Documentation

Complete CLI reference for QNSQY. Commands, options, and usage examples.

Binary Name

All tiers use a single binary:

qnsqy Unified binary for all tiers — Features unlock based on license

Encrypted files use the .qs extension. Command availability depends on your active license tier.

Global Options

These options are available for all commands:

-h, --help Print help information
-V, --version Print version information
--require-sandbox-enforced Exit if OS sandbox (Landlock/Pledge) is unavailable

Quick Start

# Encrypt a file
$ qnsqy encrypt -i secret.pdf
# Output: secret.pdf.qs

# Decrypt a file
$ qnsqy decrypt -i secret.pdf.qs
# Output: secret.pdf

# Securely delete original
$ qnsqy shred secret.pdf
# File overwritten and deleted

Commands by Tier

Command availability depends on your license tier:

Command Free Pro Enterprise
encrypt
decrypt
shred
version
keygen
key-import
key-export
audit
sign
verify
rekey

Command Reference

encrypt All tiers

Encrypts a file using hybrid ML-KEM + X25519 key encapsulation and AES-256-GCM or XChaCha20-Poly1305 authenticated encryption. Password is derived using Argon2id.

qnsqy encrypt -i <input> [-o <output>] [options]
-i, --input <FILE> Input file to encrypt (required)
-o, --output <FILE> Output file (default: input.qs)
-z, --compress Enable zstd compression before encryption
-f, --force Overwrite existing output file
--algorithm <ALG> aes-256-gcm (default) or xchacha20-poly1305
--argon2-memory <KB> Argon2id memory parameter in KB
--argon2-iterations <N> Argon2id time/iterations parameter
--argon2-parallelism <N> Argon2id parallelism parameter
decrypt All tiers

Decrypts a .qs file. Automatically verifies BLAKE3 integrity. Fails if file has been tampered with.

qnsqy decrypt -i <input> [-o <output>] [-f]
-i, --input <FILE> Input .qs file to decrypt (required)
-o, --output <FILE> Output file (default: removes .qs extension)
-f, --force Overwrite existing output file
shred All tiers

Securely deletes a file by overwriting it multiple times before removal. Makes forensic recovery extremely difficult.

qnsqy shred <FILE> [-p <passes>] [-f]
<FILE> File to securely delete (required)
-p, --passes <N> Number of overwrite passes (default: 3)
-f, --force Skip confirmation prompt
version All tiers

Displays version info, active tier, supported algorithms, and post-quantum readiness status.

qnsqy version
keygen Pro+

Generates a new ML-DSA (Dilithium) signing keypair. Creates both public (.pub) and private key files.

qnsqy keygen -o <name> [--algorithm <alg>]
-o, --output <NAME> Base name for key files (required)
--algorithm <ALG> ml-dsa-44, ml-dsa-65, or ml-dsa-87 (default)

ML-DSA-44 = NIST Level 2, ML-DSA-65 = Level 3, ML-DSA-87 = Level 5

key-import Pro+

Imports a public key file into the local keyring for signature verification.

qnsqy key-import -f <file> -n <name>
-f, --file <FILE> Path to public key file (required)
-n, --name <NAME> Friendly name for the key (required)
key-export Pro+

Exports your public key to a file for sharing with others.

qnsqy key-export -f <keyfile> -o <output>
-f, --file <FILE> Your public key file (required)
-o, --output <FILE> Output path for exported key (required)
audit Pro+

View the local operation audit log. Shows all encrypt, decrypt, sign, and verify operations with timestamps.

qnsqy audit [--security-only] [--since <date>]
--security-only Show only security-relevant events (failures, tampering)
--since <DATE> Filter events from date (YYYY-MM-DD)
sign Enterprise

Signs a file using your ML-DSA private key. Creates a detached .sig signature file.

qnsqy sign -i <file> -k <key> [-o <output>]
-i, --input <FILE> File to sign (required)
-k, --key <FILE> Private key file (required)
-o, --output <FILE> Output signature file (default: input.sig)
verify Enterprise

Verifies a detached signature against a file using the signer's public key.

qnsqy verify -i <file> -s <signature> -k <pubkey>
-i, --input <FILE> Original file to verify (required)
-s, --signature <FILE> Signature file (required)
-k, --key <FILE> Signer's public key (required)
rekey Enterprise

Changes the password on an encrypted file without re-encrypting the entire file. Instant operation regardless of file size.

qnsqy rekey -f <FILE>
-f, --file <FILE> Encrypted .qs file to rekey (required)

Usage Examples

Basic Encryption Workflow

# Encrypt a document
$ qnsqy encrypt -i contract.pdf
Enter password: ********
Confirm password: ********
✓ Encrypted: contract.pdf.qs

# Securely delete the original
$ qnsqy shred contract.pdf
⚠ This will permanently destroy: contract.pdf
Confirm? [y/N]: y
✓ Securely deleted: contract.pdf

# Later: decrypt when needed
$ qnsqy decrypt -i contract.pdf.qs
Enter password: ********
✓ Decrypted: contract.pdf

Encrypting with Compression

# Large text-based files compress well with zstd
$ qnsqy encrypt -i database.sql -z
Enter password: ********
Confirm password: ********
⟳ Compressing with zstd...
⟳ Encrypting with AES-256-GCM...
✓ Encrypted: database.sql.qs

Key Management (Pro+)

# Generate a signing keypair (ML-DSA-87 = NIST Level 5)
$ qnsqy keygen -o mykey --algorithm ml-dsa-87
⟳ Generating ML-DSA-87 keypair...
✓ Private key: mykey
✓ Public key: mykey.pub

# Export public key to share
$ qnsqy key-export -f mykey.pub -o share-with-team.pub

# Import a colleague's public key
$ qnsqy key-import -f colleague.pub -n "Alice"
✓ Imported: Alice (ML-DSA-87)

Signing & Verification (Enterprise)

# Sign a release artifact
$ qnsqy sign -i release.tar.gz -k mykey
Enter password: ********
✓ Signed: release.tar.gz.sig

# Verify a signed file
$ qnsqy verify -i release.tar.gz -s release.tar.gz.sig -k author.pub
✓ Signature valid (ML-DSA-87)

Custom Argon2 Parameters (Enterprise)

# Maximum security: 1GB memory, 10 iterations
$ qnsqy encrypt -i secrets.tar \
    --argon2-memory 1048576 \
    --argon2-iterations 10 \
    --argon2-parallelism 8

# Use XChaCha20-Poly1305 cipher (available on all tiers)
$ qnsqy encrypt -i data.bin --algorithm xchacha20-poly1305

# Change password without re-encryption (Enterprise only)
$ qnsqy rekey -f secrets.tar.qs
Enter current password: ********
Enter new password: ********
Confirm new password: ********
✓ Password changed.

View Audit Log (Pro+)

# View all operations
$ qnsqy audit
2025-01-15 09:23:41  ENCRYPT  contract.pdf
2025-01-15 09:24:02  SHRED    contract.pdf
2025-01-15 14:30:11  DECRYPT  contract.pdf.qs

# View only security events from last week
$ qnsqy audit --security-only --since 2025-01-08

Argon2id Tier Defaults

Password-based key derivation uses Argon2id with tier-specific defaults:

Parameter Free Pro Enterprise
Memory 128 MB 256 MB 512 MB (configurable)
Iterations 3 4 6 (configurable)
Parallelism 4 4 8 (configurable)

Enterprise users can override these using --argon2-memory, --argon2-iterations, and --argon2-parallelism flags.

File Size Limits

Maximum file size varies by tier:

Tier Max File Size
Free 1 GB
Pro 10 GB
Enterprise Unlimited

File Format

Encrypted files use the .qs extension. The format includes:

  • Format version identifier (v6.0)
  • Argon2id parameters (salt, memory, iterations, parallelism)
  • Hybrid ML-KEM-1024 + X25519 encapsulated key
  • AES-256-GCM or XChaCha20-Poly1305 nonce
  • Encrypted data with AEAD authentication tag
  • BLAKE3 integrity hash

Files encrypted with any tier can be decrypted by any other tier. The format is forward-compatible.

Common Error Messages

Invalid password Wrong password entered. Re-try with correct password.
BLAKE3 integrity check failed File has been modified or corrupted. Cannot decrypt.
File too large for tier File exceeds your tier's limit (Free: 1GB, Pro: 10GB). Upgrade for larger files.
Output file exists Use -f flag to overwrite, or specify different output path.
Unknown file format File is not a valid .qs encrypted file.
Command not available in tier This command requires Pro or Enterprise tier. Run qnsqy version to see your tier.
Sandbox not enforced OS sandbox (Landlock/Pledge) unavailable. Remove --require-sandbox-enforced or upgrade kernel.

Questions?

Check the FAQ or contact support.

View FAQ Contact Support