scrypt.
When you do not have a key and just want a password, age uses scrypt. It is a memory-hard key derivation function that makes brute-forcing a passphrase expensive in both time and RAM.
scrypt is a password-based key derivation function designed to resist large-scale custom-hardware attacks by requiring significant memory, not just CPU time.
What it is
In age's passphrase mode, scrypt stretches your passphrase into the file key. A work-factor parameter controls how expensive each guess is. Because scrypt is memory-hard, an attacker cannot cheaply parallelize guesses on GPUs or ASICs the way they can with simple hash iteration.
Why it matters
Passphrase mode means you can encrypt a file to yourself with nothing but a password you remember — no key management at all. The tradeoff is that the security ceiling is your passphrase's strength, so length matters. scrypt buys you a large constant factor of protection, but a weak passphrase is still a weak passphrase.
Related terms
Common questions.
How strong should my passphrase be?
Use a long passphrase — several random words — not a short password. scrypt slows attackers but cannot rescue a guessable phrase.
Can I mix passphrase and key recipients?
age treats scrypt as its own recipient type; a file is either passphrase-encrypted or key-encrypted, not both at once.
Get AgePony
Free file encryption for iOS and Android. No accounts, no tracking, no servers.