Provided by: sq_1.2.0-1_amd64 
NAME
sq encrypt - Encrypt a message
SYNOPSIS
sq encrypt [OPTIONS] FILE
DESCRIPTION
Encrypt a message.
Encrypt a message for any number of recipients and with any number of passwords, optionally signing the
message in the process.
The converse operation is `sq decrypt`.
`sq encrypt` respects the reference time set by the top-level `--time` argument. It uses the reference
time when selecting encryption keys, and it sets the signature's creation time to the reference time.
OPTIONS
Subcommand options
--binary
Emit binary data
--compression=KIND
Select compression scheme to use
[default: none]
[possible values: none, zip, zlib, bzip2]
--encrypt-for=PURPOSE
Select what kind of keys are considered for encryption
[default: universal]
[possible values: transport, storage, universal]
--for=FINGERPRINT|KEYID
Use certificates with the specified fingerprint or key ID
--for-email=EMAIL
Use certificates where a user ID includes the specified email address
--for-file=PATH
Read certificates from PATH
--for-self
Encrypt the message for yourself
This adds the certificates listed in the configuration file under `encrypt.for-self` to the list
of recipients. This can be used to make sure that you yourself can decrypt the message.
Currently, the list of certificates to be added is empty.
--for-userid=USERID
Use certificates with the specified user ID
--output=FILE
Write to FILE or stdout if omitted
[default: -]
--profile=PROFILE
Select the default OpenPGP standard for the encryption container
When encrypting for certificates, the encryption container is selected based on the stated
preferences of the recipients. However, if there is no guidance, for example because the message
is encrypted only with passwords, sq falls back to this profile.
As OpenPGP evolves, new versions will become available. This option selects the version of
OpenPGP to use for encrypting messages if the version can not be inferred otherwise.
Currently, sq supports only one version: RFC4880. Consequently, this is the default. However,
there is already a newer version of the standard: RFC9580. And, the default will change in a
future version of sq.
The default can be changed in the configuration file using the setting `key.generate.profile`.
[default: rfc4880]
[possible values: rfc4880]
--set-metadata-filename=SET_METADATA_FILENAME
Set the filename of the encrypted file as metadata
Do note, that this metadata is not signed and as such relying on it - on sender or receiver side -
is generally considered dangerous.
--signature-notation NAME VALUE
Add a notation to the signature
A user-defined notation's name must be of the form `name@a.domain.you.control.org`. If the
notation's name starts with a `!`, then the notation is marked as being critical. If a consumer
of a signature doesn't understand a critical notation, then it will ignore the signature. The
notation is marked as being human readable.
--signer=FINGERPRINT|KEYID
Sign the message using the key with the specified fingerprint or key ID
--signer-email=EMAIL
Sign the message using the key where a user ID includes the specified email address
--signer-file=PATH
Sign the message using the key read from PATH
--signer-self
Sign using your default signer keys
This adds the certificates listed in the configuration file under `sign.signer-self` to the list
of signer keys.
Currently, the list of keys to be added is empty.
--signer-userid=USERID
Sign the message using the key with the specified user ID
--use-expired-subkey
Fall back to expired encryption subkeys
If a certificate has only expired encryption-capable subkeys, fall back to using the one that
expired last
--with-password
Prompt to add a password to encrypt with
When using this option, the user is asked to provide a password, which is used to encrypt the
message. This option can be provided more than once to provide more than one password. The
encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the
provided passwords.
--with-password-file=PATH
File containing password to encrypt the message
Note that the entire key file will be used as the password including any surrounding whitespace
like a trailing newline.
This option can be provided more than once to provide more than one password. The encrypted data
can afterwards be decrypted with either one of the recipient's keys, or one of the provided
passwords.
--without-signature
Do not sign the message
FILE Read from FILE or stdin if FILE is '-'
[default: -]
Global options
See sq(1) for a description of the global options.
EXAMPLES
Encrypt a file for a recipient given by fingerprint.
sq encrypt --for=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
--signer-email=juliet@example.org document.txt
Encrypt a file for a recipient given by email.
sq encrypt --for-email=alice@example.org \
--signer-email=juliet@example.org document.txt
SEE ALSO
sq(1).
For the full documentation see <https://book.sequoia-pgp.org>.
VERSION
1.2.0 (sequoia-openpgp 1.22.0)
Sequoia PGP 1.2.0 SQ(1)