diff --git a/.github/workflows/baseline-profile.yml b/.github/workflows/baseline-profile.yml
index 00876618..90c906d0 100644
--- a/.github/workflows/baseline-profile.yml
+++ b/.github/workflows/baseline-profile.yml
@@ -38,7 +38,9 @@ jobs:
 gradle-home-cache-cleanup: true
 - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env:
 ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cf7cd757..84914a31 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -62,7 +62,9 @@ jobs:
 java-version: 18
 - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env:
 ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 74699b66..966582f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,9 @@ jobs:
 cache-read-only: true
 - name: Decrypt secrets
- run: scripts/signing-setup.sh "$ENCRYPT_KEY"
+ run: |
+ ./scripts/setup-age.sh
+ ./scripts/signing-setup.sh "$ENCRYPT_KEY"
 env:
 ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
diff --git a/scripts/setup-age.sh b/scripts/setup-age.sh
new file mode 100755
index 00000000..e48fb2d8
--- /dev/null
+++ b/scripts/setup-age.sh
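Review bot: The step-level `env:` now hands `ENCRYPT_KEY` to both commands of the `run: |` block, although `./scripts/setup-age.sh` only downloads and installs a binary and never reads the key; the ci.yml and release.yml hunks repeat the same pattern. Keeping the secret scoped to the command that needs it is cheap here: give the install its own step, `- name: Install age` / `run: ./scripts/setup-age.sh`, with no `env:` block, and leave `ENCRYPT_KEY` on the decrypt step alone. Whether the binary installed under `$HOME/.local/bin` (or `$HOME/bin`) is on `PATH` for the next command depends on the runner image, which this diff does not show; if it is not, signing-setup.sh will stop with `age not installed`, so a separate install step could also append the directory to `$GITHUB_PATH` for the steps that follow it.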
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+TEMP_DIR="$(mktemp -d)"
+BIN_DIR=""
+AGE_VERSION="v1.0.0"
+AGE_FILE=""
+
+case "$(uname)" in
+ Linux)
+ AGE_FILE="age-${AGE_VERSION}-linux-amd64.tar.gz"
+ BIN_DIR="${HOME}/.local/bin"
+ ;;
+ Darwin)
+ AGE_FILE="age-${AGE_VERSION}-darwin-amd64.tar.gz"
+ BIN_DIR="${HOME}/bin"
+ ;;
+ *) echo "Unsupported system: $(uname)"; exit 1 ;;
+esac
+
+pushd "${TEMP_DIR}"
+
+curl -L --silent --show-error --retry 3 --fail -o age.tar.gz "https://github.com/FiloSottile/age/releases/download/v1.0.0/${AGE_FILE:?}"
+tar xvf age.tar.gz
+rm age/LICENSE
+mkdir -p "${BIN_DIR}"
+mv -v age/age "${BIN_DIR}" && chmod +x "${BIN_DIR}/age"
+mv -v age/age-keygen "${BIN_DIR}" && chmod +x "${BIN_DIR}/age-keygen"
+
+popd
diff --git a/scripts/signing-setup.sh b/scripts/signing-setup.sh
index 64de677f..12500b0e 100755
--- a/scripts/signing-setup.sh
+++ b/scripts/signing-setup.sh
@@ -2,16 +2,20 @@
 set -euo pipefail
-ENCRYPT_KEY="${1:-}"
+ENCRYPT_KEY="${1}"
+TEMP_KEY="$(mktemp)"
-declare -A SECRETS
-SECRETS[secrets/keystore.cipher]=keystore.jks
-SECRETS[secrets/props.cipher]=keystore.properties
+echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
-if [[ -n "$ENCRYPT_KEY" ]]; then
- for src in "${!SECRETS[@]}"; do
- openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
- done
-else
- echo "Usage: ./signing-setup.sh "
-fi
+function decrypt() {
+ if ! command -v age 1>/dev/null; then
+ echo "age not installed"
+ exit 1
+ fi
+ SRC="${1}"
+ DST="${2}"
+ age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
+}
+
+decrypt secrets/keystore.cipher keystore.jks
+decrypt secrets/props.cipher keystore.properties
diff --git a/secrets/keystore.cipher b/secrets/keystore.cipher
index 25249feb..4cc091cc 100644
Binary files a/secrets/keystore.cipher and b/secrets/keystore.cipher differ
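Review bot: The age identity written to `TEMP_KEY` is never removed — there is no `trap` and no `rm` after the two `decrypt` calls — so the private key outlives the script in the runner's temp directory; add `trap 'rm -f "${TEMP_KEY}"' EXIT` directly after `TEMP_KEY="$(mktemp)"`, and prefer `printf '%s\n' "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"` over `echo` so the key can never be read as echo options. The removed script skipped decryption with a usage message when no key was passed; the new `"${1}"` plus `:?` aborts under `set -u` instead, which changes the outcome for any run where `secrets.ENCRYPT_KEY` is empty — presumably pull requests from forks, though the workflow triggers are outside this diff. If that graceful path was intended it needs restoring; if failing fast is intended, a clear message such as `echo "ENCRYPT_KEY (age identity) is required" >&2` is friendlier than the bare `:?` expansion error. The `command -v age` check inside `decrypt` runs once per call and could sit once at the top of the script.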
diff --git a/secrets/props.cipher b/secrets/props.cipher
index ecabf815..a76abef6 100644
Binary files a/secrets/props.cipher and b/secrets/props.cipher differ