PostQuantum.FileEncryption.Tool
1.4.1
Requires NuGet 6.0.0 or higher.
dotnet tool install --global PostQuantum.FileEncryption.Tool --version 1.4.1
dotnet new tool-manifest
dotnet tool install --local PostQuantum.FileEncryption.Tool --version 1.4.1
pqfe — file encryption and signing from the command line
Encrypt, decrypt, sign, and verify files without writing a line of C#. pqfe is the
official command-line frontend for
PostQuantum.FileEncryption:
authenticated AES-256-GCM, PBKDF2-HMAC-SHA256 or Argon2id passphrase derivation, atomic
output files, and fail-closed decryption — a wrong passphrase and a tampered file produce
the same error and emit no plaintext. Detached Ed25519 + ML-DSA-65 hybrid signatures add
"who produced this file" on top of "it wasn't altered".
dotnet tool install -g PostQuantum.FileEncryption.Tool
Requires the .NET 10 runtime or later.
Usage
pqfe encrypt secrets.db secrets.db.pqfe # prompts for a passphrase (no echo)
pqfe decrypt secrets.db.pqfe secrets.db
For scripts and CI, read the passphrase from an environment variable instead of a prompt:
export PQFE_PASS='correct horse battery staple'
pqfe encrypt backup.tar backup.tar.pqfe --passphrase-env PQFE_PASS
pqfe decrypt backup.tar.pqfe backup.tar --passphrase-env PQFE_PASS
Sign a finished container (or any file) so recipients can prove who produced it:
pqfe keygen me.key # writes me.key (secret) + me.key.pub (share)
pqfe sign backup.tar.pqfe me.key # writes backup.tar.pqfe.sig
pqfe verify backup.tar.pqfe me.key.pub # exit 0 = authentic, 65 = reject
Options
| Option | Effect |
|---|---|
| `--argon2id` | Derive the key with Argon2id (memory-hard) instead of PBKDF2-HMAC-SHA256. Decryption reads the KDF from the container header — no flag needed. |
| `--passphrase-env VAR` | Read the passphrase from environment variable VAR instead of prompting. |
| `--signature PATH` | Detached-signature path for sign/verify (default: `<input>.sig`). |
Exit codes
Exit codes follow sysexits.h conventions so failures are scriptable: 0 ok, 64 usage,
65 data error (wrong passphrase, tampered/truncated ciphertext, or a signature that
does not verify — each deliberately indistinguishable within its class), 66 missing
input, 74 I/O error.
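A CI wrapper that relies on these exit codes to verify the detached signature before decrypting, so an unauthenticated container is never decrypted. This is an added example, not code from the pqfe project; the function names, log wording and the choice to return 64 for an unset passphrase are assumptions.

```bash
# Added example (not from the pqfe project): verify-then-decrypt for CI.
# From the page: pqfe verify/decrypt, --passphrase-env, PQFE_PASS, exit codes.
# Assumed: function names, log wording, returning 64 for an unset passphrase.

# Map a pqfe exit code to a short label for logs.
pqfe_exit_label() {
  case "$1" in
    0)  echo ok ;;
    64) echo usage ;;
    65) echo data-error ;;
    66) echo missing-input ;;
    74) echo io-error ;;
    *)  echo unknown ;;
  esac
}

# verify_then_decrypt CONTAINER PUBKEY OUTPUT
# Uses the default detached-signature path (CONTAINER.sig).
# Returns 0 on success, otherwise the exit code of the step that failed.
verify_then_decrypt() {
  _rc=0
  # Wrapper's own check: fail before touching any file if no passphrase is set.
  if [ -z "${PQFE_PASS:-}" ]; then
    echo "PQFE_PASS is not set" >&2
    return 64
  fi

  # Step 1: authenticity. "|| _rc=$?" keeps this safe under "set -e".
  pqfe verify "$1" "$2" || _rc=$?
  if [ "$_rc" -ne 0 ]; then
    echo "verify: $(pqfe_exit_label "$_rc") ($_rc); skipping decrypt" >&2
    return "$_rc"
  fi

  # Step 2: decrypt only a container whose signature verified.
  pqfe decrypt "$1" "$3" --passphrase-env PQFE_PASS || _rc=$?
  if [ "$_rc" -ne 0 ]; then
    # 65 means wrong passphrase or tampering; pqfe does not say which.
    echo "decrypt: $(pqfe_exit_label "$_rc") ($_rc)" >&2
  fi
  return "$_rc"
}
```

`PQFE_PASS` must be exported so the `pqfe` process can read it; unset it once the job no longer needs it.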
What it writes
Standard .pqfe v2 containers —
the format is FROZEN for the 1.x line and pinned by published cross-implementation
test vectors. Anything pqfe encrypts, the library (and any conforming implementation)
can decrypt, and vice versa.
Signatures are detached .sig sidecars
(Ed25519 + ML-DSA-65 — both must verify), produced by the
PostQuantum.FileEncryption.Signing
package the tool bundles.
pqfe covers passphrase encryption and detached signing. For public-key (recipient)
encryption — hybrid X25519 + ML-KEM-768, multi-recipient — use the
PostQuantum.FileEncryption.Hybrid
library package.
Source
Lives in the main repository at
samples/Pqfe.Cli,
built and published by the same release pipeline as the library: deterministic build,
CycloneDX SBOM, and SLSA-style build-provenance attestation on every release.
To God be the glory — 1 Corinthians 10:31.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.
1.4.1 — tracks PostQuantum.FileEncryption 1.4.1 in lockstep. Documentation and packaging patch only: corrects README install snippets and version references that still cited 1.3.0. No changes to the tool's commands or behavior. No change to the .pqfe v2 container format, which remains FROZEN for the 1.x line. See CHANGELOG.md.