Age: Modern file encryption format with multiple pluggable recipients

Version line

The version line always starts with “age-encryption.org/”, is followed by an
arbitrary version string, and ends with a line feed (0x0A).

version-line = %s"age-encryption.org/" version LF

version = 1*VCHAR

This document only specifies the v1 format. Anything after the end of the
version line may change in future versions.

Recipient stanza

A recipient stanza starts with ->, followed after a space by one or more space-separated
arguments, and a base64-encoded body wrapped at 64 columns. The body MUST end
with a line shorter than 64 characters, which MAY be empty.

Each recipient stanza wraps the same file key independently. Identity
implementations are provided the full set of stanzas and recognize those
addressed to them from their arguments. Identity implementations MUST ignore
unrecognized stanzas, unless they wish to require that the recipient type they
implement is not mixed with other types.

It is RECOMMENDED that non-native recipient implementations use fully-qualified
names as the first stanza argument, such as example.com/enigma, to avoid
ambiguity and conflicts.

Recipient implementations MAY choose to include an identifier of the specific
recipient (for example, a short hash of the public key) as an argument. Note
that this sacrifices any chance of ciphertext anonymity and unlinkability.

Header MAC

The final header line starts with --- and is followed after a space by the
base64-encoded MAC of the header. The MAC is computed with HMAC-SHA-256 (see
RFC 2104) over the whole header up to and including the --- mark
(excluding the space following it).

The HMAC key is computed as follows:

HMAC key = HKDF-SHA-256(ikm = file key, salt = empty, info = "header")

ABNF definition of file header

The following is the ABNF definition of the v1 file header.

Payload

The binary payload encrypts the file body and starts immediately after the
header. It begins with a 16-byte nonce generated by the sender from a CSPRNG.
A new nonce MUST be generated for each file.

The payload key is computed as follows:

payload key = HKDF-SHA-256(ikm = file key, salt = nonce, info = "payload")

The payload is split in chunks of 64 KiB, and each of them is encrypted with
ChaCha20-Poly1305, using the payload key and a 12-byte nonce composed as
follows: the first 11 bytes are a big endian chunk counter starting at zero and
incrementing by one for each subsequent chunk; the last byte is 0x01 for the
final chunk and 0x00 for all preceding ones. The final chunk MAY be shorter than
64 KiB but MUST NOT be empty unless the whole payload is empty.

This is a STREAM variant from Online Authenticated-Encryption and its
Nonce-Reuse Misuse-Resistance. It is similar to those used by Tink
and Miscreant, but it doesn’t prefix the AEAD nonce with key material as the
payload key is 256 bits (enough even to provide a security margin in the
multi-target setting) and derived from both file key and nonce.

The payload can be streamed by decrypting or encrypting one chunk at a time.
Streaming decryption MUST signal an error if the end of file is reached without
successfully decrypting a final chunk.

The payload can be seeked by jumping ahead in chunk increments, and decrypting
the whole chunk that contains the seeked position. Seeking relatively to the end
of file MUST first decrypt and verify that the last chunk is a valid final
chunk.

The payload MUST NOT be modified without re-encrypting it as a new file with a
fresh nonce.

Native recipient types

This document specifies two core age recipient types: an asymmetric encryption
type based on X25519, and a passphrase encryption type based on scrypt.

The X25519 recipient type

An X25519 identity is generated as

identity = read(CSPRNG, 32)

and encoded as Bech32 with HRP AGE-SECRET-KEY-.

AGE-SECRET-KEY-1GFPYYSJZGFPYYSJZGFPYYSJZGFPYYSJZGFPYYSJZGFPYYSJZGFPQ4EGAEX

The corresponding recipient is computed as

recipient = X25519(identity, basepoint)

where X25519 is from RFC 7748, Section 5, and basepoint is the
Curve25519 base point from RFC 7748, Section 4.1.

The recipient is encoded as Bech32 with HRP age.

age1zvkyg2lqzraa2lnjvqej32nkuu0ues2s82hzrye869xeexvn73equnujwj

Note that Bech32 strings can only be all uppercase or all lowercase, but the
checksum is always computed over the lowercase string.

X25519 recipient stanza

An X25519 recipient stanza has two arguments.

ephemeral secret = read(CSPRNG, 32)
ephemeral share = X25519(ephemeral secret, basepoint)

salt = ephemeral share || recipient
info = "age-encryption.org/v1/X25519"
shared secret = X25519(ephemeral secret, recipient)
wrap key = HKDF-SHA-256(ikm = shared secret, salt, info)
body = ChaCha20-Poly1305(key = wrap key, plaintext = file key)

shared secret = X25519(identity, ephemeral share)

wrap key = scrypt(N = work factor, r = 8, p = 1, dkLen = 32,
    S = "age-encryption.org/v1/scrypt" || salt, P = passphrase)
body = ChaCha20-Poly1305(key = wrap key, plaintext = file key)