NAME

enchive - personal archive encryption

SYNOPSIS

enchive [-a|-A] [-e] [-p pubkey] [-s seckey] [--version] [--help]

keygen [-d[N]] [-e] [-f] [-i] [-k N] [-u]
archive [-d]
extract [-d]
fingerprint

DESCRIPTION

enchive is a program to encrypt files to yourself for long-term archival. It's a focused, simple alternative to more complex tools such as GnuPG or encrypted filesystems. Like GnuPG, you can safely encrypt files on systems that you don't trust with your secret key.

Files are secured with ChaCha20, Curve25519, and HMAC-SHA256.

OPTIONS

-aseconds, --agent[=seconds]: Runs the key agent for awhile after successfully reading the passphrase. The agent will remain resident in memory until a period of inactivity passes. Default is 900 seconds (15 minutes).
-A, --no-agent: Do not start the key agent (default).
-eprogram, --pinentry[=program]: Read passphrases using the system's pinentry program. By default Enchive uses the program named "pinentry".
-p, --pubkey file: Specifies the public key file to use for encryption.
-s, --seckey file: Specifies the secret key file to use for decryption.
--version: Print version information.
--help: Print a synopsis of the command line interface.

COMMANDS

Any unique prefix for a command is accepted. For example, the command a would mean archive.

keygen [OPTION]...: Generates a new keypair either from system entropy or a passphrase.

-d[N], --derive[=N]: Derives the secret key from a passphrase. The key will be derived from the passphrase using difficulty exponent N. Default is 29.
-e, --edit: Edits the protection passphrase on an existing key. This also regenerates the public key file from the secret key.
-f, --force: Overwrites any existing keypair without prompting.
-i, --fingerprint: Prints the public key fingerprint after generation or editing.
-k N, --iterations N: Sets the difficulty exponent for deriving the protection key from the protection key passphrase. Default is 25.
-r N, --repeats N: Number of repeated passphrase prompts when deriving a secret key. It is convenient to set this to zero when relying primarily on fingerprint verification. Alternatively, additional repeat prompts may aid in memorization. Default is 1.
-u, --plain: Do not use a protection key, and instead store the secret key unencrypted on the disk. Consider using the key agent instead of this option.

archive [-d|--delete] [INPUT [OUTPUT]]: Encrypts a single file for archival using only the public key. If no output filename is given, the output filename will be the input filename with a .enchive suffix. Except for --delete, the original file is untouched. If no filenames are given, encrypts standard input to standard output.

-d, --delete: Delete the original input file after success.

extract [-d|--delete] [INPUT [OUTPUT]]: Decrypt a single file from archival using the secret key. If no output filename is given, the output filename will be the input filename with the .enchive suffix removed. Without an output filename, it is an error for the input to lack this suffix. If no filenames are given, decrypt standard input to standard output.

-d, --delete: Delete the original input file after success.

fingerprint: Print the public key fingerprint to standard output.

ENVIRONMENT

TMPDIR: If $XDG_RUNTIME_DIR is unset, the directory in which to create the agent socket. Default is /tmp.
XDG_CONFIG_HOME: The directory under which keys will be created and read. Default is $HOME/.config.
XDG_RUNTIME_DIR: The directory in which to create the agent socket.

FILES

$XDG_CONFIG_HOME/enchive/enchive.pub: The file holding the public key used for encrypting files.
$XDG_CONFIG_HOME/enchive/enchive.sec: The file holding the secret key used for decrypting files.

EXAMPLES

enchive keygen --derive

Generate a new keypair from a passphrase prompt.

enchive archive -d mydata.tar.gz

Encrypt mydata.tar.gz to mydata.tar.gz.enchive and delete the unencrypted file.

enchive extract mydata.tar.gz.enchive

Decrypt mydata.tar.gz.enchive to mydata.tar.gz, preserving the original file.