List of commands ​

• create-account[display-name] [email] [team-id] Create an account
• add-email[email] Add an email to the account
• list-team-invitations List team invitations
• join-team[team-id] Join team by id
• list-backup-keys List new backup keys
• encrypt[input..] Encrypt files
• decrypt[input..] Decrypt files
• add-recipients[input..] Authorize new recipients to read an encrypted file
• revoke[input..] Revoke recipients from reading an encrypted file
• get-file-info[input] Get information about an encrypted file
• watch-encrypt[input] [output] Watch a folder and encrypt all files written in it into another folder
• create-backup-key[output] Create a backup key
• load-backup-key[key] Load a backup key
• get-user-info [email] [id] Get information about a user
• add-sigchain-transaction [device-id..] Add a sigchain transaction into your sigchain
• change-db-password Change the database password - only for Seald-CLI
• request-recovery [email] [id] Create a recovery request
• validate-recovery [challenge] Validate a recovery request
• verify-recovery Instantiate account after recovery
• cancel-recovery-request Delete the existing recovery request
• set-device-name Set the name of the current device
• create-group Create a group
• renew-group-key Renew group key
• add-group-members Add members to a group
• remove-group-members Remove members from a group
• set-group-admin Set admin status of a group member
• list-groups List teams groups
• list-group-members List all members of a group
• validate-email Validate an email connector already added to the account
• use-jwt Use a JSON Web Token to join a team, or to add a connector to the current user.

These commands support global options.

create-account ​

The create-account command allows you to create an account and, optionally, add an email and join a team.

seald create-account [--display-name <display_name>] [--email <email> [--email-validation <validation_token>] [--force] [--team-id <team_id>]]

seald create-account [--display-name <display_name>] [--email <email> [--email-validation <validation_token>] [--force] [--team-id <team_id>]]

Examples ​

To create an account:

seald create-account

seald create-account

To create an account with an email :

seald create-account --display-name Tim --email tim@seald.io

seald create-account --display-name Tim --email tim@seald.io

To create an account with an email, and join a team:

seald create-account -d Tim -e tim@seald.io -t 00000000-0000-0000-0000-000000000000

seald create-account -d Tim -e tim@seald.io -t 00000000-0000-0000-0000-000000000000

To create an account with an email belonging to a pre-validated domain:

seald  create-account -d Tim -e tim@seald.io --force --email-validation 69ddb1130cab76a9f4639e25b442d0358687436bccbf21a3e61bd0c1a2888246107e1cf9fd05f80d607f68fc0c8286ce06275356a01c4bd0e275f055832a5cde

seald  create-account -d Tim -e tim@seald.io --force --email-validation 69ddb1130cab76a9f4639e25b442d0358687436bccbf21a3e61bd0c1a2888246107e1cf9fd05f80d607f68fc0c8286ce06275356a01c4bd0e275f055832a5cde

Options ​

• --display-name, -d Display name of the account. If you're using only the CLI, this cannot be changed afterwards. [string] [default: "CLI Account"]
• --device-name, -n Name of this device (36 chars max) [string] [required]
• --email, -e Email address of the account. [string] [default: null]
• --email-validation Automatic email validation token created by the admin. [string] [require: email ]
• --accept-license, --accept-licence Automatically accept the licence agreement and the privacy policy. [boolean] [default: false]
• --force, -f If there is a warning, add email anyway without confirmation. [boolean] [default: null]
• --team-id, -t ID of the team you want to join. Will be ignored if email is not specified. [string] [default: null] [require: email ]
• --accept-backup-keys Automatically accept all team backup keys (requires to join a team). [boolean] [default: false]
• --disable-db-password Disable getting asked for a password on DB creation. This option is not available for the desktop application. [boolean] [default: false]
• --signup-jwt, --jwt JWT to use. [string]

add-email ​

The add-email command allows you to add an email to the account.

This operation requires to already have created an account beforehand via the create-account command.

An account requires at least one email to be used, and can have several emails.

To validate the new email, it is necessary to enter a validation code that is sent by email to the address.

If the email address is already associated with another Seald account, a confirmation will be requested. The --force option allows you to skip this confirmation.

If you are using a pre-validated domain, you can use a validation token through the --email-validation option when using the create-account and add-email commands. Using this key automatically validates the email, and adds the user to the team.

seald add-email --email <email> [--email-validation <validation_token>] [--force]

seald add-email --email <email> [--email-validation <validation_token>] [--force]

Example ​

seald add-email --email tim@seald.io
seald add-email -e tim@seald.io --email-validation <validation_token> --force

seald add-email --email tim@seald.io
seald add-email -e tim@seald.io --email-validation <validation_token> --force

Options: ​

• --email, -e Email address of the account. [string] [default: null] [required]
• --email-validation Automatic email validation token created by the admin. [string]
• --skip-validation Do not valide the email. Email will need to be validated later using the validate-email command. [boolean] [default: false]
• --force, -f If there is a warning, add email anyway without confirmation. [boolean]
• --accept-backup-keys Automatically accept all team backup keys (requires to join a team). [boolean] [default: false]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean]

list-team-invitations ​

This operation requires to already have created an account and to have added at least one email.

This operation take no arguments.

seald list-team-invitations

seald list-team-invitations

Example ​

seald list-team-invitations

Output expected:
team: <team_name>, invited by: <inviter_email>, team ID: <team_id>

seald list-team-invitations

Output expected:
team: <team_name>, invited by: <inviter_email>, team ID: <team_id>

join-team ​

The join-team command allows you to join a team by accepting an invitation.

Can only be used after account has been created with at least one email.

seald join-team --team-id <team_id>

seald join-team --team-id <team_id>

Example ​

$ seald join-team --team-id 00000000-0000-0000-0000-000000000000

$ seald join-team --team-id 00000000-0000-0000-0000-000000000000

Options ​

• --team-id, -t UUID of the team you want to join. Will be ignored if email is not specified. [string] [default: null]
• --accept-backup-keys Automatically accept all team backup keys [boolean] [default: false]

list-backup-keys ​

The list-backup-keys command allows you to list and accept newly created backup keys

Can only be used after account has been created, and has joined a team.

seald list-backup-keys --accept-backup-keys

seald list-backup-keys --accept-backup-keys

Exemple ​

$ seald list-backup-keys --accept-backup-keys

$ seald list-backup-keys --accept-backup-keys

Options ​

• --accept-backup-keys Automatically accept all team backup keys [boolean] [default: false]

encrypt ​

The encrypt command allows you to encrypt one or more files.

Can only be used after account has been created, and has joined a team. If the strict mode is enabled, recipients without Seald are forbidden.

seald encrypt [--output <output_file>] [--recipients-ids <...recipients_ids>] [--recipients-emails <...recipients_emails>] [--recipients-emails-file <recipients_emails_file>] [--force-self] --input <files_to_encrypt..>

seald encrypt [--output <output_file>] [--recipients-ids <...recipients_ids>] [--recipients-emails <...recipients_emails>] [--recipients-emails-file <recipients_emails_file>] [--force-self] --input <files_to_encrypt..>

Alias ​

• encrypt-file

Examples ​

Encrypt a file only for yourself, without asking for confirmation:

seald encrypt --input path/example.pdf --output path/example.pdf.seald --force-self

seald encrypt --input path/example.pdf --output path/example.pdf.seald --force-self

Encrypt two files for two recipients:

seald encrypt -i 'path/example.pdf' 'path/annex.pdf' --recipients-ids JqTsYFZAAuSHVGofjmsg8g fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

seald encrypt -i 'path/example.pdf' 'path/annex.pdf' --recipients-ids JqTsYFZAAuSHVGofjmsg8g fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

Recursively encrypt a folder, with clear files deleted, display a warning if file encryption has failed on some files:

seald encrypt -i path/clearFiles/ -o path/encryptedFiles/ --emails-file path/recipients.txt --recursive --remove --on-error warn

seald encrypt -i path/clearFiles/ -o path/encryptedFiles/ --emails-file path/recipients.txt --recursive --remove --on-error warn

Options ​

• --input, -i, --file, --files, -f Path of the file to encrypt. [array] [required]
• --output, -o File to write the encrypted file to. Defaults to current directory, with the same name as the clear file + .seald [string]
• --recipients-ids, --uids IDs of the recipients to add. Can be of the form UID, or UID:sigchainHash to do a check of the sigchainHash. [array] [default: []]
• --recipients-emails, --emails Emails of the recipients to add. Can be of the form user@domain.ext, or user@domain.ext:sigchainHash to do a check of the sigchainHash. For non seald users, if your team has the option activated, you can specify a phone number using the format user@domain.ext#+33612345678. [array] [default: []]
• --recipients-emails-file, --emails-file Path of the file containing the recipients' emails. [string]
• --force-self Do not ask for confirmation when you set no recipients other than yourself. [boolean]
• --recursive, -r When given a directory, recursively encrypt all files inside [boolean]
• --retries When working on multiple files and there is an error, try this number of times. [number] [default: 3]
• --on-error When working on multiple files and there is an error, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "fail"]
• --parallel When working on multiple files, run this number of tasks at the same time. [number] [default: 10]
• --remove, -R After encrypting a file, remove the clear one. When applied to a directory, also remove the directory. [boolean]
• --remove-files After encrypting a file, remove the clear one. When applied to a directory, only remove the files inside. [boolean]
• --on-same-file-name Behaviour when there is a conflict on the output file name [string] [choices: "overwrite", "error", "increment", "skip"] [default: "error"]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean]
• --progress Show progress bar. Enabled by default, use --no-progress to disable it. [boolean] [default: true]
• --encrypt-for-self Whether or not to include the current user as recipient. [boolean] [default: true]

decrypt ​

The decrypt command allows you to decrypt one or more files.

Can only be used after account has been created, and has joined a team.

seald decrypt --file <file_to_decrypt> [--output <output_directory>] [--offline-database <offline_database_path>] [--force] [--safe]

seald decrypt --file <file_to_decrypt> [--output <output_directory>] [--offline-database <offline_database_path>] [--force] [--safe]

Alias ​

• decrypt-file

Examples ​

Decrypt a file:

seald decrypt -i path/example.pdf.seald -o path/example.pdf

seald decrypt -i path/example.pdf.seald -o path/example.pdf

Decrypt a file using a key backup file:

seald decrypt -i path/example.pdf.seald -o path/example.pdf --offline-database path/backupFile.txt

seald decrypt -i path/example.pdf.seald -o path/example.pdf --offline-database path/backupFile.txt

Decrypt a folder recursively, displaying an alert if certain files cannot be decrypted:

seald decrypt -i path/encryptedFiles/ -o path/clearFiles/ --on-error warn --on-non-seald warn

seald decrypt -i path/encryptedFiles/ -o path/clearFiles/ --on-error warn --on-non-seald warn

Options ​

• --input, -i, --file, --files, -f Path of the file to decrypt. [array] [required]
• --output, --output-dir, -o File to write the clear file to. Defaults to current directory. [string]
• --offline-database, -d Offline backup of the database. [string]
• --force, -f Decrypt anyway even if there is a warning, without confirmation. Only when decrypting single files. Always true when decrypting multiple files. [array]
• --safe, -s Do not decrypt if there is a warning, without confirmation. [boolean]
• --recursive, -r When given a directory, recursively decrypt all files inside. [boolean]
• --retries When working on multiple files, and there is an error, try this number of times. [number] [default: 3]
• --on-error When working on multiple files, and there is an error, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "fail"]
• --on-non-seald When working on multiple files, and we encounter a non-seald file, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "warn"]
• --parallel When working on multiple files, run this number of tasks at the same time. [number] [default: 10]
• --remove, -R After decrypting a file, remove the encrypted one. When applied to a directory, also remove the directory. [boolean]
• --remove-files After decrypting a file, remove the encrypted one. When applied to a directory, only remove the files inside. [boolean]
• --progress Show progress bar. Enabled by default, use --no-progress to disable it. [boolean] [default: true]

add-recipients ​

The add-recipients command allows you to add recipients to an existing encrypted file.

Can only be used after account has been created, and has joined a team. If the strict mode is enabled, recipients without Seald are forbidden.

seald add-recipients [input..]

seald add-recipients [input..]

Alias ​

• authorize-recipients

Example ​

Add two users with Seald using their IDs, and two users without Seald using their email address.

seald add-recipients -i path/example.pdf.seald --uids JqTsYFZAAuSHVGofjmsg8g, fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

seald add-recipients -i path/example.pdf.seald --uids JqTsYFZAAuSHVGofjmsg8g, fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

Options ​

• --input, -f, --file, --files, -i Path of the encrypted file or files. [array] [required]
• --recipients-ids, --uids IDs of the recipients to add. Can be of the form UID, or UID:sigchainHash to do a check of the sigchainHash. [array] [default: []]
• --recipients-emails, --emails Emails of the recipients to add. Can be of the form user@domain.ext, or user@domain.ext:sigchainHash to do a check of the sigchainHash. For non seald users, if your team has the option activated, you can specify a phone number using the form user@domain.ext#+33612345678. To remove the phone number, use the format email#. [array] [default: []]
• --recipients-emails-file, --emails-file Path of the file containing the recipients' emails. [string]
• --recursive, -r When given a directory, recursively authorize all files inside. [boolean]
• --retries When working on multiple files, and there is an error, try this number of times [number] [default: 3]
• --on-error When working on multiple files, and there is an error, what is the behaviour [number] [default: 3]
• --on-non-seald When working on multiple files, and we encounter a non-Seald file, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "warn"]
• --parallel When working on multiple files, run this number of tasks at the same time. [number] [default: 10]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean]
• --progress Show progress bar. Enabled by default, use --no-progress to disable it. [boolean] [default: true]

revoke ​

The revoke command allows you to revoke recipients to an existing encrypted file.

Can only be used after account has been created, and has joined a team.

seald revoke --file <...files_path> [--revoke-emails <...emails_to_revoke>] [--revoke-emails-file <emails_list_to_revoke>] [--revoke-ids <...ids_to_revoke>]

seald revoke --file <...files_path> [--revoke-emails <...emails_to_revoke>] [--revoke-emails-file <emails_list_to_revoke>] [--revoke-ids <...ids_to_revoke>]

Exemple ​

Revoke two users with seald using their uids, and two users without Seald using their email address:

seald revoke -i path/example.pdf.seald --uids JqTsYFZAAuSHVGofjmsg8g, fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

seald revoke -i path/example.pdf.seald --uids JqTsYFZAAuSHVGofjmsg8g, fjmsg8gJqTsYFZAAuSHVGo --emails 'email@domain.tld' 'email@domain.tld'

Options ​

• --input, -f, --file, --files, -i Path of the encrypted file or files. [array] [required]
• --revoke-all, --all Revoke all recipients. [boolean]
• --revoke-others, --others Revoke everyone except this account. [boolean]
• --revoke-emails, --emails Emails of the recipients to revoke. [array]
• --revoke-emails-file, --emails-file File containing emails of the recipients to revoke. [string]
• --revoke-ids, --uids IDs of the recipients to revoke. [array]
• --recursive, -r When given a directory, recursively decrypt all files inside. [boolean]
• --retries When working on multiple files and there is an error, try this number of times. [number] [default: 3]
• --on-error When working on multiple files and there is an error, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "fail"]
• --on-non-seald When working on multiple files and we encounter a non-seald file, what is the behaviour. [string] [choices: "ignore", "warn", "fail"] [default: "warn"]
• --parallel When working on multiple files, run this number of tasks at the same time. [number] [default: 10]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean]
• --progress Show progress bar. Enabled by default, use --no-progress to disable it. [boolean] [default: true]

get-file-info ​

The get-file-info command shows information about an encrypted file. This information is:

• Recipients.
• Revoked recipients.
• Acknowledgement of reading.

Can only be used after account has been created.

seald get-file-info --file <file_path>

seald get-file-info --file <file_path>

Exemple ​

Show informations of a file:

seald get-file-info --file path/example.pdf.seald

seald get-file-info --file path/example.pdf.seald

Options ​

• --input, -f, --file, --files, -i Path of the encrypted file. [string] [required]

watch-encrypt ​

Watch a folder and encrypt all files written to it into another folder. The tree structure is preserved.

Can only be used after account has been created, and has joined a team. If the strict mode is enabled, recipients without Seald are forbidden.

seald watch-encrypt --input <input_folder_path> --output <output_folder_path> [--remove] [--existing] [--recipients-ids <...recipients_ids>] [--recipients-emails <...recipients_emails>] [--recipients-emails-file <recipients_emails_file>]

seald watch-encrypt --input <input_folder_path> --output <output_folder_path> [--remove] [--existing] [--recipients-ids <...recipients_ids>] [--recipients-emails <...recipients_emails>] [--recipients-emails-file <recipients_emails_file>]

Options ​

• --input, -i Path of the folder to watch. [string] [required]
• --output, -o Path of the folder to which to write the encrypted files. [string] [required]
• --remove, -r Remove cleartext files once encrypted. [boolean]
• --existing, -e Also encrypt already existing files. [boolean]
• --retries When there is an error, try this number of times [number] [default: 3]
• --on-error When there is an error with a file encryption or file removal that exceeded the number of retries, should the process skip this specific file and just print a warning, or should it fail. [string] [choices: "skip", "fail"] [default: "fail"]
• --recipients-ids, --uids IDs of the recipients to add. Can be of the form UID, or UID:sigchainHash to do a check of the sigchainHash. [array] [default: []]
• --recipients-emails, --emails Emails of the recipients to add. Can be of the form user@domain.ext, or user@domain.ext:sigchainHash to do a check of the sigchainHash. For non seald users, if your team has the option activated, you can specify a phone number using the format user@domain.ext#+33612345678. [array] [default: []]
• --recipients-emails-file, --emails-file path of the file containing the recipients' emails. [string]
• --ignore-files, --ignore List of anymatch glob patterns to ignore. Matches in a case-insensitive way against the file names, not full paths. Do not forget to escape special characters, to avoid them being interpreted by your shell. [array] [default: []]
• --on-same-file-name Behaviour when there is a conflict on the output file name [string] [choices: "overwrite", "error", "increment", "skip"] [default: "error"]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean]
• --poll-interval Time to wait (in milliseconds) between checks of the file-system. [number] [default: 10000]
• --stable-time Time to wait (in milliseconds) between checks of a single file to see if it is still being written or not. [number] [default: 500]
• --method, -m, --watch-method Method to use to watch the input folder. Chokidar is the fastest and most CPU efficient, but in some cases other methods could be more reliable. [required] [choices: "chokidar", "chokidar-poll", "list", "checksum"] [default: "chokidar"]
• --parallel When working on multiple files, run this number of tasks at the same time (only for chokidar). [number] [default: 10]
• --encrypt-for-self Whether or not to include the current user as recipient. [boolean] [default: true]

Example ​

seald watch-encrypt -i input/path/ -o output/path/ -r -e --uids 'JqTsYFZAAuSHVGofjmsg8g' --on-same-file-name=increment

seald watch-encrypt -i input/path/ -o output/path/ -r -e --uids 'JqTsYFZAAuSHVGofjmsg8g' --on-same-file-name=increment

create-backup-key ​

Create a backup key.

Can only be used after account has been created, and has joined a team.

seald create-backup-key [--device-name <device_name>] [--output <output_file>]

seald create-backup-key [--device-name <device_name>] [--output <output_file>]

Options ​

• --output, -o File to which to output the created key. [string] [default: "./seald-cli-backup.seald_key"]
• --device-name, -n Name of the backup device. [string] [default: null]
• --key-password, -p Password to encrypt the key export. Empty string to export an unprotected key. If not specified, the CLI will ask for it later. [string]

Example ​

seald create-backup-key -o path/my-backup-key.seald_key -n my-backup-key

seald create-backup-key -o path/my-backup-key.seald_key -n my-backup-key

load-backup-key ​

Load a backup key.

Can only be used when no account has been created.

seald load-backup-key --key <key_file> [--offline]

seald load-backup-key --key <key_file> [--offline]

Options ​

• --key, -k File from which to load the backup key. [string] [required]
• --offline Do not try loading account data online after loading the key. [boolean]
• --disable-db-password Disable getting asked for a password on DB creation. This option is not available for the desktop application. [boolean] [default: false]
• --key-password, -p Password used to encrypt the exported key. If not specified, the CLI will ask for it later. [string]

Example ​

seald load-backup-key --key path/my-backup-key.seald_key --offline

seald load-backup-key --key path/my-backup-key.seald_key --offline

get-user-info ​

The get-user-info command shows information about a user. This information is:

• User's display name.
• User's id.
• Hash of its last sigchain block.
• Validity of its sigchain.
• User's known emails addresses.

If no arguments are provided, the command returns the information of the account used.

Can only be used after account has been created, and has joined a team.

seald get-user-info [--email email] [--id user-id]

seald get-user-info [--email email] [--id user-id]

Options ​

• --email, -e Email of the user about whom you want information. [string]
• --id, -id ID of the user about whom you want information. [string]

Exemple ​

Show informations of a user:

seald get-user-info --id G4ChkDGZR0eugk7z1TDwBA
seald get-user-info --email accountEmail-1@seald.io

Output expected:
User informations:
Display name: accountName
User id: G4ChkDGZR0eugk7z1TDwBA
Sigchain hash: ab5c744bff8e537fca62cdb2ef9c966cfda93c579b4113933e04dd245f9f7d4c
Sigchain is valid: true
Known email addresses:
  - accountEmail-1@seald.io
  - accountEmail-2@seald.io

seald get-user-info --id G4ChkDGZR0eugk7z1TDwBA
seald get-user-info --email accountEmail-1@seald.io

Output expected:
User informations:
Display name: accountName
User id: G4ChkDGZR0eugk7z1TDwBA
Sigchain hash: ab5c744bff8e537fca62cdb2ef9c966cfda93c579b4113933e04dd245f9f7d4c
Sigchain is valid: true
Known email addresses:
  - accountEmail-1@seald.io
  - accountEmail-2@seald.io

add-sigchain-transaction ​

The add-sigchain-transaction allow to manualy add a transaction to recover your sigchain from a bad state.

Can only be used after account has been created, and has joined a team.

seald add-sigchain-transaction [--type email] [--device-id device-id] [--created-at] [--expire-after] [--encryption-key-hash] [--encryption-key-b64] [--signing-key-hash] [--signing-key-b64] [--signer-key-hash] [--signer-key-b64] [--verify-sigchain]

seald add-sigchain-transaction [--type email] [--device-id device-id] [--created-at] [--expire-after] [--encryption-key-hash] [--encryption-key-b64] [--signing-key-hash] [--signing-key-b64] [--signer-key-hash] [--signer-key-b64] [--verify-sigchain]

Options ​

• --type, -t Type of the sigchain operation [string] [required] [choices: "creation", "revocation", "renewal"]
• --device-id, -d DeviceID of the sigchain operation [string] [required]
• --created-at, -c Timestamp of the transaction as standard UNIX timestamp. Defaults to now. [number]
• --expire-after, -a For key creations & renewals, duration in seconds during which they remain valid. Defaults to 3 years. [number]
• --encryption-key-hash, -e Hash of the operationEncryptionKey. It must be the current encryptionKey of one of the user's devices. Otherwise, use the encryption-key argument. [string]
• --encryption-key-b64 Full operationEncryptionKey to use, in Base64 format. [string]
• --signing-key-hash, -s Hash of the operationSigningKey. It must be the current signingKey of one of the user's devices. Otherwise, use the signing-key argument. [string]
• --signing-key-b64 Full operationSigningKey to use, in Base64 format. [string]
• --signer-key-hash, -S Hash of the signingKey with which to sign the operation. It must be this device's signingKey, or one of its old signing keys. Otherwise, use the signer-key argument. Defaults to the device's current signing key. [string]
• --signer-key-b64 Full signingKey with which to sign the operation to use, in Base64 format. [string]
• --verify-sigchain When adding the transaction, whether the server should verify that this transaction makes the sigchain valid, or not. [boolean] [default: true]

change-db-password ​

The change-db-password command can be used to set, change, or delete the database password.

This command is not available for the desktop application.

If a password is set, all the subsequent commands will need this password to be repeated.

Can only be used after database has been created.

seald change-db-password

seald change-db-password

request-recovery ​

The request-recovery command can be used to create an account recovery request.

Can only be used when no account has been created.

seald request-recovery [email] [user-id] [device-name]

seald request-recovery [email] [user-id] [device-name]

Options ​

• --email, -e Email of the account to recover [string] [required]
• --user-id Id of the account to recover [string]
• --device-name Name of the current device [string]
• --skip-validation Do not interactively await the validation code send by mail. You can validate it later using the validate-recovery command. [boolean] [default: false]

validate-recovery ​

The validate-recovery command can be used to validate an account recovery request

Can only be used when a recovery request has been created.

seald validate-recovery [challenge]

seald validate-recovery [challenge]

Options ​

• --challenge, -c Challenge sent by mail. Must be in the form 0000-0000 [string] [required]

verify-recovery ​

Instantiate a recovered account

Can only be used when a recovery request has been created, validated, and accepted by a team administrator.

seald verify-recovery

seald verify-recovery

cancel-recovery-request ​

Delete the existing recovery request

Can only be used when a recovery request has been created.

seald cancel-recovery-request

seald cancel-recovery-request

set-device-name ​

Set the name of the current device

Can only be used after account has been created.

seald set-device-name [device-name]

seald set-device-name [device-name]

Options ​

• --device-name, -n Name of this device (36 chars max) [string] [required]

create-group ​

Create a group.

Can only be used after account has been created.

seald create-group [group-name] [members-emails] [admins-emails]

seald create-group [group-name] [members-emails] [admins-emails]

Options ​

• --group-name, -n Name of the group [string] [required]
• --members-emails, --emails Emails of the group members. It must include yourself. [array]
• --members-ids, --uids IDs of the group members. It must include yourself. [array]
• --members-emails-file, --emails-file File containing emails of the group members. [string]
• --admins-emails Emails of the group administrators. Administrators must also be members. It must include yourself. [array]
• --admins-ids IDs of the group administrators. Administrators must also be members. It must include yourself. [array]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean] [default: null]

renew-group-key ​

Renew group key.

Can only be used after account has been created.

seald renew-group-key [group-id]

seald renew-group-key [group-id]

Options ​

• --group-id, --gid ID of the group [string] [required]

add-group-members ​

Add members to a group.

Can only be used after account has been created.

seald add-group-members [group-id] [new-members-emails]

seald add-group-members [group-id] [new-members-emails]

Options ​

• --group-id, --gid ID of the group [string] [required]
• --new-members-emails, --emails Emails of the group members to add. [array]
• --new-members-ids, --uids IDs of the group members to add. [array]
• --new-members-emails-file, --emails-file File containing emails of the group members to add. [string]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean] [default: null]

remove-group-members ​

Remove members from a group.
After removing a user, you should renew group keys.

Can only be used after account has been created.

seald remove-group-members [group-id] [members-to-remove-emails]

seald remove-group-members [group-id] [members-to-remove-emails]

Options ​

• --group-id, --gid ID of the group [string] [required]
• --members-to-remove-emails, --emails Emails of the group members to remove. [array]
• --members-to-remove-ids, --uids IDs of the group members to remove. [array]
• --members-to-remove-emails-file, --emails-file File containing emails of the group members to remove. [string]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean] [default: null]

set-group-admin ​

Set admin status of a group member. Can only be done by group admin.

Can only be used after account has been created.

seald set-group-admin [group-id] [member-email] [--new-status]

seald set-group-admin [group-id] [member-email] [--new-status]

Options ​

• --group-id, --gid ID of the group [string] [required]
• --member-email, --email Email of the group member to set admin status. [string]
• --member-id, --uid ID of the group member to set admin status. [string]
• --new-status, -s Status to set [boolean] [required]
• --auto-accept-contacts Whether or not to ask confirmation for new contacts. Defaults to demanding confirmation in strict mode, and not demanding it in non-strict mode. [boolean] [default: null]

list-groups ​

List teams groups.

Can only be used after account has been created.

seald list-groups

seald list-groups

Options ​

• --page, -p groups are listed by pages of 10 [number]
• --mine, -m Shows only the groups of which the user is a member [boolean]
• --all, -a List all group pages at once [boolean]

list-group-members ​

List all members of a group.

Can only be used after account has been created.

seald list-group-members [group-id]

seald list-group-members [group-id]

Options ​

• --group-id, --gid ID of the group [string] [required]

validate-email ​

Validate an email connector already added to the account

Can only be used after account has been created.

seald validate-email [email] [code]

seald validate-email [email] [code]

Options ​

• --email, -e Email address to validate. You must specify either email or email-connector-id. [string]
• --email-connector-id, --id ID of the email connector to validate. You must specify either email or email-connector-id. [string]
• --validation-code, --code Validation code sent to the email address. [string] [required]

use-jwt ​

Use a JSON Web Token to join a team, or to add a connector to the current user.

Can only be used after account has been created.

seald use-jwt

seald use-jwt

Options ​

• --jwt JWT to use [string] [required]
• --accept-backup-keys Automatically accept all team backup keys (only if the JWT adds you to a team) [boolean]

Global options ​

Help ​

To show the help, use the argument --help.

To show the version number, use the argument--version.

Log and debugging options ​

Three log levels are available by adding one of the following arguments:

• --verbose, -v Show logs. [default]
• --silly Show a lot of logs.
• --silent Show as little logs as possible.

Proxy ​

If Seald-CLI is running on a computer that has to connect through a proxy to access the internet, you can specify the URL of the proxy with the argument --proxy <url>.

Advanced options ​

These options are not available for the desktop application.

• --seald-dir Path of the seald-cli directory. [string] [default: "$HOME/.seald-cli"]
• --key-size Size of the private keys to generate, in bites. [number] [choices: 1024, 2048, 4096] [default: 4096]
• --strict-mode Enable strict mode. You will lose some features, but it will be more secure. [boolean] [default: false]
• --disable-error-reports Disable reporting of errors to Seald. [boolean] [default: false]
• --issuer-fingerprint Fingerprint of the certificate of the issuer of the API server's certificate. Multiple certificates can be comma-separated. [string] [default: "67:AD:D1:16:6B:02:0A:E6:1B:8F:5F:C9:68:13:C0:4C:2A:A5:89:96:07:96:86:55:72:A3:C7:E7:37:61:3D:FD,73:0C:1B:DC:D8:5F:57:CE:5D:C0:BB:A7:33:E5:F1:BA:5A:92:5B:2A:77:1D:64:0A:26:F7:A4:54:22:4D:AD:3B,46:49:4E:30:37:90:59:DF:18:BE:52:12:43:05:E6:06:FC:59:07:0E:5B:21:07:6C:E1:13:95:4B:60:51:7C:DA,1A:07:52:9A:8B:3F:01:D2:31:DF:AD:2A:BD:F7:18:99:20:0B:B6:5C:D7:E0:3C:59:FA:82:27:25:33:35:5B:74,5A:8F:16:FD:A4:48:D7:83:48:1C:CA:57:A2:42:8D:17:4D:AD:8C:60:94:3C:EB:28:F6:61:AE:31:FD:39:A5:FA,BA:CD:E0:46:30:53:CE:1D:62:F8:BE:74:37:0B:BA:E7:9D:4F:CA:F1:9F:C0:76:43:AE:F1:95:E6:A5:9B:D5:78,73:1D:3D:9C:FA:A0:61:48:7A:1D:71:44:5A:42:F6:7D:F0:AF:CA:2A:6C:2D:2F:98:FF:7B:3C:E1:12:B1:F5:68,25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D"]
• --decrypt-url URL of the Seald decrypt server. [string] [default: "https://decrypt.seald.io/"]
• --api-url URL of the Seald API server. [string] [default: "https://api.seald.io/"]