Encrypt and decrypt a file

Encryption

sq encrypt takes data from a file or from STDIN and encrypts it using key material from certificates passed to it.

If you encrypt a file for someone else's User ID and want to be able to read it afterwards, also add your own User ID as a recipient.

Certificates for encryption - the recipients - can be selected by:

  • --for $FINGERPRINT - select the certificate identified by $FINGERPRINT
  • --for-email $EMAIL - select all certificates with User IDs containing $EMAIL
  • --for-userid $USERID - select all certificates with User ID $USERID
  • --for-file $FILE - use the certificates in $FILE

One thing to keep in mind: If you use --for-email or --for-userid, sq only considers certificates which are authenticated. If you want to use an unauthenticated certificate, you can use the fingerprint as selector (as fingerprints are self-authenticating) or --for-file.

$ sq encrypt --for-email alice@example.com message.txt --output message.pgp

This encrypts the file message.txt using any (authenticated) certificate containing the email alice@example.com; the result is written to message.pgp. Without --output the encrypted file is printed to STDOUT.

$ sq encrypt --for $FINGERPRINT message.txt --output message.pgp

Does the same, but selects the certificate used for encryption by its fingerprint.

You can create an encrypted file using just a password by providing --with-password - sq will prompt you for the password.

All this can be combined:

$ sq encrypt --for $FINGERPRINT \
    --for-email alice@example.com \
    --for-userid "Bob Example" \
    --with-password \
    message.txt --output message.pgp

The input - the message to encrypt - does not have to be in a file. If no file is given in the parameter list, the message is taken from STDIN.

$ echo "Hello world" | sq encrypt --for $FINGERPRINT
-----BEGIN PGP MESSAGE-----

wV4D+zMBYd4zQtASAQdAM/WW6LvAEEc7SdDEYgo0s38DtywJEB5A8XIt1JhzbTcw
WMqpUI3xbb4ZBqWK9R8/DyIAOqAO1rH55vkdU63OTkj4WKo6f6c8lfMxD8JvYaGV
0j0BMEm+mp706Kpg2Ac/f3Hdn9IHb+jbeCUH/Rem2y+Wr9PrOPyL6vc1MFhCTrd+
9a2XDB3avQcYruJBSxmL
=IX5I
-----END PGP MESSAGE-----

Encrypt and sign

When encrypting a message, adding a signature works as follows:

$ sq encrypt --signer $FINGERPRINT --for-email alice@example.com

or --signer-file $FILE if the signing key is in a file.

Decryption

Decrypting an encrypted file and writing it to a file works as follows:

$ sq decrypt message.pgp --output message.txt

As the encrypted message (usually) contains the key IDs of the recipient keys used during encryption, decryption needs no further hints to select the right key.
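The following script puts the encryption and decryption steps above together as one round trip. It is an added example, not part of the sq documentation or the sq project: it encrypts a file for another person's certificate while also adding your own certificate as a recipient (so you can read the message back), decrypts the result, and compares it with the original. It only uses sq flags shown on this page and assumes two certificate files exist, alice.pgp (the recipient's certificate) and me.pgp (your own certificate, whose secret key is in your sq key store); both file names are assumptions. The small is_armored_message helper is plain shell and does not need sq.

```shell
#!/bin/sh
# Added example (not from the sq documentation). Round-trips a file through
# sq encrypt / sq decrypt, adding the sender's own certificate as a second
# recipient. Assumed inputs (not from the page):
#   alice.pgp - recipient certificate
#   me.pgp    - your own certificate; its secret key is in the sq key store
set -eu

# Pure-shell check: does a file look like an ASCII-armored PGP message?
# Succeeds only when both the BEGIN and END armor lines are present.
is_armored_message() {
    grep -q '^-----BEGIN PGP MESSAGE-----$' "$1" &&
    grep -q '^-----END PGP MESSAGE-----$' "$1"
}

# Encrypt plaintext $1 for the certificates in files $2 and $3, writing to $4.
# Using --for-file twice is what keeps the message readable for the sender
# as well as the recipient (the caveat in the "Encryption" section).
encrypt_for_both() {
    sq encrypt --for-file "$2" --for-file "$3" "$1" --output "$4"
}

# Decrypt $1 into $2. The message carries the recipient key IDs, so sq
# picks the matching secret key from the key store without extra options.
decrypt_to() {
    sq decrypt "$1" --output "$2"
}

# Full round trip: encrypt $1 for $2 and $3, decrypt, and compare.
# Exits non-zero if the decrypted text differs from the original.
roundtrip() {
    plain=$1; recipient=$2; own=$3
    encrypt_for_both "$plain" "$recipient" "$own" "$plain.pgp"
    decrypt_to "$plain.pgp" "$plain.dec"
    cmp -s "$plain" "$plain.dec" || { echo "round trip FAILED: output differs" >&2; return 1; }
    echo "round trip OK: $plain.pgp decrypts back to the original"
}

# Run the round trip only when invoked as: sh roundtrip.sh run
# (sq and the two certificate files must be available).
if [ "${1:-}" = run ]; then
    printf 'Hello world\n' > message.txt          # constructed sample plaintext
    roundtrip message.txt alice.pgp me.pgp
fi
```

Invoke it as `sh roundtrip.sh run` once alice.pgp and me.pgp are in place; without the `run` argument it only defines the functions. If you want the message signed as well, add `--signer-file` with your key file to the sq encrypt call in encrypt_for_both.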