{"id":13576790,"url":"https://github.com/life4/enc","last_synced_at":"2025-04-05T08:33:14.907Z","repository":{"id":65029389,"uuid":"522870936","full_name":"life4/enc","owner":"life4","description":"🔑🔒 A modern and friendly CLI alternative to GnuPG: generate and download keys, encrypt, decrypt, and sign text and files, and more.","archived":false,"fork":false,"pushed_at":"2025-04-03T09:22:13.000Z","size":99,"stargazers_count":505,"open_issues_count":1,"forks_count":18,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-04-03T09:32:47.953Z","etag":null,"topics":["cli","cryptography","decryption","encryption","gnupg","go","golang","gpg","keybase","pgp","rsa-cryptography","security","signature"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/life4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-09T08:47:10.000Z","updated_at":"2025-04-03T08:35:47.000Z","dependencies_parsed_at":"2024-01-09T11:50:07.453Z","dependency_job_id":null,"html_url":"https://github.com/life4/enc","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/life4%2Fenc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/life4%2Fenc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/life4%2Fenc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/life4%2Fenc/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/life4","download_url":"https://codeload.github.com/life4/enc/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247312065,"owners_count":20918340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","cryptography","decryption","encryption","gnupg","go","golang","gpg","keybase","pgp","rsa-cryptography","security","signature"],"created_at":"2024-08-01T15:01:14.187Z","updated_at":"2025-04-05T08:33:14.862Z","avatar_url":"https://github.com/life4.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"./logo-dark.svg\" style=\"max-width: 50%\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"./logo-light.svg\" style=\"max-width: 50%\"\u003e\n  \u003cimg alt=\"enc logo\" src=\"./logo-light.svg\" style=\"max-width: 50%\"\u003e\n\u003c/picture\u003e\n    \u003ch1\u003eenc\u003c/h1\u003e\n    \u003cp\u003e\u003cb\u003ea modern and friendly alternative to GnuPG\u003c/b\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n# What is enc?\n\nEnc is a CLI tool for encryption, a modern and friendly alternative to [GnuPG](https://gnupg.org/). It is easy to use, secure by default and can encrypt and decrypt files using password or encryption keys, manage and download keys, and sign data. Our goal was to make encryption available to all engineers without the need to learn a lot of new words, concepts, and commands. 
It is the most beginner-friendly CLI tool for encryption, and keeping it that way is our top priority.\n\n## Features\n\n+ **Easy installation**. Grab the binary, and you're ready to go.\n+ **Friendly CLI**. We use well-isolated subcommands to group flags. There are no flags that can't be used together or must be used in a very specific combination.\n+ **Well-documented**.\n+ **Reliable**. Under the hood, enc uses [gopenpgp](https://github.com/ProtonMail/gopenpgp) library. The same library that powers ProtonMail.\n+ **UNIX-way**. Enc does only one job and does it well. And it plays nicely with any other tools. It reads all possible input from stdin and writes all possible output into stdout.\n+ **CI-friendly**. There is no interactive prompt. All input is strictly stdin or CLI flags.\n\nA few drawbacks to keep in mind:\n\n+ Not all encryption algorithms supported by GnuPG are supported by enc.\n+ You'll still need to import keys into GnuPG to use tools that are integrated with GnuPG, like git.\n\n## Install\n\nIf you have Go:\n\n```bash\ngo install github.com/life4/enc@latest\n```\n\nIf you don't have Go, [grab the binary for your OS](https://github.com/life4/enc/releases).\n\nOn Linux (and OS X, probably) that's how you can make the executable globally available:\n\n1. Extract the binary: `tar -xf enc_*.tar.gz`\n1. Make it executable: `chmod +x enc`\n1. Place it in your PATH: `mv enc ~/.local/bin`\n1. Check if it works: `enc version`\n1. If it says \"command not found\", run `echo $PATH` and check if `~/.local/bin` is there. If not, add into your `~/.bashrc` the following: `export PATH=$PATH:~/.local/bin`\n\n## Encrypt\n\n\"To encrypt something\" means making it unreadable for someone without a secret. Only the one who knows the secret can read an encrypted message. 
Let's encrypt a text message using a password:\n\n```bash\necho 'my secret message' | enc encrypt --password 'very secret password' \u003e encrypted.bin\n```\n\n## Decrypt\n\n\"To decrypt something\" means to restore the encrypted message. If you look at the content of `encrypted.bin` from the previous step, you'll see that it's some binary gibberish. Let's decrypt that. And for that, you need to know the password that was used to encrypt the message.\n\n```bash\ncat encrypted.bin | enc decrypt --password 'very secret password'\n```\n\nAnd you should see the \"my secret message\" output. And if you pass an incorrect password, you'll see a \"wrong password or malformed message\" error instead.\n\n## A note on secrets and shell history\n\nIt's not safe to just plainly put your passwords like this as an argument to a command. Or to use `echo` to write a secret message. All your input will be stored in the history of your terminal. For example, for bash, it will be saved in `~/.bash_history`. There are a few helpful tips on how to avoid that:\n\n1. Start the command with a space. Then it will not be stored in the bash history. It should work for other shells as well.\n1. Use [pass](https://www.passwordstore.org/) or another password manager: `enc encrypt --password=$(pass path/to/password)`.\n1. Use `cat` without arguments as input: `enc encrypt --password=$(cat)`. It will read whatever you type in the terminal until you press `ctrl+d`.\n\n## Armor/dearmor the message\n\nSometimes, you need to send the encrypted message as text, in a place where binary input isn't supported. For example, in a chat. 
For that, enc provides \"armoring\" that turns any binary input into text:\n\n```bash\ncat encrypted.bin | enc armor \u003e encrypted.txt\n```\n\nNow, inside encrypted.txt you'll see something like this:\n\n```text\n-----BEGIN PGP MESSAGE-----\nVersion: enc 0.1.0\nComment: https://github.com/life4/enc\n\nwy4ECQMIT0iy0Z6UgXHg6Zt9gwmLNWJ4Jx0aVE7K1CuFT03VoP7dmtAknap3+ioR\n0kMB8dNyuHDE5mO27fu0GCJih60VSWcTbcFsSwanO8r462A0itZ68sDG5Tyv1b9C\ny6LeJYJwgyGi8wemlqZVqdStggNM\n=ArNH\n-----END PGP MESSAGE-----\n```\n\nAnd to decrypt the armored message, you should dearmor it back into binary:\n\n```bash\ncat encrypted.txt | enc dearmor | enc decrypt --password 'very secret password'\n```\n\n**Tip**: you can omit `enc dearmor`. Enc will automatically detect if the input is armored and dearmor it.\n\n## Generate a key\n\nPasswords aren't that good for encrypting things. It's helpful when you want to send an encrypted file and then tell your friend the secret by phone (or shout it to him in the next room), but when you can get a bit fancier, it's better to use a secret key. A key is a file that can be used to encrypt or decrypt messages. It's longer (and so safer) than a typical password and has one more feature we'll cover later. For now, let's just generate a new key:\n\n```bash\nenc key generate \u003e private.key\n```\n\n**Tip**: make sure to limit permissions for the keys you store locally (`chmod 600 *.key`).\n\nThe key has quite a bit of information inside: your name and email, when it was generated, and expiration date. Of course, you can have a look yourself:\n\n```bash\ncat private.key | enc key info\n```\n\n## Encrypt/decrypt with a key\n\nEncrypting the message using the key is quite similar to encrypting it with a password. 
Just pass the path to the key to use:\n\n```bash\necho 'hello world' | enc encrypt --key private.key \u003e encrypted.bin\n```\n\nAnd similarly, decrypt:\n\n```bash\ncat encrypted.bin | enc decrypt --key private.key\n```\n\n## Use public key (generate and encrypt)\n\nThe \"one more feature\" of keys we mentioned before is that your private key actually contains 2 keys:\n\n1. Public key is used to encrypt messages.\n1. Private key is used to decrypt messages encrypted with the public key.\n\nThe idea is that you can make your public key available to everyone on your website, chats, etc. Anyone can take that public key, use it to encrypt a message, and send the encrypted message to you. And despite the public key being public, nobody but you can decrypt the message. Neat!\n\nExtract the public key from the private key:\n\n```bash\ncat private.key | enc key public \u003e public.key\n```\n\nEncrypt the message with the public key:\n\n```bash\necho 'hello world' | enc encrypt --key public.key \u003e encrypted.bin\n```\n\nThe message can be decrypted only using the private key:\n\n```bash\n$ cat encrypted.bin | enc decrypt --key private.key\nhello world\n$ cat encrypted.bin | enc decrypt --key public.key\nError: public key cannot be used to decrypt\n```\n\n**Tip**: keys can be armored using `enc key armor`.\n\n## Protect private key with a password\n\nIf you use a private key to protect your files from evil hackers, the whole effort is in vain if the key lies in plain sight next to the files. It's like locking your door and then leaving the key in the keyhole. 
The solution is to encrypt (\"lock\") the private key itself with a password.\n\nLock the key with a password:\n\n```bash\ncat private.key | enc key lock --password 'my secret pass' \u003e locked.key\n```\n\nYou can always unlock it back if you change your mind:\n\n```bash\ncat locked.key | enc key unlock --password 'my secret pass' \u003e unlocked.key\n```\n\n**Tip**: you can chain `enc key unlock` and `enc key lock` to change the password for the key. It's good to update your passwords from time to time.\n\nTo use a locked key when using `encrypt` or `decrypt`, pass both `--key` and `--password` at the same time:\n\n```bash\necho 'hello world' | enc encrypt --key locked.key --password 'my secret pass' \u003e encrypted.bin\ncat encrypted.bin | enc decrypt --key locked.key --password 'my secret pass'\n```\n\n## Sign\n\nFrom the math perspective, there is no difference between private and public keys: they both can be used to encrypt messages that can only be decrypted by the other. Most of the security tools, including enc, artificially forbid using the public key for decrypting messages because that's not how it should be used (encrypting messages that anyone can decrypt is pointless). But what if we bypass that limitation? Then we could calculate the hash from the message, encrypt it using our private key, and publish it alongside the message itself. Then anyone can take this \"signature\", decrypt it using the public key, and check if the hash matches the message. It will match only if the message is not altered by anyone and the signature was encrypted using your private key. In other words, anyone can validate that the message was sent by you and wasn't altered. 
This is what signing is.\n\nCreate a new signature:\n\n```bash\ncat encrypted.bin | enc sig create --key private.key \u003e message.sig\n```\n\n**Tip**: signatures can be armored using `enc sig armor`.\n\nThe signature will contain the ID of the key that was used to generate it:\n\n```bash\n$ cat message.sig | enc sig id\n91c1be98e13a8621\n$ cat private.key | enc key info | jq .id\n\"91c1be98e13a8621\"\n```\n\n## Verify signature\n\nTo verify the signature, you'll need the signed message, the signature, and the public key:\n\n```bash\ncat encrypted.bin | enc sig verify --key public.key --signature message.sig\n```\n\n## Download public key\n\nMany services can host the public GPG keys of their users. And enc can search these services and download the key for you.\n\nSupported providers:\n\n1. `github`: get keys from [github.com](https://github.com/) by username.\n1. `gitlab`: get keys from [gitlab.com](https://gitlab.com/) (or a self-hosted GitLab instance) by username.\n1. `hkp`: get a key from a public GPG key server (by default, [keyserver.ubuntu.com](https://keyserver.ubuntu.com/)) by its fingerprint. Downloading keys by author's email is not supported by design. HKP servers do not verify user emails, so anyone can upload a key with any email address.\n1. `keybase`: get keys from [keybase.io](https://keybase.io/) by username.\n1. 
`protonmail`: get a key from [proton.me](https://proton.me/mail) by email address.\n\nIn the list above, \"keys\" means that the provider can return multiple keys, not just one.\n\nDownload a key of a proton mail user by their email:\n\n```bash\nenc remote get --provider=protonmail git@orsinium.dev\n```\n\nSearch all providers and download a key by author's username:\n\n```bash\nenc remote get orsinium\n```\n\n## Publish public key\n\nTo publish a key in a supported provider, use the official tools provided by the provider:\n\n+ Upload to github.com using [gh](https://cli.github.com/): `gh gpg-key add public.key`.\n+ Upload to gitlab.com using [glab](https://gitlab.com/gitlab-org/cli): [not supported yet](https://gitlab.com/gitlab-org/cli/-/issues/1052).\n+ Upload to keybase.io using [keybase](https://book.keybase.io/docs/cli): `keybase pgp import -i private.key`.\n\n[![xkcd: Public Key](https://imgs.xkcd.com/comics/public_key_2x.png)](https://xkcd.com/1553/)\n\n## Experimental: work with GnuPG keyring\n\nMany great tools have integration with GnuPG. To name a few, git, some email clients, [pass](https://www.passwordstore.org/). Wouldn't it be great to integrate them with enc too? Well, that's not that easy. Many tools don't allow specifying a different path to GnuPG binary to use, so all we are left with is to integrate enc with GnuPG directly: import, export, and list keys. This is what this section is about. How you can work with GnuPG \"keyring\": the internal collection of keys that GnuPG knows about.\n\nSo far, we managed to only provide a few commands for public keys' keyring. 
The private keyring is a bit trickier, different versions of GnuPG store it differently.\n\nList all keys that GnuPG knows about:\n\n```bash\ncat ~/.gnupg/pubring.gpg | enc keys list\n```\n\nRed keys are expired or revoked, green keys are locked (password-protected), and yellow keys aren't locked.\n\nGet a key from the list (by ID or email):\n\n```bash\ncat ~/.gnupg/pubring.gpg | enc keys get 0123456789abcdef \u003e public.key\ncat ~/.gnupg/pubring.gpg | enc keys get mail@example.com \u003e public.key\n```\n\nAdd a key into the GnuPG keyring:\n\n```bash\ngpg --import private.key\n```\n\n## Type commands faster\n\n1. Under the hood, enc uses [cobra](https://github.com/spf13/cobra) Go library for describing CLI. And [cobra provides shell completion support](https://github.com/spf13/cobra/blob/main/shell_completions.md). If you run `enc completion bash -h` (or another shell name you use instead of `bash`), it will show you how you can activate autocomplete for your shell depending on your OS.\n1. Every command provides multiple aliases and shortcuts. For example, `enc key generate` can be abbreviated to `enc k g`. You can call the command with `-h` (`enc key generate -h`) to see what aliases it has.\n1. Most of the flags can also be abbreviated to the first letter. For example, you can use `-p` instead of `--password` in all commands.\n","funding_links":[],"categories":["Go","cli","\u003ca name=\"security\"\u003e\u003c/a\u003eSecurity and encryption"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flife4%2Fenc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flife4%2Fenc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flife4%2Fenc/lists"}