Sequoia PGP Manual Pages

1.3.1

NAME

sq-encrypt - Encrypt a message

SYNOPSIS


sq encrypt [OPTIONS] FILE

DESCRIPTION

Encrypt a message.

Encrypt a message for any number of recipients and with any number of passwords, optionally signing the message in the process.

The converse operation is sq decrypt.

sq encrypt respects the reference time set by the top-level --time argument. It uses the reference time when selecting encryption keys, and it sets the signature's creation time to the reference time.

OPTIONS

Subcommand options

--binary

Emit binary data

--compression=KIND

Select compression scheme to use

[default: pad]

[possible values: none, pad, zip, zlib, bzip2]

--encrypt-for=PURPOSE

Select what kind of keys are considered for encryption

[default: universal]

[possible values: transport, storage, universal]

--for=FINGERPRINT|KEYID

Use certificates with the specified fingerprint or key ID

--for-email=EMAIL

Use certificates where a user ID includes the specified email address

--for-file=PATH

Read certificates from PATH

--for-self

Encrypt the message for yourself

This adds the certificates listed in the configuration file under encrypt.for-self to the list of recipients. This can be used to make sure that you yourself can decrypt the message.

Currently, the list of certificates to be added is empty.

--for-userid=USERID

Use certificates with the specified user ID

--output=FILE

Write to FILE or stdout if omitted

[default: -]

--profile=PROFILE

Select the default OpenPGP standard for the encryption container

When encrypting for certificates, the encryption container is selected based on the stated preferences of the recipients. However, if there is no guidance, for example because the message is encrypted only with passwords, sq falls back to this profile.

As OpenPGP evolves, new versions will become available. This option selects the version of OpenPGP to use for encrypting messages if the version can not be inferred otherwise.

Currently, sq supports two profiles: RFC9580 and RFC4880. Currently, the default is RFC4880. However, once support for RFC9580 is rolled out further, the default will change in a future version of sq.

The default can be changed in the configuration file using the setting key.generate.profile.

[default: rfc4880]

[possible values: rfc9580, rfc4880]

--set-metadata-filename=SET_METADATA_FILENAME

Set the filename of the encrypted file as metadata

Do note, that this metadata is not signed and as such relying on it - on sender or receiver side - is generally considered dangerous.

--signature-notation NAME VALUE

Add a notation to the signature

A user-defined notation's name must be of the form name@a.domain.you.control.org. If the notation's name starts with a !, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.

--signer=FINGERPRINT|KEYID

Sign the message using the key with the specified fingerprint or key ID

--signer-email=EMAIL

Sign the message using the key where a user ID includes the specified email address

--signer-file=PATH

Sign the message using the key read from PATH

--signer-self

Sign using your default signer keys

This adds the certificates listed in the configuration file under sign.signer-self to the list of signer keys.

Currently, the list of keys to be added is empty.

--signer-userid=USERID

Sign the message using the key with the specified user ID

--use-expired-subkey

Fall back to expired encryption subkeys

If a certificate has only expired encryption-capable subkeys, fall back to using the one that expired last

--with-password

Prompt to add a password to encrypt with

When using this option, the user is asked to provide a password, which is used to encrypt the message. This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.

--with-password-file=PATH

File containing password to encrypt the message

Note that the entire key file will be used as the password including any surrounding whitespace like a trailing newline.

This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.

--without-signature

Do not sign the message

FILE

Read from FILE or stdin if FILE is '-'

[default: -]

Global options

See sq(1) for a description of the global options.

EXAMPLES

Encrypt a file for a recipient given by fingerprint.

sq encrypt --for=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--signer-email=juliet@example.org document.txt

Encrypt a file for a recipient given by email.

sq encrypt --for-email=alice@example.org \
--signer-email=juliet@example.org document.txt

SEE ALSO

sq(1).

For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION

1.3.1