PGP Tool

PGP vs Age — when to pick the modern file encryption tool

Age is a younger, smaller, opinionated file encryption tool. PGP has the bigger ecosystem and signing built in. Here is how the choice actually plays out.

Age (pronounced "ah-gay", from the Italian for "I am") was released in 2019 by Filippo Valsorda. It tackles a small, specific problem: encrypt this file so only the recipients can read it. PGP can do that too, alongside two dozen other things. The interesting question is whether the extra surface area is helping you or hurting you.

What each one does

Age does file encryption. That is it. No signatures, no web of trust, no key servers, no expiry dates, no subkeys, no MIME, no email integration. The format is one envelope type and one cipher: X25519 + ChaCha20-Poly1305.

PGP/OpenPGP does file encryption, message encryption, signatures, key certification, key revocation, multiple algorithms, multiple key types, key expiry, subkeys, smart card support, email integration, and a federated key discovery protocol. It is a kit. Age is a tool.

Cryptography

  • Age — X25519 ECDH + ChaCha20-Poly1305 + HKDF. One algorithm choice, modern, no legacy modes.
  • PGP — RSA / ElGamal / ECDH (multiple curves) + AES-128/192/256 / IDEA / 3DES / Camellia. Decades of legacy options that recipients' implementations may or may not support.
  • Both are cryptographically sound at their default settings. Age has a smaller attack surface because it has fewer knobs.

Identity and discovery

Age identities are short ASCII strings: a public key looks like age1ql3z7hjy54... and the matching private key like AGE-SECRET-KEY-1.... There is no user ID, no email address, no expiry, no signature chain. Recipients exchange identities directly.

PGP keys carry user IDs (name + email), creation dates, expiry, signatures from other keys, and can be looked up by email on key servers (keys.openpgp.org, WKD). That metadata is what enables "encrypt to Alice's email address without first asking Alice for her key"; it is also what makes PGP key files large and the format complicated.

Signing

PGP signs. Age does not. Filippo's explicit position is that signing should be a separate tool (signify, minisign, ssh-keygen -Y sign). The argument is that mixing encryption and signing in one envelope is what made PGP's spec so big, and most users only need one of the two.

If you need to verify "this file came from Alice and was not modified," PGP gives you that in one operation. With Age you encrypt with Age and sign with something else. Two tools, one job each, no overlap.

Ecosystem

  • PGP — every Linux distro, every mail client that supports E2E, GitHub commit signing, package signing (apt, dnf), Keybase, decades of recipients who already have a key.
  • Age — a single Go binary, a Rust port (rage), good Homebrew/apt packaging in modern distros, integration with sops for secrets management, growing but small. Recipients without Age installed cannot decrypt.

Recommendation

  • Encrypting a file for a known technical recipient who has Age installed — Age. The format is small, the command is one line, the output is unambiguous.
  • Encrypting a file for someone you have not corresponded with before — PGP. Age requires an out-of-band identity exchange; PGP can use a published email-bound public key.
  • Email — PGP. Age has no email format and is not trying to.
  • Encrypting secrets in a Git-managed config repo — Age via sops. PGP is overkill and the metadata footprint is annoying.
  • Signing — neither tool covers both encryption and signing well. Use PGP if you want one tool for both, or pair Age with a dedicated signer (minisign, ssh-keygen -Y sign).
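The "Age for encryption, a separate signer for provenance" workflow from the Signing section and the last recommendation above, as an added example that is not code from the article or from the age project. It assumes age, age-keygen and OpenSSH 8.0 or newer (ssh-keygen -Y) are on PATH; "alice", "bob" and alice@example.com are constructed names.

```sh
#!/bin/sh
# Added example: encrypt a file with age for one recipient, attach a detached
# ssh-keygen signature for provenance, and verify both on the receiving side.
# Assumes age, age-keygen and OpenSSH 8.0+ are installed; names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# setup_keys: bob gets an age identity, alice an SSH ed25519 signing key, and the
# verifier side gets an allowed_signers file binding alice's principal to her key.
setup_keys() {
  age-keygen -o "$WORK/bob.key" 2>/dev/null
  BOB_PUB=$(age-keygen -y "$WORK/bob.key")          # the age1... recipient string
  ssh-keygen -q -t ed25519 -N '' -C alice -f "$WORK/alice_ed25519"
  printf 'alice@example.com %s\n' "$(cut -d' ' -f1,2 "$WORK/alice_ed25519.pub")" \
    > "$WORK/allowed_signers"
}

# encrypt_and_sign <plaintext> <ciphertext>: age gives confidentiality; the detached
# ssh signature covers the ciphertext, so receivers can verify before decrypting.
encrypt_and_sign() {
  age -r "$BOB_PUB" -o "$2" "$1"
  ssh-keygen -Y sign -f "$WORK/alice_ed25519" -n file "$2" 2>/dev/null   # writes "$2.sig"
}

# verify_and_decrypt <ciphertext> <plaintext-out>: returns non-zero if either step
# fails, so a tampered or unsigned ciphertext is rejected before age ever sees it.
verify_and_decrypt() {
  ssh-keygen -Y verify -q -f "$WORK/allowed_signers" -I alice@example.com \
    -n file -s "$1.sig" < "$1" || return 1
  age -d -i "$WORK/bob.key" -o "$2" "$1" || return 1
}

# Demo: run as `sh age_sign.sh demo`.
if [ "${1:-}" = demo ]; then
  setup_keys
  printf 'quarterly numbers\n' > "$WORK/report.txt"
  encrypt_and_sign "$WORK/report.txt" "$WORK/report.age"
  verify_and_decrypt "$WORK/report.age" "$WORK/report.out" && cat "$WORK/report.out"
fi
```

The signature is made over the ciphertext rather than the plaintext so the recipient never decrypts data that failed verification; signing the plaintext instead would let a verifier learn nothing until after decryption.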

Age is the right answer if your problem is "encrypt this for a person I already have an identity for." PGP is the right answer if your problem is "encrypt this for a person I only have an email address for, or sign this so future readers can verify provenance." The two are not in competition; they are answers to different sentences.