sq encrypt - Encrypt a message
sq encrypt [OPTIONS] FILE
Encrypt a message.
Encrypt a message for any number of recipients and with any number
of passwords, optionally signing the message in the process.
The converse operation is `sq decrypt`.
`sq encrypt` respects the reference time set by the top-level
`--time` argument. It uses the reference time when selecting encryption
keys, and it sets the signature's creation time to the reference time.
- --binary
- Emit binary data
- --compression=KIND
- Select compression scheme to use
- [default: none]
- [possible values: none, zip, zlib, bzip2]
- --encrypt-for=PURPOSE
- Select what kind of keys are considered for encryption. 'transport'
selects subkeys marked as suitable for transport encryption, 'storage'
selects those for encrypting data at rest, and 'universal' selects all
encryption-capable subkeys.
- [default: universal]
- [possible values: transport, storage, universal]
- --for=FINGERPRINT|KEYID
- Use certificates with the specified fingerprint or key ID
- --for-email=EMAIL
- Use certificates where a user ID includes the specified email address
- --for-file=PATH
- Read certificates from PATH
- --for-userid=USERID
- Use certificates with the specified user ID
- --output=FILE
- Write to FILE or stdout if omitted
- [default: -]
- --set-metadata-filename=SET_METADATA_FILENAME
- Set the filename of the encrypted file as metadata. Do note, that this
metadata is not signed and as such relying on it - on sender or receiver
side - is generally considered dangerous.
- --signature-notation
NAME VALUE
- Add a notation to the signature. A user-defined notation's name must be of
the form `name@a.domain.you.control.org`. If the notation's name starts
with a `!`, then the notation is marked as being critical. If a consumer
of a signature doesn't understand a critical notation, then it will ignore
the signature. The notation is marked as being human readable.
- --signer=FINGERPRINT|KEYID
- Sign the message using the key with the specified fingerprint or key
ID
- --signer-email=EMAIL
- Sign the message using the key where a user ID includes the specified
email address
- --signer-file=PATH
- Sign the message using the key read from PATH
- --signer-userid=USERID
- Sign the message using the key with the specified user ID
- --use-expired-subkey
- If a certificate has only expired encryption-capable subkeys, fall back to
using the one that expired last
- --with-password
- Prompt to add a password to encrypt with. When using this option, the user
is asked to provide a password, which is used to encrypt the message. This
option can be provided more than once to provide more than one password.
The encrypted data can afterwards be decrypted with either one of the
recipient's keys, or one of the provided passwords.
- --with-password-file=PATH
- File containing password to encrypt the message.
- Note that the entire key file will be used as the password including any
surrounding whitespace like a trailing newline.
- This option can be provided more than once to provide more than one
password. The encrypted data can afterwards be decrypted with either one
of the recipient's keys, or one of the provided passwords.
-
FILE
- Read from FILE or stdin if FILE is '-'
- [default: -]
See sq(1) for a description of the global options.
Encrypt a file for a recipient given by fingerprint.
sq encrypt --for EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
Encrypt a file for a recipient given by email.
sq encrypt --for-email alice@example.org document.txt
sq(1).
For the full documentation see
<https://book.sequoia-pgp.org>.
0.40.0 (sequoia-openpgp 1.21.2)