sare-cli
| Crates.io | sare-cli |
| lib.rs | sare-cli |
| version | 0.1.1 |
| created_at | 2025-09-11 12:07:51.423402+00 |
| updated_at | 2025-09-11 12:22:33.272896+00 |
| description | Command-line interface for the SARE encryption standard. |
| homepage | https://sareproject.github.io |
| repository | https://github.com/SareProject/sare |
| max_upload_size | |
| id | 1833750 |
| size | 113,691 |
Zola Gonano (zolagonano)
documentation
README
SARE CLI
THIS TOOL IS IN BETA. IT IS QUICKLY EVOLVING AND HAS NOT BEEN FULLY AUDITED FOR SECURITY.
A command-line tool to stay safe in the quantum age. Built on top of sare-lib, SARE CLI allows users to encrypt, decrypt, sign, and manage cryptographic keys and recipients using a standardized and quantum-safe hybrid approach.
Table of Contents
Overview
SARE CLI is built on top of of sare-lib with some additions like recipients/keys management database. It currently supports:
-
Hybrid encryption and decryption (symmetric and asymmetric)
-
Detached digital signatures and verification
-
Master key generation, inspection, and revocation
-
Recipient management
-
KDF-based symmetric encryption options
Installation
Installation from source:
You can build from source:
git clone https://github.com/SareProject/sare
cd sare
cargo build --release
The resulting binary will be located at:
target/release/sare-cli
Installation using cargo
You can simply install using cargo install:
cargo install sare-cli
Usage
The CLI follows this structure:
sare-cli <command> [subcommand] [options]
Core Commands
-
masterkey– Generate, list, remove, or inspect master keys -
recipient– Add, remove, or list recipients -
signature– Generate or verify digital signatures -
encrypt– Symmetric or asymmetric file encryption -
decrypt– Symmetric or asymmetric file decryption -
revocation– Generate, list, or broadcast revocation certificates
Use sare-cli <command> -h to see available subcommands and options.
Examples
Generate a Master Key
sare-cli masterkey generate --hybrid-kem-algorithm X25519_KYBER768 --hybrid-sign-algorithm ED25519_DILITHIUM3
If you don't provide the HybridKEM and HybridSign algorithms, the defaults will be used.
Also, on key generation, two certificates will be generated for you: one revocation certificate, which you can share to prove that your key is not being used either because it’s compromised or you lost access to it for any reason; and the validation certificate, attached to your public key. The validation certificate is used to prove that you own all the keys since signing and encryption keys are separate, and it contains your issuer ID (like your name and email address) and an expiry date so users won't accidentally encrypt messages with your expired key.
Encrypt a File Asymmetrically
Before encrypting to someone, you should add them as a recipient:
sare-cli recipient add recipient.pem
Then:
sare-cli encrypt asymmetric input.txt output.enc --recipient RECIPIENT_ID --masterkey-id MASTER_KEY_ID
If you don't provide MASTER_KEY_ID and/or RECIPIENT_ID, it will show you the list of recipients / master keys.
Encrypt a File Symmetrically
sare-cli encrypt symmetric input.txt output.enc
Decrypt a File
sare-cli decrypt input.enc output.txt
sare-cli will detect whether the file is encrypted using your public key (asymmetrically) or using a password (symmetrically) and will either ask for your master key for decryption or a password based on that.
Generate a Signature
sare-cli signature generate input.txt input.sig --masterkey-id MASTER_KEY_ID
Signatures will be detached, meaning the signature file does not include the content of the file. For verification, you'll need both the original file and the signature.
Verify a Signature
sare-cli signature verify input.sig input.txt
Add a Recipient
sare-cli recipient add recipient.pem
List Recipients
sare-cli recipient list
Generate a Revocation Certificate
sare-cli revocation new --masterkey-id MASTER_KEY_ID
Note: broadcasting revocations is not implemented yet since it requires the implementation of a keyserver first.
Security Notice
SARE is built to use audited and standard cryptographic algorithms at the low-level encryption, signing, and encapsulation layers.
However, SARE itself still needs to be audited to be considered secure. Please use it at your own risk and do not use it for critical use cases.
If you've found security vulnerabilities, please follow our security policy for reporting. Do not report them in the GitHub issues or announce them publicly until we have released a fix for the issue: https://github.com/SareProject/sare/security/policy
Support
If you want to help SARE grow, the best way is financially. Please check out our donation page: https://sareproject.github.com/docs/support
But a share on social media, a star on our GitHub repo, or even a simple supporting message is enough motivation for us to keep going.
License
SARE CLI is released under a combination of the MIT License and the Apache License.