sq-encrypt - Man Page
Encrypt a message
Synopsis
sq encrypt [Options] FILE
Description
Encrypt a message.
Encrypt a message for any number of recipients and with any number of passwords, optionally signing the message in the process.
The converse operation is `sq decrypt`.
`sq encrypt` respects the reference time set by the top-level `--time` argument. It uses the reference time when selecting encryption keys, and it sets the signature's creation time to the reference time.
Options
Subcommand options
- --binary
Emit binary data
- --compression=KIND
Select compression scheme to use
[default: none]
[possible values: none, zip, zlib, bzip2]
- --encrypt-for=PURPOSE
Select what kind of keys are considered for encryption. 'transport' selects subkeys marked as suitable for transport encryption, 'storage' selects those for encrypting data at rest, and 'universal' selects all encryption-capable subkeys.
[default: universal]
[possible values: transport, storage, universal]
- --for=FINGERPRINT|KEYID
Use certificates with the specified fingerprint or key ID
- --for-email=EMAIL
Use certificates where a user ID includes the specified email address
- --for-file=PATH
Read certificates from PATH
- --for-userid=USERID
Use certificates with the specified user ID
- --output=FILE
Write to FILE or stdout if omitted
[default: -]
- --set-metadata-filename
Set the filename of the encrypted file as metadata. Do note, that this metadata is not signed and as such relying on it - on sender or receiver side - is generally considered dangerous.
- --set-metadata-time=TIME
Set time for encrypted file as metadata. Allows setting TIME either as ISO 8601 formatted string or by providing custom keywords. With `none`, the metadata is not set. With `file-creation`, the metadata is set to the file's creation timestamp. With `file-modification`, the metadata is set to the file's last modification timestamp. With `message-creation`, the metadata is set to the creation timestamp of the message for which the metadata is added. Do note, that this metadata is not signed and as such relying on it - on sender or receiver side - is generally considered dangerous.
[default: none]
- --signer=KEYID|FINGERPRINT
Sign the message using the specified key on the key store
- --signer-file=KEY_FILE
Sign the message using the key in KEY_FILE
- --use-expired-subkey
If a certificate has only expired encryption-capable subkeys, fall back to using the one that expired last
- --with-password
Prompt to add a password to encrypt with. When using this option, the user is asked to provide a password, which is used to encrypt the message. This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.
- --with-password-file=PATH
File containing password to encrypt the message.
Note that the entire key file will be used as the password including any surrounding whitespace like a trailing newline.
This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.
- FILE
Read from FILE or stdin if FILE is '-'
[default: -]
Global options
See sq(1) for a description of the global options.
Examples
Encrypt a file for a recipient given by fingerprint.
sq encrypt --for EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
document.txtEncrypt a file for a recipient given by email.
sq encrypt --for-email alice@example.org document.txt
See Also
For the full documentation see <https://book.sequoia-pgp.org>.
Version
0.39.0 (sequoia-openpgp 1.21.2)