AgePony PGPony ↗ download
// guide / encrypt-file-to-ssh-key

How to encrypt a file to an SSH key.

age can encrypt directly to an existing SSH public key. If someone has published an ssh-ed25519 key, that key is all you need to send them an encrypted file — no separate age key required.

~2 minutes iOS / Android Recipient's SSH public key
// at a glance
  1. Get the recipient's SSH public key
  2. Open AgePony, choose Encrypt
  3. Add the SSH key as a recipient
  4. Pick the file
  5. Encrypt and share the .age
Prerequisites
  • AgePony installed
  • The file you want to encrypt
  • The recipient's ssh-ed25519 or ssh-rsa public key
// step 01

Get the recipient's SSH public key.

An SSH public key is a single line beginning with ssh-ed25519 or ssh-rsa. Ask the recipient for it, or if they publish on GitHub, grab it from github.com/their-username.keys.

// step 02

Open AgePony and choose Encrypt.

Launch AgePony and select the Encrypt action. You will be prompted to add recipients and pick a file.

// step 03

Add the SSH key as a recipient.

Paste the SSH public key, or import it from a file. AgePony recognizes the SSH key format and treats it as an age recipient. You can add more than one recipient if several people need to open the file.

// step 04

Pick the file and encrypt.

Choose the file to protect. Optionally select armored output if you plan to paste the result into chat or email. Tap Encrypt.

// step 05

Share the encrypted file.

AgePony produces an .age file. Share it through any channel — the contents are already encrypted, so the channel does not need to be secure. Only the holder of the matching SSH private key can open it.

Verify it worked.

  • AgePony shows the recipient SSH key fingerprint before encrypting.
  • The output file ends in .age.
  • The recipient can decrypt with age -d -i their_ssh_key, confirming interop.

Common questions.

Does the recipient need AgePony?

No. The output is a standard age file. They can decrypt with the age command line, a Go library, or AgePony on their own phone.

ssh-ed25519 or ssh-rsa?

Both work. ssh-ed25519 is smaller and recommended; ssh-rsa is supported for older keys.

Can I encrypt to several people?

Yes. Add each person's public key as a recipient and any one of them can decrypt independently.

Is the channel I send it over important?

No — the file is encrypted end to end. You can send it over email, chat, or a shared drive safely.

Next steps.

Core

Encrypt to a GitHub username
Glossary

SSH-key encryption
Core

Decrypt an age file on mobile
Glossary

Recipient

Get AgePony

Free file encryption for iOS and Android. No accounts, no tracking, no servers.

Download on the App Store
Get it on Google Play