygen - generate age(1) key pairs

SYNOPSIS¶

age-keygen [-pq] [-o OUTPUT]
age-keygen -y [-o OUTPUT] [INPUT]

DESCRIPTION¶

age-keygen generates a new native age(1) key pair, and outputs the identity to standard output or to the OUTPUT file. The output includes the public key and the current time as comments.

If the output is not going to a terminal, age-keygen prints the public key to standard error.

OPTIONS¶

-pq

Generate a post-quantum hybrid ML-KEM-768 + X25519 key pair.

In the future, this might become the default.

-o, --output=OUTPUT

Write the identity to OUTPUT instead of standard output.

If OUTPUT already exists, it is not overwritten.

-y

Read an identity file from INPUT or from standard input and output the corresponding recipient(s), one per line, with no comments.

--version

Print the version and exit.

EXAMPLES¶

Generate a new post-quantum identity:

$ age-keygen -pq
# created: 2025-11-17T13:39:06+01:00
# public key: age1pq167[... 1950 more characters ...]
AGE-SECRET-KEY-PQ-1K30MYPZAHAXHR22YHH27EGDVLU0QNSUH3DSV7J7NR3X6D9LHXNWSDLTV4T

Generate a new traditional identity:

$ age-keygen
# created: 2021-01-02T15:30:45+01:00
# public key: age1lvyvwawkr0mcnnnncaghunadrqkmuf9e6507x9y920xxpp866cnql7dp2z
AGE-SECRET-KEY-1N9JEPW6DWJ0ZQUDX63F5A03GX8QUW7PXDE39N8UYF82VZ9PC8UFS3M7XA9

Write a new post-quantum identity to key.txt:

$ age-keygen -o key.txt
Public key: age1pq1cd[... 1950 more characters ...]

Convert an identity to a recipient:

$ age-keygen -y key.txt
age1pq1cd[... 1950 more characters ...]

SEE ALSO¶

age(1), age-inspect(1)

AUTHORS¶

Filippo Valsorda age@filippo.io