ChaCha20-Poly1305.

The cipher that does the real work. After X25519 agrees on a key, ChaCha20-Poly1305 encrypts the file contents in authenticated chunks — so any tampering is detected on decryption, not silently passed through.

// definition

ChaCha20-Poly1305 is an AEAD (Authenticated Encryption with Associated Data) construction combining the ChaCha20 stream cipher with the Poly1305 message authentication code, standardized in RFC 8439.

What it is

age splits the file payload into 64 KiB chunks and encrypts each one with ChaCha20-Poly1305 under a key derived from the file key via HKDF. Each chunk carries an authentication tag, and the final chunk is marked, so truncation and tampering are both detected.

Why it matters

AEAD means confidentiality and integrity in one step. You cannot accidentally decrypt corrupted or maliciously modified ciphertext and get plausible-looking garbage — the tag check fails and decryption stops. ChaCha20 is also fast in software on phones, which often lack the AES hardware paths desktops rely on.
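The chunked layout described under "What it is", and the rejection of tampered or truncated input, as an added Python sketch (not AgePony's or age's own code) using the `cryptography` package. The HKDF parameters and the 12-byte nonce layout are assumptions taken from the age specification rather than from this page; the key and sample data are constructed.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

CHUNK = 64 * 1024  # plaintext bytes per chunk (64 KiB)
TAG = 16           # Poly1305 tag appended to every sealed chunk
SALT = 16          # random payload nonce stored ahead of the chunks

def payload_key(file_key: bytes, salt: bytes) -> bytes:
    # Assumption (age spec): HKDF-SHA-256, salt = payload nonce, info = "payload".
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=salt, info=b"payload").derive(file_key)

def chunk_nonce(counter: int, final: bool) -> bytes:
    # Assumption (age spec): 11-byte big-endian counter, then 0x01 on the final chunk only.
    return counter.to_bytes(11, "big") + (b"\x01" if final else b"\x00")

def encrypt_payload(file_key: bytes, plaintext: bytes) -> bytes:
    salt = os.urandom(SALT)
    aead = ChaCha20Poly1305(payload_key(file_key, salt))
    # An empty file still yields one (empty) final chunk, so it carries a tag.
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)] or [b""]
    last = len(chunks) - 1
    return salt + b"".join(
        aead.encrypt(chunk_nonce(i, i == last), c, None) for i, c in enumerate(chunks))

def decrypt_payload(file_key: bytes, payload: bytes) -> bytes:
    salt, body = payload[:SALT], payload[SALT:]
    aead = ChaCha20Poly1305(payload_key(file_key, salt))
    sealed = [body[i:i + CHUNK + TAG] for i in range(0, len(body), CHUNK + TAG)]
    if not sealed:
        raise InvalidTag("payload has no chunks")
    last = len(sealed) - 1
    # Whichever chunk arrives last is checked with the final flag set, so a stream
    # cut at a chunk boundary fails: that chunk was sealed with the flag cleared.
    parts = [aead.decrypt(chunk_nonce(i, i == last), s, None) for i, s in enumerate(sealed)]
    if last > 0 and not parts[last]:
        raise InvalidTag("empty final chunk after data")
    return b"".join(parts)

if __name__ == "__main__":
    key = os.urandom(16)                # constructed 16-byte file key
    data = os.urandom(2 * CHUNK + 100)  # constructed sample spanning three chunks
    ct = encrypt_payload(key, data)
    assert decrypt_payload(key, ct) == data
    try:
        decrypt_payload(key, ct[:SALT + 2 * (CHUNK + TAG)])  # final chunk removed
    except InvalidTag:
        print("truncated payload rejected")
```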

// in AgePony

AgePony uses the same chunked ChaCha20-Poly1305 payload format as the age specification, including the chunk size and final-chunk marking, so streams interoperate exactly.

Common questions.

Why not AES?

ChaCha20 is fast without hardware acceleration and avoids cache-timing pitfalls, which suits mobile devices. It is the modern default in TLS and WireGuard for the same reasons.

Does it detect tampering?

Yes. The Poly1305 tag on every chunk fails if the ciphertext was altered, so decryption refuses bad data.
