.TH SQ 1 1.3.0 "Sequoia PGP" "User Commands"
.SH NAME
sq\-encrypt \- Encrypt a message
.SH SYNOPSIS
.br
\fBsq encrypt\fR [\fIOPTIONS\fR] \fIFILE\fR
.SH DESCRIPTION
Encrypt a message.
.PP
Encrypt a message for any number of recipients and with any number of passwords, optionally signing the message in the process.
.PP
The converse operation is `sq decrypt`.
.PP
`sq encrypt` respects the reference time set by the top\-level `\-\-time` argument. It uses the reference time when selecting encryption keys, and it sets the signature's creation time to the reference time.
.PP
.SH OPTIONS
.SS "Subcommand options"
.TP
\fB\-\-binary\fR
Emit binary data
.TP
\fB\-\-compression\fR=\fIKIND\fR
Select compression scheme to use
.IP
[default: \fBpad\fR]
.IP
[possible values: \fBnone\fR, \fBpad\fR, \fBzip\fR, \fBzlib\fR, \fBbzip2\fR]
.TP
\fB\-\-encrypt\-for\fR=\fIPURPOSE\fR
Select what kind of keys are considered for encryption
.IP
[default: \fBuniversal\fR]
.IP
[possible values: \fBtransport\fR, \fBstorage\fR, \fBuniversal\fR]
.TP
\fB\-\-for\fR=\fIFINGERPRINT|KEYID\fR
Use certificates with the specified fingerprint or key ID
.TP
\fB\-\-for\-email\fR=\fIEMAIL\fR
Use certificates where a user ID includes the specified email address
.TP
\fB\-\-for\-file\fR=\fIPATH\fR
Read certificates from PATH
.TP
\fB\-\-for\-self\fR
Encrypt the message for yourself
.IP
This adds the certificates listed in the configuration file under `encrypt.for\-self` to the list of recipients. This can be used to make sure that you yourself can decrypt the message.
.IP
Currently, the list of certificates to be added is empty.
.TP
\fB\-\-for\-userid\fR=\fIUSERID\fR
Use certificates with the specified user ID
.TP
\fB\-\-output\fR=\fIFILE\fR
Write to FILE or stdout if omitted
.IP
[default: \fB\-\fR]
.TP
\fB\-\-profile\fR=\fIPROFILE\fR
Select the default OpenPGP standard for the encryption container
.IP
When encrypting for certificates, the encryption container is selected based on the stated preferences of the recipients. However, if there is no guidance, for example because the message is encrypted only with passwords, sq falls back to this profile.
.IP
As OpenPGP evolves, new versions will become available. This option selects the version of OpenPGP to use for encrypting messages if the version cannot be inferred otherwise.
.IP
Currently, sq supports two profiles: RFC9580 and RFC4880. Currently, the default is RFC4880. However, once support for RFC9580 is rolled out further, the default will change in a future version of sq.
.IP
The default can be changed in the configuration file using the setting `key.generate.profile`.
.IP
[default: \fBrfc4880\fR]
.IP
[possible values: \fBrfc9580\fR, \fBrfc4880\fR]
.TP
\fB\-\-set\-metadata\-filename\fR=\fISET_METADATA_FILENAME\fR
Set the filename of the encrypted file as metadata
.IP
Note that this metadata is not signed, so relying on it, on either the sender or the receiver side, is generally considered dangerous.
.TP
\fB\-\-signature\-notation\fR \fINAME\fR \fIVALUE\fR
Add a notation to the signature
.IP
A user\-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable.
.TP
\fB\-\-signer\fR=\fIFINGERPRINT|KEYID\fR
Sign the message using the key with the specified fingerprint or key ID
.TP
\fB\-\-signer\-email\fR=\fIEMAIL\fR
Sign the message using the key where a user ID includes the specified email address
.TP
\fB\-\-signer\-file\fR=\fIPATH\fR
Sign the message using the key read from PATH
.TP
\fB\-\-signer\-self\fR
Sign using your default signer keys
.IP
This adds the certificates listed in the configuration file under `sign.signer\-self` to the list of signer keys.
.IP
Currently, the list of keys to be added is empty.
.TP
\fB\-\-signer\-userid\fR=\fIUSERID\fR
Sign the message using the key with the specified user ID
.TP
\fB\-\-use\-expired\-subkey\fR
Fall back to expired encryption subkeys
.IP
If a certificate has only expired encryption\-capable subkeys, fall back to using the one that expired last
.TP
\fB\-\-with\-password\fR
Prompt to add a password to encrypt with
.IP
When using this option, the user is asked to provide a password, which is used to encrypt the message. This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.
.TP
\fB\-\-with\-password\-file\fR=\fIPATH\fR
File containing password to encrypt the message
.IP
Note that the entire key file will be used as the password including any surrounding whitespace like a trailing newline.
.IP
This option can be provided more than once to provide more than one password. The encrypted data can afterwards be decrypted with either one of the recipient's keys, or one of the provided passwords.
.TP
\fB\-\-without\-signature\fR
Do not sign the message
.TP
\fIFILE\fR
Read from FILE or stdin if FILE is '\-'
.IP
[default: \fB\-\fR]
.SS "Global options"
See \fBsq\fR(1) for a description of the global options.
.SH EXAMPLES
.PP
.PP
Encrypt a file for a recipient given by fingerprint.
.PP
.nf
.RS
sq encrypt \-\-for=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \\
.RE
.RS
.RS
\-\-signer\-email=juliet@example.org document.txt
.RE
.RE
.PP
.fi
.PP
Encrypt a file for a recipient given by email.
.PP
.nf
.RS
sq encrypt \-\-for\-email=alice@example.org \\
.RE
.RS
.RS
\-\-signer\-email=juliet@example.org document.txt
.RE
.RE
.fi
.SH "SEE ALSO"
.nh
\fBsq\fR(1).
.hy
.PP
For the full documentation see .
.SH VERSION
1.3.0
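.PP
An added example, not part of the sq documentation: because \-\-with\-password\-file uses every byte of the file as the password, this sketch checks a password file for surrounding whitespace and writes one without a line ending. The helper names pwfile_check and pwfile_from_stdin and the sample password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not part of sq.

# True if the hex byte is space, tab, LF or CR.
is_ws() { case $1 in 20|09|0a|0d) return 0 ;; *) return 1 ;; esac; }

# pwfile_check FILE: print "empty", "surrounding-whitespace" or "clean".
# Every byte of FILE becomes the password, so only the first and last
# byte need inspecting to catch an accidental newline or padding.
pwfile_check() {
    [ -s "$1" ] || { echo empty; return 1; }
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if is_ws "$first" || is_ws "$last"; then
        echo surrounding-whitespace
        return 1
    fi
    echo clean
}

# pwfile_from_stdin FILE: store one line from stdin without its line
# ending, in a file readable only by the owner.
pwfile_from_stdin() {
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        pw=${pw%"$(printf '\r')"}    # tolerate CRLF input
        printf '%s' "$pw" > "$1"
    )
}

# Constructed sample: the same password written two ways.
tmp=$(mktemp -d)
echo 'correct horse' > "$tmp/with-newline"                 # 14 bytes
printf 'correct horse\n' | pwfile_from_stdin "$tmp/exact"  # 13 bytes
for f in "$tmp/with-newline" "$tmp/exact"; do
    printf '%s: %s bytes, %s\n' "${f##*/}" \
        "$(wc -c < "$f" | tr -d ' ')" "$(pwfile_check "$f" || true)"
done
# The checked file can then be passed to sq, for example:
#   sq encrypt --with-password-file="$tmp/exact" --without-signature document.txt
rm -rf "$tmp"
```

A password that intentionally begins or ends with whitespace is reported the same way; the check only makes the bytes visible before they are used.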