HOW TO: Create Self Decrypting Archives (SDAs) with PGP Command Line

Article:TECH149019  |  Created: 2007-06-18  |  Updated: 2014-10-29  |  Article URL
Article Type
Technical Solution


PGP Command Line allows encrypting a file with a passphrase and decryption using the same passphrase. This answer provides instructions for creating a Self Decrypting Archive.


Note: This answer pertains to PGP Command Line 8.5 and above running in any supported operating system.




Creating Self Decrypting Archives (SDAs) with PGP Command Line

In order to create an SDA, use the following command:

pgp -e "file to encrypt" --sda --symmetric-passphrase "Enter Passphrase Here" -o "filename to output" --target-platform win32*

*Specify the target operating system: LINUX, SOLARIS, AIX, HPUX, OSX

When encrypting with platforms other than Win32, it will be necessary to specify the output without an extension as the default extension will be .exe and will only work with Windows Operating Systems.

For example, Mac OS will need to be specified without any extensions because decryption will occur using Terminal.


Caution: The PGP Self-Decrypting functionality is potentially less secure than encrypting with recipients' keys (although still highly secure) as the encryption is only as good as the passphrase being used and the method used to give the passphrase to the recipient. Email should not be used to send the passphrase to the recipient. Because only a passphrase is needed to decrypt, these types of files can be sent to those who do not have PGP installed.



Creating Self Decrypting Archives (SDAs) using an Additional Decryption Key (ADK)

PGP Command Line allows the use of Additional Decryption Keys when creating Self Decrypting Archives. This functionality is only available by using PGP Command Line so if the passphrase is lost or forgotten, the ADK can also decrypt the SDA.

To create a Self Decrypting Archive using the Additional Decryption Key, type the following command:

pgp -e sda.txt --sda --symmetric-passphrase "passphrase for SDA" -o sda.exe --adk "ADK Here"

To decrypt the file using the ADK type the following command:

pgp --decrypt sda.exe --passphrase "Passphrase of ADK here"


Note: To decrypt the Self Decrypting Archive with the Additional Decryption Key, PGP Command Line 9.0.x or above must be used.

By default, Self Decrypting Archives in PGP Command Line default to  using AES-256, unless the --cipher option is used in the command. Other ciphers such as --3des, --aes128, --aes192, --aes256 can be used, however keep in mind the encryption is only as good as the passphrase.

*PGP Desktop defaults to  using CAST5 which use 128-bits.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices