Skip to main content

Crypto

The crypto command group lets you encrypt and decrypt content standalone — outside of sending a message. Useful for testing encryption, pre-encrypting payloads, or integrating with other tools.

The CLI always derives the encryption identity from the configured keypair using the wallet-derived Ed25519-to-X25519 algorithm. It does not manage custom registered Key account private material.


Packet Envelope Interaction

crypto encrypt encrypts one plaintext string. With --content, that plaintext is exactly the string you pass. With --text and/or --file, the CLI first builds a Packet envelope, then encrypts the encoded envelope string.

That means this command:

packet crypto encrypt --to <pubkey> \
--subject "Report" \
--text "See attached." \
--file ./report.pdf

encrypts a Packet envelope shaped like:

{
subject: "Report",
message: [
{ contentType: "text/plain", encoding: "utf8", content: "See attached." },
{ contentType: "application/pdf", encoding: "base64", content: "..." }
]
}

crypto decrypt does the reverse. It decrypts the encrypted JSON, parses the plaintext as a Packet envelope when possible, prints text parts as display text, and can save binary parts with --full-view <dir>.


crypto encrypt

Encrypt content for a specific recipient wallet.

packet crypto encrypt --to <pubkey> (--content <text> | --text <text> | --file <path>) [options]

Required:

FlagDescription
--to <pubkey>Target recipient's Solana wallet public key

Content input:

Exactly one input mode is required.

FlagDefaultDescription
--content <message>Exact plaintext to encrypt. Cannot be combined with --text or --file.
--text <message>repeatableAdd a text/plain Packet envelope part.
--file <path>repeatableAdd a file Packet envelope part.

--text and --file can be combined. They build one Packet envelope, so you can encrypt multiple text parts and files in one payload.

Options:

FlagDefaultDescription
--subject <subject>Optional Packet envelope subject for --text/--file input.
--dont-include-senderfalseExclude the sender from the reader list. The sender will not be able to decrypt.
--out <path>Write encrypted JSON to a file instead of printing to stdout.
--uploadfalseUpload the encrypted JSON to Irys and print the URL.

Output:

By default, the encrypted JSON envelope is printed to stdout:

{
"version": 1,
"algorithm": "x25519-xsalsa20-poly1305",
"nonce": "...",
"readers": [...],
"ciphertext": "..."
}

Examples:

# Encrypt a message for a recipient
packet crypto encrypt --to 3xK...abc --content "Secret message"

# Encrypt a multi-part Packet envelope and save output
packet crypto encrypt --to 3xK...abc \
--subject "Private report" \
--text "Notes are attached." \
--file ./report.pdf \
--out ./report.enc.json

# Encrypt and upload to Irys
packet crypto encrypt --to 3xK...abc --content "Secret" --upload

crypto decrypt

Decrypt Packet-encrypted content using the configured wallet's private key.

packet crypto decrypt (--text <json> | --file <path> | --url <url>) [--json]

Input (exactly one required):

FlagDescription
--text <json>Encrypted JSON body as a string
--file <path>File containing the encrypted JSON
--url <url>URL pointing to the encrypted JSON

Options:

FlagDefaultDescription
--full-view <dir>Save binary Packet envelope parts to a target folder.
--jsonfalsePrint structured JSON output instead of display text.

Examples:

# Decrypt from a file
packet crypto decrypt --file ./doc.enc.json

# Decrypt from a URL
packet crypto decrypt --url https://gateway.irys.xyz/<cid>

# Decrypt and get JSON output
packet crypto decrypt --file ./doc.enc.json --json

Notes

  • The CLI uses the wallet-derived Ed25519-to-X25519 algorithm: the Ed25519 signing key is converted to an X25519 key deterministically. This means any wallet can encrypt/decrypt without a separate key registration step.
  • The sender is included as a reader by default, so you can decrypt messages you sent.
  • For CLI-only wallets, you usually should not create a registered Key account. If a wallet has a registered Key account, senders that resolve it encrypt to that registered public key and the matching private encryption identity is required to decrypt.
  • For browser UI wallets that use password/signature-derived encryption, avoid reusing the same wallet in CLI unless you understand the key-mode conflict.