age was built to replace one specific job PGP does — encrypting a file — and to do nothing else. That narrowness is the whole point. Here's the honest version of when each one fits.
PGP (and its common implementation, GPG/GnuPG) has been the default for file and email encryption for decades. It's powerful and flexible: it encrypts, it signs, it manages a web of trust, it talks to key servers, it supports a long list of algorithms and options. That flexibility is also its problem — the surface area is enormous, the defaults have aged, and the sharp edges have caused real-world mistakes.
age, created by cryptographer Filippo Valsorda, takes the opposite stance. It does file encryption with one modern construction (X25519 key agreement, ChaCha20-Poly1305 encryption), tiny copy-pasteable keys, and effectively zero configuration. No key servers, no web of trust, no cipher menu.
Simplicity that prevents mistakes. There are almost no options to get wrong. A recipient is a short string. There's no keyring to corrupt, no expired-subkey puzzle, no trust database.
Small, shareable keys. An age public key is a single short line you can paste into a chat. age also accepts SSH public keys as recipients, so you can encrypt to the key someone already publishes on GitHub with no setup at all.
Modern crypto by default. No legacy algorithms to accidentally select. The format is specified and has multiple independent implementations.
UNIX-friendly. It reads and writes streams, so it composes cleanly with pipes and scripts.
Signing. This is the big one. age does not sign messages — that omission is deliberate, because combining encryption and signatures safely is subtle. If you need to prove a file or release came from you (signing software releases, signing git commits/tags, verifying package signatures), that's PGP's job, not age's.
Existing ecosystems. If you're slotting into something already built on PGP — a distro's package signing, an OpenPGP-based email flow, a team that already exchanges PGP keys — staying with PGP is the path of least resistance.
Hardware-token identity at rest. PGP has long, mature smartcard/YubiKey support for decryption identities. age supports hardware through plugins, but the story is younger.
"If age can't sign, isn't it less secure?" No — it's solving a different problem. For most file-sharing, you authenticate the channel some other way (you got the key from a trusted place) and you just need confidentiality. When you genuinely need a publicly verifiable signature, reach for a signing tool built for it.
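A file round trip on the command line, as an added example that is not from the original post or the AgePony project: it assumes the `age`, `age-keygen` and `ssh-keygen` binaries are on PATH (and skips if age is absent), generates a throwaway age identity and SSH key, encrypts a message from a pipe to both recipients at once, decrypts with either identity, and shows that a damaged ciphertext is rejected. The last step is the integrity check the question above alludes to: age rejects tampering, but that says nothing about who produced the file.

```shell
#!/bin/sh
# Added example, not from the original post or the AgePony project.
# Assumes the age, age-keygen and ssh-keygen binaries are on PATH.
# Prints "ok" on a successful round trip, or a skip notice if age is absent.

age_roundtrip() {
  if ! command -v age >/dev/null 2>&1 || ! command -v age-keygen >/dev/null 2>&1; then
    echo "skipped: age not installed"
    return 0
  fi
  work=$(mktemp -d) || return 1

  # A native age identity: one small file; the recipient is a single line.
  age-keygen -o "$work/key.txt" 2>/dev/null
  recipient=$(age-keygen -y "$work/key.txt")

  # An SSH key used as a second recipient (constructed here, no passphrase).
  ssh-keygen -q -t ed25519 -N "" -C "demo" -f "$work/id_ed25519"

  # Encrypt from a pipe to both recipients at once; output is a binary .age file.
  printf 'top secret\n' | age -r "$recipient" -R "$work/id_ed25519.pub" > "$work/msg.age"

  # Either identity decrypts the same file.
  a=$(age -d -i "$work/key.txt" "$work/msg.age")
  b=$(age -d -i "$work/id_ed25519" "$work/msg.age")

  # Drop the final byte: the payload's authentication tag no longer verifies,
  # so age refuses to produce plaintext. This proves integrity of the
  # ciphertext, not who produced it; age has no signature to check.
  size=$(wc -c < "$work/msg.age")
  head -c "$((size - 1))" "$work/msg.age" > "$work/damaged.age"
  if age -d -i "$work/key.txt" "$work/damaged.age" >/dev/null 2>&1; then
    rm -rf "$work"
    echo "damaged ciphertext was accepted"
    return 1
  fi

  rm -rf "$work"
  [ "$a" = "top secret" ] && [ "$b" = "top secret" ] && echo "ok"
}

age_roundtrip
```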
Neither age's design nor current security guidance favors PGP-encrypted email: email metadata leaks, long-lived keys are awkward, and the failure modes are bad. For sending a secret to someone, encrypting a file with age and sending that file over any channel is usually the cleaner approach.
age isn't trying to be a smaller PGP — it's trying to be the right tool for the single most common PGP use case, file encryption, and to be boring and safe at it. If that's what you're doing, age (and AgePony on mobile) is the easier, harder-to-misuse choice. If you need signatures or you're bound to an existing PGP world, keep PGP for those parts.
AgePony is a faithful age client for mobile, bit-perfect with the CLI. On the App Store now — Android coming soon.