PostQuantum.FileEncryption.Tool
1.4.0
Requires NuGet 6.0.0 or higher.
dotnet tool install --global PostQuantum.FileEncryption.Tool --version 1.4.0
dotnet new tool-manifest
dotnet tool install --local PostQuantum.FileEncryption.Tool --version 1.4.0
#tool dotnet:?package=PostQuantum.FileEncryption.Tool&version=1.4.0
nuke :add-package PostQuantum.FileEncryption.Tool --version 1.4.0
pqfe — file encryption and signing from the command line
Encrypt, decrypt, sign, and verify files without writing a line of C#. pqfe is the official command-line frontend for PostQuantum.FileEncryption: authenticated AES-256-GCM, PBKDF2-HMAC-SHA256 or Argon2id passphrase derivation, atomic output files, and fail-closed decryption — a wrong passphrase and a tampered file produce the same error and emit no plaintext. Detached Ed25519 + ML-DSA-65 hybrid signatures add proof of who produced this file on top of proof that it wasn't altered.
```sh
dotnet tool install -g PostQuantum.FileEncryption.Tool
```
Requires the .NET 10 runtime or later.
Usage
```sh
pqfe encrypt secrets.db secrets.db.pqfe   # prompts for a passphrase (no echo)
pqfe decrypt secrets.db.pqfe secrets.db
```
For scripts and CI, read the passphrase from an environment variable instead of a prompt:
```sh
export PQFE_PASS='correct horse battery staple'
pqfe encrypt backup.tar backup.tar.pqfe --passphrase-env PQFE_PASS
pqfe decrypt backup.tar.pqfe backup.tar --passphrase-env PQFE_PASS
```
Sign a finished container (or any file) so recipients can prove who produced it:
```sh
pqfe keygen me.key                        # writes me.key (secret) + me.key.pub (share)
pqfe sign backup.tar.pqfe me.key          # writes backup.tar.pqfe.sig
pqfe verify backup.tar.pqfe me.key.pub    # exit 0 = authentic, 65 = reject
```
Options
| Option | Effect |
|---|---|
| `--argon2id` | Derive the key with Argon2id (memory-hard) instead of PBKDF2-HMAC-SHA256. Decryption reads the KDF from the container header — no flag needed. |
| `--passphrase-env VAR` | Read the passphrase from environment variable VAR instead of prompting. |
| `--signature PATH` | Detached-signature path for sign/verify (default: `<input>.sig`). |
Exit codes
pqfe follows sysexits.h conventions so failures are scriptable: 0 ok, 64 usage, 65 data error (wrong passphrase, tampered/truncated ciphertext, or a signature that does not verify — each deliberately indistinguishable within its class), 66 missing input, 74 I/O error.
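As an added example (not part of the pqfe project or its documentation), a POSIX sh wrapper that checks a container's detached signature before decrypting it, maps pqfe's sysexits statuses to log messages, and enforces the fail-closed contract described above. It assumes pqfe is on PATH, the passphrase is in `PQFE_PASS` (never on argv), and the signature sits at `<container>.sig`; the `verified_decrypt` and `pqfe_reason` function names and the 70 (EX_SOFTWARE) status for a broken fail-closed contract are this wrapper's own choices.

```shell
#!/bin/sh
# Verify-then-decrypt wrapper around pqfe (added example; not the project's code).
# Assumes: pqfe on PATH, passphrase exported in PQFE_PASS, signer's public key given.
set -u

# Map a pqfe exit status (sysexits.h conventions) to a short reason for logs.
pqfe_reason() {
    case "$1" in
        0)  echo "ok" ;;
        64) echo "usage error (bad arguments)" ;;
        65) echo "data error: wrong passphrase, tampered ciphertext, or bad signature" ;;
        66) echo "missing input file" ;;
        74) echo "I/O error" ;;
        *)  echo "unexpected exit status $1" ;;
    esac
}

# verified_decrypt CONTAINER PUBKEY OUT
#  1. Check the detached signature CONTAINER.sig against PUBKEY; the ciphertext is
#     not touched unless `pqfe verify` returns 0.
#  2. Decrypt with the passphrase taken from $PQFE_PASS (no secret on the command line).
#  3. pqfe decrypts fail-closed, so a non-zero status must leave no plaintext behind;
#     an OUT file that exists after a failure is treated as a bug and removed.
# Returns pqfe's own status (0/64/65/66/74) so callers can branch on it.
verified_decrypt() {
    container=$1; pubkey=$2; out=$3
    pqfe verify "$container" "$pubkey" --signature "$container.sig"
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "refusing to decrypt $container: $(pqfe_reason "$rc")" >&2
        return "$rc"
    fi
    pqfe decrypt "$container" "$out" --passphrase-env PQFE_PASS
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "decrypt of $container failed: $(pqfe_reason "$rc")" >&2
        if [ -e "$out" ]; then
            echo "BUG: plaintext $out exists after a failure; removing it" >&2
            rm -f "$out"
            return 70   # EX_SOFTWARE: fail-closed contract was not honoured
        fi
        return "$rc"
    fi
    return 0
}

# Typical CI use:
#   export PQFE_PASS='...'; verified_decrypt backup.tar.pqfe me.key.pub backup.tar
```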
What it writes
Standard .pqfe v2 containers —
the format is FROZEN for the 1.x line and pinned by published cross-implementation
test vectors. Anything pqfe encrypts, the library (and any conforming implementation)
can decrypt, and vice versa.
Signatures are detached .sig sidecars
(Ed25519 + ML-DSA-65 — both must verify), produced by the
PostQuantum.FileEncryption.Signing
package the tool bundles.
pqfe covers passphrase encryption and detached signing. For public-key (recipient)
encryption — hybrid X25519 + ML-KEM-768, multi-recipient — use the
PostQuantum.FileEncryption.Hybrid
library package.
Source
Lives in the main repository at
samples/Pqfe.Cli,
built and published by the same release pipeline as the library: deterministic build,
CycloneDX SBOM, and SLSA-style build-provenance attestation on every release.
To God be the glory — 1 Corinthians 10:31.
| Product | Versions | Compatible and additional computed target framework versions |
|---|---|---|
| .NET | net10.0 | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.
1.4.0 — tracks PostQuantum.FileEncryption 1.4.0 in lockstep; no changes to the tool's commands or behavior. The release adds cloud envelope-key providers to the library family (PostQuantum.FileEncryption.Aws and PostQuantum.FileEncryption.AzureKeyVault). No format change: the .pqfe v2 container format remains FROZEN for the 1.x line. See CHANGELOG.md.