Coldkey: Post-Quantum Age Key Backup Tool with QR Codes

Hacker News

A new open-source tool called coldkey solves a critical problem for users of age encryption: key loss equals permanent data loss. The tool generates post-quantum ML-KEM-768 and X25519 cryptographic keys with printable HTML backups featuring QR codes. Users can print and physically store their encryption keys, ensuring access survives even if all digital copies are destroyed.

Installation supports multiple platforms via Homebrew, Docker, or Go install. The tool emphasizes security with container hardening flags including network isolation, read-only filesystem, and dropped Linux capabilities. Files are written with restrictive permissions (0600) and synced to disk, and temporary data is securely shredded using 3-pass overwrites.

Docker deployments automatically apply --network none, --read-only, --cap-drop ALL, and optional IPC_LOCK for swap protection. The generated HTML includes raw key text and SHA-256 checksums for manual recovery. While Go's garbage collector limits perfect memory clearing, the tool uses best-effort secure zeroing. Available under MIT license on GitHub.
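
The file handling and checksum check described above (0600 permissions, sync to disk, SHA-256 for manual recovery), as an added Go example that is not coldkey's own code. The function names, the file name and the sample key text are hypothetical, and it assumes the checksum covers the key text with surrounding whitespace trimmed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// writeSecret (hypothetical) creates path with mode 0600 and never overwrites an existing key.
func writeSecret(path string, data []byte) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err = f.Write(data); err != nil {
		return err
	}
	if err = f.Sync(); err != nil { // flush file contents to stable storage
		return err
	}
	dir, err := os.Open(filepath.Dir(path))
	if err != nil {
		return err
	}
	defer dir.Close()
	return dir.Sync() // flush the directory entry too, so the new file survives a crash
}

// checksum returns the hex SHA-256 of the key text (assumption: whitespace trimmed first).
func checksum(key string) string {
	sum := sha256.Sum256([]byte(strings.TrimSpace(key)))
	return hex.EncodeToString(sum[:])
}

// verifyTyped reports whether a key re-typed from paper matches the printed checksum.
func verifyTyped(typed, printed string) bool {
	return checksum(typed) == strings.ToLower(strings.TrimSpace(printed))
}

func main() {
	key := "CONSTRUCTED-SAMPLE-KEY-NOT-REAL" // constructed sample, not a real age key
	dir, _ := os.MkdirTemp("", "coldkey-example")
	defer os.RemoveAll(dir)
	fmt.Println(writeSecret(filepath.Join(dir, "key.txt"), []byte(key+"\n")), verifyTyped(" "+key+"\n", checksum(key)))
}
```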