AGE-PLUGIN-BATCHPASS(1) User Commands AGE-PLUGIN-BATCHPASS(1)
age-plugin-batchpass - non-interactive passphrase encryption plugin
for age(1)
age -e -j batchpass
age -d -j batchpass
age-plugin-batchpass is an age(1) plugin that enables non-interactive
passphrase-based encryption and decryption using environment
variables.
This functionality is not built into the age CLI because most
applications should use native keys instead of scripting
passphrase-based encryption.
Humans are notoriously bad at remembering and generating strong
passphrases. age uses scrypt to partially mitigate this, which is
necessarily very slow.
If a computer will be doing the remembering anyway, you can and
should use native keys instead. There is no need to manage separate
public and private keys, you encrypt directly to the private key:
$ age-keygen -o key.txt
$ age -e -i key.txt file.txt > file.txt.age
$ age -d -i key.txt file.txt.age > file.txt
Likewise, you can store a native identity string in an environment
variable or through your CI secrets manager and use it to encrypt and
decrypt files non-interactively:
$ export AGE_SECRET=$(age-keygen)
$ age -e -i <(echo "$AGE_SECRET") file.txt > file.txt.age
$ age -d -i <(echo "$AGE_SECRET") file.txt.age > file.txt
The age CLI also natively supports passphrase-encrypted identity
files, so you can use that functionality to non-interactively encrypt
multiple files such that you will be able to decrypt them later by
entering the same passphrase:
$ age-keygen -pq | age -p -o encrypted-identity.txt
Public key: age1pq1cd[... 1950 more characters ...]
Enter passphrase (leave empty to autogenerate a secure one):
age: using autogenerated passphrase "eternal-erase-keen-suffer-fog-exclude-huge-scorpion-escape-scrub"
$ age -r age1pq1cd[... 1950 more characters ...] file.txt > file.txt.age
$ age -d -i encrypted-identity.txt file.txt.age > file.txt
Enter passphrase for identity file "encrypted-identity.txt":
Finally, when using this plugin care should be taken not to let the
password be persisted in the shell history or leaked to other users
on multi-user systems.
AGE_PASSPHRASE
The passphrase to use for encryption or decryption. Mutually
exclusive with AGE_PASSPHRASE_FD.
AGE_PASSPHRASE_FD
A file descriptor number to read the passphrase from. Trailing
newlines are stripped from the file contents. Mutually
exclusive with AGE_PASSPHRASE.
AGE_PASSPHRASE_WORK_FACTOR
The scrypt work factor to use when encrypting. Must be between
1 and 30. Default is 18. Higher values are more secure but
slower.
AGE_PASSPHRASE_MAX_WORK_FACTOR
The maximum scrypt work factor to accept when decrypting. Must
be between 1 and 30. Default is 30. Can be used to avoid very
slow decryptions.
Encrypt a file with a passphrase:
$ AGE_PASSPHRASE=secret age -e -j batchpass file.txt > file.txt.age
Decrypt a file with a passphrase:
$ AGE_PASSPHRASE=secret age -d -j batchpass file.txt.age > file.txt
Read the passphrase from a file descriptor:
$ AGE_PASSPHRASE_FD=3 age -e -j batchpass file.txt 3< passphrase.txt > file.txt.age
age(1)
Filippo Valsorda age@filippo.io
December 2025 AGE-PLUGIN-BATCHPASS(1)
NAME
age-plugin-batchpass - non-interactive passphrase encryption plugin
for age(1)
SYNOPSIS
age -e -j batchpass
age -d -j batchpass
DESCRIPTION
age-plugin-batchpass is an age(1) plugin that enables non-interactive
passphrase-based encryption and decryption using environment
variables.
WARNING
This functionality is not built into the age CLI because most
applications should use native keys instead of scripting
passphrase-based encryption.
Humans are notoriously bad at remembering and generating strong
passphrases. age uses scrypt to partially mitigate this, which is
necessarily very slow.
If a computer will be doing the remembering anyway, you can and
should use native keys instead. There is no need to manage separate
public and private keys, you encrypt directly to the private key:
$ age-keygen -o key.txt
$ age -e -i key.txt file.txt > file.txt.age
$ age -d -i key.txt file.txt.age > file.txt
Likewise, you can store a native identity string in an environment
variable or through your CI secrets manager and use it to encrypt and
decrypt files non-interactively:
$ export AGE_SECRET=$(age-keygen)
$ age -e -i <(echo "$AGE_SECRET") file.txt > file.txt.age
$ age -d -i <(echo "$AGE_SECRET") file.txt.age > file.txt
The age CLI also natively supports passphrase-encrypted identity
files, so you can use that functionality to non-interactively encrypt
multiple files such that you will be able to decrypt them later by
entering the same passphrase:
$ age-keygen -pq | age -p -o encrypted-identity.txt
Public key: age1pq1cd[... 1950 more characters ...]
Enter passphrase (leave empty to autogenerate a secure one):
age: using autogenerated passphrase "eternal-erase-keen-suffer-fog-exclude-huge-scorpion-escape-scrub"
$ age -r age1pq1cd[... 1950 more characters ...] file.txt > file.txt.age
$ age -d -i encrypted-identity.txt file.txt.age > file.txt
Enter passphrase for identity file "encrypted-identity.txt":
Finally, when using this plugin care should be taken not to let the
password be persisted in the shell history or leaked to other users
on multi-user systems.
ENVIRONMENT
AGE_PASSPHRASE
The passphrase to use for encryption or decryption. Mutually
exclusive with AGE_PASSPHRASE_FD.
AGE_PASSPHRASE_FD
A file descriptor number to read the passphrase from. Trailing
newlines are stripped from the file contents. Mutually
exclusive with AGE_PASSPHRASE.
AGE_PASSPHRASE_WORK_FACTOR
The scrypt work factor to use when encrypting. Must be between
1 and 30. Default is 18. Higher values are more secure but
slower.
AGE_PASSPHRASE_MAX_WORK_FACTOR
The maximum scrypt work factor to accept when decrypting. Must
be between 1 and 30. Default is 30. Can be used to avoid very
slow decryptions.
EXAMPLES
Encrypt a file with a passphrase:
$ AGE_PASSPHRASE=secret age -e -j batchpass file.txt > file.txt.age
Decrypt a file with a passphrase:
$ AGE_PASSPHRASE=secret age -d -j batchpass file.txt.age > file.txt
Read the passphrase from a file descriptor:
$ AGE_PASSPHRASE_FD=3 age -e -j batchpass file.txt 3< passphrase.txt > file.txt.age
SEE ALSO
age(1)
AUTHORS
Filippo Valsorda age@filippo.io
December 2025 AGE-PLUGIN-BATCHPASS(1)