lo/libsoliton
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions
Page: CLI
Pages
API Reference Audit and Testing C API CLI Formal Analysis Home Python Security Policy Specification WASM Zig
1 CLI
kamal edited this page 2026-04-02 20:50:16 +00:00
Table of Contents

CLI

Native command-line interface for post-quantum cryptographic operations. Wraps the core Rust library directly — no FFI overhead, no runtime dependencies.

Install

cargo install soliton-cli

The binary is named soliton.

Commands

soliton keygen

Generate an identity keypair (X-Wing + Ed25519 + ML-DSA-65).

soliton keygen                  # Writes identity.pk, identity.sk to current dir
soliton keygen -o keys/         # Writes to keys/ directory

Outputs the SHA3-256 fingerprint to stderr. Secret key file is created with mode 0600.

soliton fingerprint <pk>

Print the SHA3-256 fingerprint of a public key file.

soliton fingerprint identity.pk

soliton sign <sk> [file]

Hybrid sign a file (Ed25519 + ML-DSA-65). Reads stdin if no file is given.

soliton sign identity.sk message.txt              # Writes message.txt.sig
soliton sign identity.sk message.txt -o custom.sig # Custom output path
echo "hello" | soliton sign identity.sk            # Sign from stdin, sig to stdout

soliton verify <pk> <file>

Verify a hybrid signature. Exits 0 on success, 1 on failure.

soliton verify identity.pk message.txt              # Reads message.txt.sig
soliton verify identity.pk message.txt -s custom.sig # Custom sig path

soliton xwing-keygen

Generate an X-Wing keypair (for signed pre-keys or one-time pre-keys).

soliton xwing-keygen              # Writes xwing.pk, xwing.sk
soliton xwing-keygen -o keys/

soliton sign-prekey <sk> <spk_pub>

Sign a pre-key with an identity key.

soliton sign-prekey identity.sk xwing.pk            # Writes spk.sig
soliton sign-prekey identity.sk xwing.pk -o out.sig

soliton phrase <pk_a> <pk_b>

Generate a verification phrase from two public keys (6 EFF diceware words).

soliton phrase alice.pk bob.pk
# Output: "correct horse battery staple donor anxiety"

soliton encrypt

Encrypt a file or stdin with streaming AEAD (XChaCha20-Poly1305, 1 MiB chunks).

# With a key file (32 bytes)
soliton encrypt --key secret.key < plaintext > encrypted

# With a passphrase (Argon2id key derivation)
soliton encrypt --derive < plaintext > encrypted
# Prints salt to stderr — save it for decryption

# With a passphrase and explicit salt
soliton encrypt --derive --salt <hex> -o out.enc plaintext.txt

soliton decrypt

Decrypt a streaming AEAD file. Detects truncation (missing final chunk).

soliton decrypt --key secret.key < encrypted > plaintext
soliton decrypt --derive --salt <hex> -o plaintext.txt encrypted.enc

soliton argon2id

Derive key material from a passphrase via Argon2id. Generates a random salt and prints it to stderr.

soliton argon2id                                    # Defaults: 64 MiB, 3 passes, 4 lanes, 32 B
soliton argon2id -m 19456 -t 2 -p 1 -l 64          # OWASP minimum, 64-byte output

soliton version

Print the library version.

WASM Alternative

For environments without a Rust toolchain, the WASM package includes a Node-based CLI with the same commands:

bunx soliton-wasm keygen
bunx soliton-wasm sign identity.sk message.txt

See WASM for details. The native CLI is significantly faster.

Home

Documentation

Trust

Bindings

Source · docs.rs

AGPL-3.0-only · git.lo.sh/lo/libsoliton