enchive - personal archive encryption
enchive |
[-a|-A] [-e] [-p pubkey] [-s seckey] [--version] [--help] |
keygen
[-d[N]] [-e] [-f] [-i]
[-k N] [-u]
archive [-d]
extract [-d]
fingerprint
enchive is a program to encrypt files to yourself for long-term archival. It’s a focused, simple alternative to more complex tools such as GnuPG or encrypted filesystems. Like GnuPG, you can safely encrypt files on systems that you don’t trust with your secret key.
Files are secured with ChaCha20, Curve25519, and HMAC-SHA256.
-aseconds, --agent[=seconds]
Runs the key agent for awhile after successfully reading the passphrase. The agent will remain resident in memory until a period of inactivity passes. Default is 900 seconds (15 minutes).
-A, --no-agent
Do not start the key agent (default).
-eprogram, --pinentry[=program]
Read passphrases using the system’s pinentry program. By default Enchive uses the program named "pinentry".
-p, --pubkey file
Specifies the public key file to use for encryption.
-s, --seckey file
Specifies the secret key file to use for decryption.
--version
Print version information.
--help |
Print a synopsis of the command line interface. |
Any unique
prefix for a command is accepted. For example, the command
a would mean archive.
keygen [OPTION]...
Generates a new keypair either from system entropy or a passphrase.
-d[N], --derive[=N]
Derives the secret key from a passphrase. The key will be derived from the passphrase using difficulty exponent N. Default is 29.
-e, --edit
Edits the protection passphrase on an existing key. This also regenerates the public key file from the secret key.
-f, --force
Overwrites any existing keypair without prompting.
-i, --fingerprint
Prints the public key fingerprint after generation or editing.
-k N, --iterations N
Sets the difficulty exponent for deriving the protection key from the protection key passphrase. Default is 25.
-u, --plain
Do not use a protection key, and instead store the secret key unencrypted on the disk. Consider using the key agent instead of this option.
archive [-d|--delete] [INPUT [OUTPUT]]
Encrypts a single file for archival using only the public key. If no output filename is given, the output filename will be the input filename with a .enchive suffix. Except for --delete, the original file is untouched. If no filenames are given, encrypts standard input to standard output.
-d, --delete
Delete the original input file after success.
extract [-d|--delete] [INPUT [OUTPUT]]
Decrypt a single file from archival using the secret key. If no output filename is given, the output filename will be the input filename with the .enchive suffix removed. Without an output filename, it is an error for the input to lack this suffix. If no filenames are given, decrypt standard input to standard output.
-d, --delete
Delete the original input file after success.
fingerprint
Print the public key fingerprint to standard output.
TMPDIR |
If $XDG_RUNTIME_DIR is unset, the directory in which to create the agent socket. Default is /tmp. |
XDG_CONFIG_HOME
The directory under which keys will be created and read. Default is $HOME/.config.
XDG_RUNTIME_DIR
The directory in which to create the agent socket.
$XDG_CONFIG_HOME/enchive/enchive.pub
The file holding the public key used for encrypting files.
$XDG_CONFIG_HOME/enchive/enchive.sec
The file holding the secret key used for decrypting files.
enchive keygen --derive
Generate a new keypair from a passphrase prompt.
enchive archive -d mydata.tar.gz
Encrypt mydata.tar.gz to mydata.tar.gz.enchive and delete the unencrypted file.
enchive extract mydata.tar.gz.enchive
Decrypt mydata.tar.gz.enchive to mydata.tar.gz, preserving the original file.
gpg(1)
https://github.com/skeeto/enchive
http://nullprogram.com/blog/2017/03/12/