What does age do, and why so small?
age encrypts a file to a recipient. You hold a key pair: a public recipient string you can share, and a private key you keep. Anything encrypted to the public recipient can only be opened with the matching private key. That is the whole model. There is no certificate authority, no web of trust, no keyring daemon to fight. The deliberate smallness is the feature: a tool you can reason about in a sentence is a tool you can wire into a script and trust to behave the same way every night.
The typical use in a self-hosted stack is the last step before data leaves the machine. A backup job tars up the directories that matter, pipes the result through age to a single recipient key, and writes an encrypted file you can store on a USB stick or a rented disk without trusting that disk at all.
Where does age stop?
age encrypts files at rest. It is not full-disk encryption, so it does not protect a whole running system the way LUKS (Linux Unified Key Setup) does, and it is not a transport layer, so it does not secure a live connection the way TLS (Transport Layer Security) does. It also does not sign anything: encrypting a file proves nobody else can read it, not who wrote it.
One operational caveat worth the scar tissue: if the age binary is not installed, a poorly written script can skip the encrypt step and carry on as if it worked. The data goes off-site unencrypted and nothing complains. Check that the tool is actually present before you trust the pipeline that depends on it.
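One way to make that backup step fail closed, as an added example that is not code from the original page: the function refuses to run when age is missing and only moves the encrypted file into place after both the tar and age steps succeed. The function name `encrypted_backup`, the `AGE_BIN` override and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Fail-closed backup step (illustrative; encrypted_backup and AGE_BIN are
# hypothetical names, not part of age itself).
# Usage: encrypted_backup /srv/data "$RECIPIENT" /mnt/offsite/data.tar.age

encrypted_backup() {
    src=$1 recipient=$2 out=$3
    age_bin=${AGE_BIN:-age}

    # Refuse to run at all if the encryption tool is missing, instead of
    # silently skipping the step and shipping plaintext off-site.
    if ! command -v "$age_bin" >/dev/null 2>&1; then
        echo "backup aborted: '$age_bin' not found, nothing written" >&2
        return 1
    fi
    [ -d "$src" ] || { echo "backup aborted: $src is not a directory" >&2; return 1; }

    tmp="$out.partial.$$"
    tar_failed="$tmp.tarfail"
    rm -f "$tmp" "$tar_failed"

    # Plain POSIX sh reports only the last command's status in a pipeline,
    # so a tar failure is recorded in a marker file and checked afterwards.
    age_status=0
    { tar -C "$src" -cf - . || : > "$tar_failed"; } \
        | "$age_bin" -r "$recipient" -o "$tmp" || age_status=$?

    # Any failure, or an empty result, discards the partial output.
    if [ "$age_status" -ne 0 ] || [ -e "$tar_failed" ] || [ ! -s "$tmp" ]; then
        rm -f "$tmp" "$tar_failed"
        echo "backup aborted: archive or encrypt step failed" >&2
        return 1
    fi

    # Only a complete encrypted archive ever appears under the final name.
    mv "$tmp" "$out"
}
```

Call it from the nightly job and treat a non-zero return as a failed backup, so a missing binary shows up as an alert rather than as an unencrypted file on the remote disk.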