X25519.

The asymmetric half of age. X25519 is an elliptic-curve Diffie-Hellman function on Curve25519 — fast, small, and with a strong security margin. It is how age turns a recipient's public key into a shared secret that wraps the file key.

// definition

X25519 is the Diffie-Hellman key agreement protocol over Curve25519, standardized in RFC 7748. In age it derives a per-recipient shared secret used to encrypt (wrap) the symmetric file key.

What it is

For each recipient, age generates an ephemeral X25519 keypair, performs Diffie-Hellman against the recipient's public key, and uses the result to wrap the file's randomly generated payload key. The recipient repeats the agreement with their private key to unwrap it.
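The agreement described above, as an added example that is not code from age or AgePony. It goes one step beyond the page by also showing the HKDF-SHA-256 derivation that the age v1 specification applies to the shared secret (salt and info label taken from that specification); the function names are illustrative, and the final ChaCha20-Poly1305 encryption of the file key under the derived key is left out.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665             # field prime; (486662 - 2) / 4 from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")
AGE_INFO = b"age-encryption.org/v1/X25519"   # HKDF label from the age v1 spec

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Python ints are not constant-time: study aid only."""
    k = (int.from_bytes(scalar, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # ignore the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:                   # real code uses a branch-free cswap here
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()              # RFC 5869 extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()   # one expand block

def wrap_key(shared: bytes, ephemeral_share: bytes, recipient_pub: bytes) -> bytes:
    if shared == bytes(32):              # low-order input point: refuse it
        raise ValueError("all-zero X25519 shared secret")
    return hkdf_sha256(shared, ephemeral_share + recipient_pub, AGE_INFO)

def sender_wrap_key(recipient_pub: bytes):
    """Encrypting side: fresh ephemeral key per recipient; the share goes in the header."""
    eph = os.urandom(32)
    share = x25519(eph, BASEPOINT)
    return share, wrap_key(x25519(eph, recipient_pub), share, recipient_pub)

def recipient_wrap_key(identity: bytes, ephemeral_share: bytes) -> bytes:
    """Decrypting side: same secret from the private identity and the header share."""
    pub = x25519(identity, BASEPOINT)
    return wrap_key(x25519(identity, ephemeral_share), ephemeral_share, pub)

if __name__ == "__main__":
    identity = os.urandom(32)            # constructed recipient identity for the demo
    share, key = sender_wrap_key(x25519(identity, BASEPOINT))
    print("wrap keys match:", key == recipient_wrap_key(identity, share))
```

Because the ephemeral share and the recipient's public key are both bound into the HKDF salt, two files encrypted to the same recipient never reuse a wrapping key.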

Why it matters

X25519 keys are only 32 bytes, generate in well under a millisecond, and have widely audited constant-time implementations. That combination of speed, size, and safety is exactly why age (and modern protocols like TLS 1.3 and WireGuard) standardized on it.

// in AgePony

AgePony performs X25519 key agreement identically to the reference implementation, so its wrapped keys interoperate with the age CLI byte-for-byte.

Common questions.

Is X25519 the same as Curve25519?

Curve25519 is the curve; X25519 is the Diffie-Hellman function defined on it. People often use the names interchangeably.

How does this relate to Ed25519?

Ed25519 is the signing counterpart on the same curve family. age uses X25519 for encryption and SSHSIG/Ed25519 for signing.
