age for sysadmins.
If your infrastructure already speaks age, AgePony is the piece that lets you handle those encrypted files away from your desk — encrypt a credential to the right recipients, sign an artifact, and authorize it all with a security key you tap against the phone.
The workflow this addresses.
A teammate is locked out and needs a credential, now, and you're not at your workstation. Or a deploy is waiting on a signed artifact. age is already a common backbone for encrypted config in modern infra; AgePony gives you a mobile front end to it that produces the exact same files your tooling consumes.
What age does for you here, and what it doesn't.
Recipient-encrypted files, hardware-signed
Encrypt a credential or config file to one or several recipients' keys. Sign a release or artifact with SSHSIG, optionally backed by a FIDO security key tapped over NFC so the signing key stays off the device. Everything is standard age and SSHSIG, ready for your pipeline.
Not in scope
AgePony isn't a secrets manager. It doesn't store credentials, enforce access policy, audit access, or rotate keys on a schedule. It's the encrypt-and-sign step, not the vault, the CI runner, or the policy engine.
A concrete workflow.
- An on-call engineer needs a service credential. Pull the file, or its plaintext, into AgePony.
- Encrypt it to their key — by pasted age recipient, SSH key, or GitHub username — and to your own key too so you keep access.
- Send the `.age` file through your normal channel. Only the intended recipients can open it.
- For a release artifact, sign it in AgePony. If policy requires hardware, tap your FIDO security key over NFC to authorize the signature.
- Publish the artifact and its `.sig`. Your deploy step verifies with `ssh-keygen -Y verify` before trusting it.
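The deploy-side check from the last step could look like the sketch below. This is an added example, not code from AgePony or from this page. The signer identity, the `file` signature namespace and the file names are assumptions, so substitute the values your signer actually used.

```shell
#!/bin/sh
# Added example: deploy-side gate around `ssh-keygen -Y verify`.
# Assumed, not from the page: the signer identity, the "file" namespace,
# and the file names passed in by the caller.

# make_allowed_signers PUBKEY_FILE IDENTITY NAMESPACE
# Prints one allowed_signers line that trusts the key only for IDENTITY
# and only for signatures made under NAMESPACE.
make_allowed_signers() {
    printf '%s namespaces="%s" %s\n' "$2" "$3" "$(cat "$1")"
}

# verify_artifact ARTIFACT SIG ALLOWED_SIGNERS IDENTITY NAMESPACE
# Returns 0 only when SIG is a valid SSHSIG over ARTIFACT from a key that
# ALLOWED_SIGNERS lists for IDENTITY. Returns 2 if an input is unreadable,
# so a missing .sig fails closed instead of skipping the check.
verify_artifact() {
    [ -r "$1" ] && [ -r "$2" ] && [ -r "$3" ] || return 2
    ssh-keygen -Y verify -f "$3" -I "$4" -n "$5" -s "$2" < "$1" \
        >/dev/null 2>&1
}

# Stand-alone use: verify.sh app.tar app.tar.sig allowed_signers ID NS
if [ "$#" -eq 5 ]; then
    if verify_artifact "$@"; then
        echo "signature OK: $1"
    else
        echo "REJECTED: $1" >&2
        exit 1
    fi
fi
```

Keep the allowed_signers file under the deploy system's control, not alongside the artifact, so whoever can replace the artifact cannot also replace the list of trusted keys.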
Is AgePony right for your ops workflow?
A good fit if:
- Your infrastructure already uses age for encrypted config.
- You want to handle those files from a phone during an incident.
- You sign artifacts and want a hardware-key option.
- You value standard, tool-compatible output.

Look elsewhere if:
- You need a full secrets manager with policy, audit, and rotation.
- Your stack is built on OpenPGP rather than age — use PGPony.
- You need automated, unattended encryption in a pipeline — that's the CLI's job.
Related material.
See encrypting to an SSH key and signing with a hardware security key. To weigh age against your current setup, read AgePony vs the age CLI.
Get AgePony
Free file encryption for iOS and Android. No accounts, no tracking, no servers.