Command line

The bge CLI

Encrypt files and folders from your terminal — on macOS and Linux. Same files, same keys, same open format as the DotBGE apps.

View on GitHub Download a build ↗ v0.1.1 · macOS (universal) + Linux (x86_64, aarch64)

The bge command-line tool is the terminal companion to the DotBGE apps. It writes the open .bge format — RSA-4096-OAEP for sealing a file to a person, AES-256-GCM for the contents — with no servers, no accounts, and nothing to lock you in. .bge files and .bgekey identity cards round-trip with the apps for iPhone, iPad, and Mac.

Install

macOS · Homebrew
brew install --cask dotbge/tap/bge

The macOS build is a universal binary (Apple Silicon and Intel), signed with an Apple Developer ID and notarized, so it runs without Gatekeeper warnings. You can also download a .pkg or the standalone .zip from the releases page.

Linux (x86_64 or aarch64)

# download the tarball for your arch from the releases page, then:
tar xzf bge-<version>-linux-x86_64.tar.gz
sudo install bge-<version>-linux-x86_64/bge /usr/local/bin/bge
bge --version

The Linux binaries statically link the Swift runtime, so they run on any recent glibc-based distribution — no Swift install required.

Verify a download: shasum -a 256 -c SHA256SUMS (macOS) · sha256sum -c SHA256SUMS-linux (Linux).

Quick start

# 1. Make an identity key pair
bge keygen -o alice                        # → alice.pem (private) + alice.pub.pem

# 2. Encrypt for someone — only their private key can open it
bge encrypt report.pdf -r alice.pub.pem    # → report.pdf.bge

# 3. Decrypt with your private key
bge decrypt report.pdf.bge -k alice.pem    # → report.pdf

Run bge -h, or bge <command> -h, for every option. enc / dec are aliases for encrypt / decrypt.

How do I…?

The most common tasks, each as a one-liner. bge never overwrites by default — add -f only when you mean to.

Encrypt a file for someone?

You need their public key — a .pem, a .bgekey card, or a saved contact name. Only their private key can open the result.

bge encrypt report.pdf -r alice.pub.pem    # → report.pdf.bge
Encrypt to someone by name?

Save their key once, then encrypt by name. The address book lives in ~/.bge and holds public keys only.

bge contact add alice.pub.pem -n Alice
bge encrypt report.pdf -r Alice            # name is case-insensitive
Encrypt a file just for myself (a backup)?

With no recipient, bge seals the file to your own active identity — only your private key opens it.

bge identity add me.pub.pem -n Me          # once
bge encrypt taxes.pdf                       # → sealed to you
Encrypt with a password instead of keys?

Good when you can't exchange keys ahead of time — anyone with the passphrase can open it.

bge encrypt report.pdf -p                  # prompts for a passphrase
Decrypt a .bge file?
bge decrypt report.pdf.bge -k alice.pem    # identity → report.pdf
bge decrypt report.pdf.bge -p              # password file → prompts
Find out who a .bge file is for?

Keyless — reads only the public header. If the recipient is in your address book, it also prints Encrypted for: <name>.

bge inspect report.pdf.bge                 # mode, key ID, size — no key needed
Encrypt an entire folder?

Mirror the tree (browse files individually) or pack it into one archive that also hides the file names.

bge encrypt myfolder -r Alice              # → myfolder_bge/ (one .bge per file)
bge encrypt myfolder -a -r Alice           # → myfolder.zip.bge (one archive)
Bundle several files into one encrypted file?

Pass them with -abge zips and encrypts them for you; no temp folder needed.

bge encrypt a.pdf notes.txt photo.jpg -a -r Alice -o bundle.bge
bge decrypt bundle.bge -k alice.pem -x     # decrypt + unzip
Avoid leaving decrypted content on disk?

Pipe through stdin/stdout with -. Status goes to stderr, so stdout carries only data.

bge decrypt - -k alice.pem < archive.tgz.bge | tar xzf -
Run bge non-interactively in a script?

Prefer RSA keys (no prompt). For password mode, pipe the passphrase with --password-stdin — never put a secret on the command line.

printf %s "$PASSPHRASE" | bge encrypt notes.txt --password-stdin

Branch on the sysexits exit codes: 64 usage · 65 data · 66 no input · 77 can't decrypt.

Share my key so others can encrypt to me?

Wrap your public key into a .bgekey card the DotBGE apps import as a contact. No private key is read.

bge card alice.pub.pem -n "Alice"          # → Alice.bgekey
For Claude Code & AI agents

Let an agent do the encrypting

The repository ships a Claude Code skill so you can just ask — “encrypt report.pdf for Alice”, “decrypt this and summarise it” — and the agent runs bge safely, with no plaintext left lying around.

See bge for Claude Code & AI agents → — the scenarios it handles, the guardrails, and how to install the skill.

An open format, not a silo

The CLI uses file-based keys only and never stores private keys. It writes the same open .bge v3 container the apps do — documented, with test vectors, so your files outlive any single tool.

bge on GitHub Read the .bge spec ↗
How do I install the bge CLI?
On macOS: brew install --cask dotbge/tap/bge. On Linux, download the tarball for your architecture (x86_64 or aarch64) from GitHub releases and put bge on your PATH. The macOS build is a signed, notarized universal binary; the Linux builds need no Swift runtime.
Does it run on Linux?
Yes — static binaries are published for Linux on x86_64 and aarch64, alongside the macOS universal binary. They run on any recent glibc-based distro with nothing else to install.
Can I use it with Claude Code or an AI agent?
Yes. The repo ships a Claude Code skill (skills/bge-encryption) that teaches an agent to drive bge. Copy it into ~/.claude/skills/ and ask, e.g. “encrypt report.pdf for Alice.” See bge for AI agents for the full set of scenarios.
Are CLI files compatible with the DotBGE apps?
Yes. The CLI writes the same open .bge v3 format, so files and .bgekey identity cards round-trip with the apps for iPhone, iPad, and Mac.