PostQuantum.FileEncryption.Tool 1.2.0

There is a newer version of this package available.
See the version list below for details.

Requires NuGet 6.0.0 or higher.

dotnet tool install --global PostQuantum.FileEncryption.Tool --version 1.2.0

This package contains a .NET tool you can call from the shell/command line.

dotnet new tool-manifest   # if you are setting up this repo
dotnet tool install --local PostQuantum.FileEncryption.Tool --version 1.2.0

#tool dotnet:?package=PostQuantum.FileEncryption.Tool&version=1.2.0

nuke :add-package PostQuantum.FileEncryption.Tool --version 1.2.0

pqfe — file encryption from the command line

Encrypt and decrypt .pqfe containers without writing a line of C#. pqfe is the official command-line frontend for PostQuantum.FileEncryption: authenticated AES-256-GCM, PBKDF2-HMAC-SHA256 or Argon2id passphrase derivation, atomic output files, and fail-closed decryption — a wrong passphrase and a tampered file produce the same error and emit no plaintext.

dotnet tool install -g PostQuantum.FileEncryption.Tool

Requires the .NET 10 runtime or later.

Usage

pqfe encrypt secrets.db secrets.db.pqfe            # prompts for a passphrase (no echo)
pqfe decrypt secrets.db.pqfe secrets.db

For scripts and CI, read the passphrase from an environment variable instead of a prompt:

export PQFE_PASS='correct horse battery staple'
pqfe encrypt backup.tar backup.tar.pqfe --passphrase-env PQFE_PASS
pqfe decrypt backup.tar.pqfe backup.tar --passphrase-env PQFE_PASS

Options

| Option | Effect |
| --- | --- |
| --argon2id | Derive the key with Argon2id (memory-hard) instead of PBKDF2-HMAC-SHA256. Decryption reads the KDF from the container header — no flag needed. |
| --passphrase-env VAR | Read the passphrase from environment variable VAR instead of prompting. |

Exit codes

Exit codes follow sysexits.h conventions so failures are scriptable: 0 ok, 64 usage, 65 data error (wrong passphrase or tampered/truncated ciphertext, deliberately indistinguishable), 66 missing input, 74 I/O error.
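These exit codes are enough to script a restore that retries transient failures but never loops on a data error. The wrapper below is an added example, not code from the pqfe project; PQFE_BIN, PQFE_RETRY_DELAY and the function names are hypothetical, and the retry policy (retry only on 74) is an assumption rather than something the tool prescribes.

```shell
#!/bin/sh
# Added example: restore wrapper that branches on pqfe's documented exit codes.
# PQFE_BIN, PQFE_RETRY_DELAY, pqfe_reason and pqfe_restore are hypothetical names.

PQFE_BIN="${PQFE_BIN:-pqfe}"
PQFE_RETRY_DELAY="${PQFE_RETRY_DELAY:-2}"   # seconds between I/O retries

# Map a documented exit code to a log-safe reason (never logs the passphrase).
pqfe_reason() {
    case "$1" in
        0)  echo "ok" ;;
        64) echo "usage error" ;;
        65) echo "data error (wrong passphrase or tampered/truncated ciphertext)" ;;
        66) echo "missing input" ;;
        74) echo "I/O error" ;;
        *)  echo "undocumented exit code $1" ;;
    esac
}

# pqfe_restore CONTAINER OUTPUT PASS_ENV_VAR [MAX_ATTEMPTS]
# Retries only on 74 (I/O error). 65 is never retried: the tool does not say
# whether the passphrase was wrong or the file was altered, so the wrapper
# stops and leaves that decision to an operator.
pqfe_restore() {
    _in=$1; _out=$2; _var=$3; _max=${4:-3}; _try=1
    while :; do
        _rc=0
        # "|| _rc=$?" keeps the wrapper usable under "set -e".
        "$PQFE_BIN" decrypt "$_in" "$_out" --passphrase-env "$_var" || _rc=$?
        if [ "$_rc" -eq 74 ] && [ "$_try" -lt "$_max" ]; then
            echo "pqfe: $(pqfe_reason "$_rc"), attempt $_try/$_max" >&2
            _try=$((_try + 1))
            sleep "$PQFE_RETRY_DELAY"
            continue
        fi
        [ "$_rc" -eq 0 ] || echo "pqfe: $(pqfe_reason "$_rc"): $_in" >&2
        return "$_rc"
    done
}
```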

What it writes

Standard .pqfe v2 containers — the format is FROZEN for the 1.x line and pinned by published cross-implementation test vectors. Anything pqfe encrypts, the library (and any conforming implementation) can decrypt, and vice versa.

pqfe covers passphrase encryption. For public-key (recipient) encryption — hybrid X25519 + ML-KEM-768, multi-recipient — use the PostQuantum.FileEncryption.Hybrid library package.

Source

The tool lives in the main repository at samples/Pqfe.Cli and is built and published by the same release pipeline as the library: deterministic build, CycloneDX SBOM, and SLSA-style build-provenance attestation on every release.

To God be the glory — 1 Corinthians 10:31.

| Product | Compatible and additional computed target framework versions |
| --- | --- |
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |

This package has no dependencies.

| Version | Downloads | Last Updated |
| --- | --- | --- |
| 1.4.1 | 481 | 6/13/2026 |
| 1.4.0 | 469 | 6/13/2026 |
| 1.3.0 | 479 | 6/13/2026 |
| 1.2.1 | 493 | 6/12/2026 |
| 1.2.0 | 470 | 6/12/2026 |
| 1.1.0 | 476 | 6/10/2026 |

1.1.0 — first published release of the pqfe command-line tool, packaged from the same source tree, release workflow, and supply-chain pipeline (SBOM, SLSA-style provenance attestation, deterministic build) as PostQuantum.FileEncryption 1.1.0. Bundles the library; the .pqfe v2 container format is FROZEN for the 1.x line.