pqf is the command-line wrapper over the PostQuantum.FileFormat library.
What this is.
pqfis a demonstration / dogfooding CLI for the PostQuantum.FileFormat library and the broader PostQuantum.* ecosystem. It exists so you can try the PQF container format, generate the right pair of identities, encrypt and decrypt real files, and cross-check against the reference test vectors and the Rust implementation. It is also useful as a readable reference for how to drive the library's public API.What this is NOT. It is not intended as a production library dependency. Other projects should depend on
PostQuantum.FileFormatdirectly — thepqftool's API surface (its commands, exit codes, output shape) is not a stability contract and may change between previews.EXPERIMENTAL preview; not externally audited; do not use to protect irreplaceable data.
pqf keygen --type encrypt --public-out recipient.pub.pem --private-out recipient.identity.jsonpqf keygen --type sign --public-out signer.pub.pem --private-out signer.identity.jsonpqf encrypt --in plain.bin --out file.pqf --recipient recipient.pub.pem [--recipient recipient2.pub.pem] [--signing-key signer.identity.json] [--chunk-size 65536]pqf decrypt --in file.pqf --out plain.out.bin --identity recipient.identity.json [--mode authenticated|streaming]pqf inspect --in file.pqf [--json]pqf fingerprint --public-key recipient.pub.pem
- Public keys are armored PEM files using labels from spec §7:
PQF PUBLIC KEYPQF SIGNING PUBLIC KEY
- Private identities are JSON files written by
pqf keygenand consumed bypqf encrypt/pqf decrypt.
0: success2: usage error3: I/O or permissions error4: key parse/format error5: cryptographic refusal (PqfRefusalReason)10: internal error
In streaming mode, post-hoc signature/footer failures return exit code 5 and
are reported on stderr with post-hoc-auth=true.