How to Encrypt a File on the Command Line

Jon McLachlan
Apr 7, 2021

Discover the easiest command line tool to encrypt and decrypt a file or stdin

(1) Install this CLI:

# Install peacemakr
brew tap peacemakr-io/peacemakr
brew install peacemakr

(2) Authenticate to fetch your encryption keys:

# Authenticate to Peacemakr's Demo Org for access to demo keys

By the way, if you don’t want to use a demo account, then sign up for a free account to use your own keys.

(3) Encrypt your file:

peacemakr -encrypt --inputFileName to-encrypt.txt --outputFileName encrypted.txt

Decrypt your file:

peacemakr -decrypt --inputFileName encrypted.txt --outputFileName decrypted.txt

Or even encrypt and decrypt with standard input:

echo "Hello Encrypted World" | peacemakr -encrypt
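A wrapper around the two file commands above that proves the ciphertext decrypts back to the original before the plaintext is deleted. This is an added example, not part of the original post or Peacemakr's own tooling; the function name `encrypt_verified` and the temp-file handling are assumptions, and only the flags shown above are used.

```shell
#!/bin/sh
# Added example: encrypt a file with the peacemakr CLI flags shown above,
# then check the round trip before the plaintext is removed.
# encrypt_verified is a hypothetical helper name, not a peacemakr feature.

encrypt_verified() {
    src=$1
    dst=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }

    # The decrypted check copy lives in a private temp dir (mktemp -d is 0700).
    tmpdir=$(mktemp -d) || return 2
    check="$tmpdir/roundtrip"

    rc=0
    (
        umask 077   # files created here are readable by the owner only
        peacemakr -encrypt --inputFileName "$src" --outputFileName "$dst" &&
        peacemakr -decrypt --inputFileName "$dst" --outputFileName "$check"
    ) || rc=$?

    if [ "$rc" -ne 0 ] || [ ! -s "$dst" ]; then
        echo "encrypt/decrypt failed; plaintext kept" >&2
        rc=1
    elif cmp -s "$src" "$dst"; then
        # Output identical to input means nothing was actually encrypted.
        echo "output equals plaintext; plaintext kept" >&2
        rc=1
    elif ! cmp -s "$src" "$check"; then
        echo "round trip mismatch; plaintext kept" >&2
        rc=1
    else
        rm -f -- "$src"   # only now is it safe to drop the plaintext
        rc=0
    fi

    rm -rf -- "$tmpdir"
    return "$rc"
}

# Usage: encrypt_verified to-encrypt.txt encrypted.txt
```
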

Wait a Second. What is Peacemakr?

Ok. But what key was just used to encrypt?

If you haven’t done so already, you need to sign up for a free account to use your own keys, or else you’re just using the publicly available demo keys, which are not secure.

Signing up is free and quick:

Once you sign in, you’ll see your Security Control Panel. The Crypto Use Domains contain the keys you’re using to actually encrypt and decrypt. Anyone with access to your APIKey will be able to encrypt or decrypt with your keys. You can also share your Crypto Use Domains with other Peacemakr Users by adding them as Collaborators.

Peacemakr helps you manage your keys automatically.

To dig in a little more, all keys come from Key Derivers. When your CLI needed to encrypt, it asked your Key Deriver for a valid key. Your Key Deriver wrapped it with your CLI’s public key, signed it, and delivered it to your CLI. Your CLI then used the security policies to decide how to use the key to encrypt. In this case, ChaCha20-Poly1305 was used to encrypt and sign the file.

The security policies guided the Key Deriver and CLI on which key to use and how to use it. This frees you from having to hard-code decisions like algorithm type, key length, key origin, IV data, AAD data, and Tag data directly into your encryption use.

Key Derivers are plug-and-play components and can be run anywhere. For example, if you need your keys to come from a secure on-prem data center, you can run a Key Deriver there. But to start, everyone gets a complimentary Key Deriver in the cloud.

Sounds Complex? It is.

Encrypting data is difficult and dangerous without the proper controls in place. It’s easy to lose track of keys, hard-code configurations, or fail to rotate keys in a timely manner. There are some great reads out there to help navigate this space.

Luckily, Peacemakr solves those complex key distribution and key lifecycle management problems and exposes a simple interface for the rest of us to just encrypt and decrypt our data.

Can I encrypt and decrypt offline?

Yes, as long as your client already has downloaded at least one valid key from your Key Derivers.

Is there an SDK to programmatically encrypt and decrypt data?

Yes, as of 2021, Peacemakr supports 6 SDKs including,

But you should check out GitHub for the complete list.

Free Tier? What’s the catch?

No catch, you can use the Free Tier forever. You do have to stay within the 1,000 API calls/month limit, but most startups and small businesses can get away with that and never worry about paying.

Where can I learn more?

Visit or say hi.



Jon McLachlan

Founder of YSecurity. Ex-Apple, Ex-Robinhood, Ex-PureStorage. Lives in Oakland. Athlete.