Skip to content

Command Line Interface: encryption for data sharing

To encrypt and upload files via command line, please check this tutorial illustrating how to use the crpt4GH tool to upload files in Allas (visible from SD Connect).

Below more information about the crypt4GH CLI:

For documentation and more information, you can check the Crypt4GH Encryption Utility page.

In this example, we first generate your key pair (a password-protected private key and a public key that can be shared with collaborators). Next, we encrypt a file with public keys of two different collaborators (research group A and research group B).

Python 3.6+ is required to use the Crypt4GH encryption utility. If you need help installing Python, please follow these instructions.

  1. Install the Crypt4GH encryption CLI tool

    You can install Crypt4GH directly with pip tool:

    pip install crypt4gh     

    or, if you prefer the latest sources from GitHub:

    pip install -r crypt4gh/requirements.txt
    pip install ./crypt4gh

    or even:

    pip install git+

    The usual -h flag shows you the different options that the tool accepts:

    $ crypt4gh -h
    Utility for the cryptographic GA4GH standard, reading from stdin and outputting to stdout.
       {PROG} [-hv] [--log <file>] encrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--range <start-end>]
       {PROG} [-hv] [--log <file>] decrypt [--sk <path>] [--sender_pk <path>] [--range <start-end>]
       {PROG} [-hv] [--log <file>] rearrange [--sk <path>] --range <start-end>
       {PROG} [-hv] [--log <file>] reencrypt [--sk <path>] --recipient_pk <path> [--recipient_pk <path>]... [--trim]
       -h, --help             Prints this help and exit
       -v, --version          Prints the version and exits
       --log <file>           Path to the logger file (in YML format)
       --sk <keyfile>         Curve25519-based Private key.
                            When encrypting, if neither the private key nor C4GH_SECRET_KEY are specified, we generate a new key
       --recipient_pk <path>  Recipient's Curve25519-based Public key
       --sender_pk <path>     Peer's Curve25519-based Public key to verify provenance (akin to signature)
       --range <start-end>    Byte-range either as  <start-end> or just <start> (Start included, End excluded)
       -t, --trim             Keep only header packets that you can decrypt
    Environment variables:
       C4GH_LOG         If defined, it will be used as the default logger
       C4GH_SECRET_KEY  If defined, it will be used as the default secret key (ie --sk ${C4GH_SECRET_KEY})

    You may notice that crypt4gh uses --sk option for the private key. This might seem odd but apparently, crypt4gh uses term secure key for private key, hence sk, and consequently pk refers to public key instead of the private key.

  2. Generate your public-private key pair

    You use crypt4gh-keygen command to create your private and public keys:

    $ crypt4gh-keygen --sk mykey.sec --pk
    Generating public/private Crypt4GH key pair.
    Enter passphrase for meykey.sec (empty for no passphrase): 
    Enter passphrase for mykey.sec (again): 
    Your private key has been saved in mykey.sec
    Your public key has been saved in

    where --sk mykey.sec is your private (secret, sk) key and --pk is your public key (pk). The tool will ask you to enter a password (passphrase) for your private key. For security reasons, the password is not shown when you type it, so the tool will ask you to enter it a second time to make sure you made no typing errors (or, you make the same errors twice). Please, use a strong password!


    If you lose or forget your private key, or the password to it, you will be unable to decrypt the files. Do not share your private key or your password.


    You need to create your keys only once and use them for all your encryption needs, but you can of course, choose to generate separate keys for encryption as you wish.

  3. Encrypt a file

    To encrypt files you will need the public keys of the recipients of the data. In this example we are sharing the data with two recipients: yourself and research group A. Your own public key ( was created in the previous step, and the public key of research group A ( we have received somehow (e.g. via email). To encrypt a file you use crypt4gh encrypt command:

    $ crypt4gh encrypt --recipient_pk --recipient_pk <dog.jpg >dog.jpg.c4gh

    The crypt4gh command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections: < denotes an input file and > and denotes an output file, hence <dog.jpg reads in a file called dog.jpg and >dog.jpg.c4gh writes out an encrypted file named dog.jpg.c4gh.

  4. Decrypt a file

    To decrypt a file you will need a private key which corresponds to one of the public keys used in encryption phase. Let's assume in our example that the research group A is decrypting a file you've sent them. To decrypt a file they use crypt4gh decrypt command:

    crypt4gh decrypt --sk groupA.sec <dog.jpg.c4gh >dog.jpg
    Passphrase for groupA.sec: 

    where --sk groupA.sec is a corresponding private key to one of the public keys used in the encryption. The crypt4gh command uses only standard input (stdin) and standard output (stdout) so you must use shell redirections: < denotes an input file and > and denotes an output file, hence <dog.jpg.c4gh reads in an encrypted file called dog.jpg.c4gh and >dog.jpg writes out a decrypted file named dog.jpg.

    The command will ask the user to enter the password (passphrase) of your private key. For security reasons the password is not displayed when you type it.


    In case you are decrypting the file in SD Desktop and the CSC Sensitive Data public key has been used in encryption, decryption will be done automatically, and you do not need to specify any decryption keys.

    If you need to decrypt a large number of files, please check the tutorial Decrypting all files in a directory.

Last update: May 16, 2024