diff --git a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptArgs.java b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptArgs.java
index d6b9306..1fd7bdc 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptArgs.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptArgs.java
@@ -28,6 +28,9 @@ public class TinyEncryptArgs {
 @CommandLine.Option(names = {"--compress"}, description = "Encrypt compress")
 boolean compress = false;
+ @CommandLine.Option(names = {"--require-sign"}, description = "Require signature when create data key")
+ boolean requireSign = false;
+
 @CommandLine.Option(names = {"-C", "--config"}, description = "Encrypt config")
 File config;
diff --git a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
index 981560a..1bb5e4e 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/TinyEncryptMain.java
@@ -200,7 +200,7 @@ public class TinyEncryptMain {
 }
 boolean result;
 if (tinyEncryptArgs.encrypt) {
- result = EncryptedFileUtil.encryptFile(config, tinyEncryptArgs.key, f, tinyEncryptArgs.compress, tinyEncryptArgs.comment);
+ result = EncryptedFileUtil.encryptFile(config, tinyEncryptArgs.key, f, tinyEncryptArgs.compress, tinyEncryptArgs.requireSign, tinyEncryptArgs.comment);
 } else {
 if (tinyEncryptArgs.showInWindow) {
 EncryptedFileUtil.decryptInWindow(config, f, tinyEncryptArgs.pgp);
diff --git a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
index c7aa165..b79a2f8 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/EncryptedFileUtil.java
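Review bot: The new `--require-sign` option defaults to `false`, which switches off the request signature that `TinyEncryptMetaUtil.create` previously always produced, so every existing invocation of the tool silently moves from signed to unsigned data-key requests unless the operator happens to discover the flag. The safe default is the old behaviour: keep signing when a local private key is configured and make the unsigned request the explicit opt-out, e.g. `@CommandLine.Option(names = {"--no-sign"}, description = "Send the KMS data key request unsigned (KMS must allow this)")` with `boolean noSign = false;`, or at minimum `boolean requireSign = true;`. The option description should also say what "off" does in practice — the client sends `skipDataKeyRequestSignVerify=true` to the KMS — because that is a request for the server to bypass verification, not a local-only setting.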
@@ -136,7 +136,7 @@ public class EncryptedFileUtil {
 }
 }
- public static boolean encryptFile(TinyEncryptConfig config, String keyName, File file, boolean compress, String comment) {
+ public static boolean encryptFile(TinyEncryptConfig config, String keyName, File file, boolean compress, boolean requireSign, String comment) {
 File encFile = getEncryptFile(file);
 if (encFile == null) {
 log.warn("Cannot encrypt .tinyenc file: " + file);
@@ -147,7 +147,7 @@ public class EncryptedFileUtil {
 return false;
 }
 try {
- TinyEncryptMeta meta = TinyEncryptMetaUtil.create(config, comment);
+ TinyEncryptMeta meta = TinyEncryptMetaUtil.create(config, comment, requireSign);
 meta.setFileLength(file.length());
 meta.setFileLastModified(file.lastModified());
 meta.setCompress(compress);
diff --git a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
index 84ae5ab..6e43b8c 100644
--- a/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
+++ b/src/main/java/me/hatter/tools/tinyencrypt/encrypt/TinyEncryptMetaUtil.java
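Review bot: `encryptFile` gains a `requireSign` parameter but nothing documents what it controls; from the signature a caller cannot tell that `false` means the KMS data-key request is sent without a signature and with a `skipDataKeyRequestSignVerify` flag, which is the behaviour the `TinyEncryptMetaUtil.create` change in this same diff introduces. Add a Javadoc line such as `@param requireSign when true the data-key request to the KMS is signed with the configured local private key (which must then be present); when false the request is sent unsigned and asks the KMS to skip signature verification`. The body of `encryptFile` continues past the end of both hunks.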
@@ -85,10 +85,13 @@ public class TinyEncryptMetaUtil {
 return Base64.getDecoder().decode(responseData.getString("dataKey"));
 }
- public static TinyEncryptMeta create(TinyEncryptConfig config, String comment) {
- requireLocalPrivateKeyPem(config);
+ public static TinyEncryptMeta create(TinyEncryptConfig config, String comment, boolean requireSignature) {
+ PrivateKey privateKey = null;
+ if (requireSignature) {
+ requireLocalPrivateKeyPem(config);
+ privateKey = KeyUtil.parsePrivateKeyPEM(config.getLocalPrivateKeyPem());
+ }
 PublicKey publicKey = KeyUtil.parsePublicKeyPEM(config.getLocalPublicKeyPem());
- PrivateKey privateKey = KeyUtil.parsePrivateKeyPEM(config.getLocalPrivateKeyPem());
 PublicKey pgpEncryptPublicKey = null;
 if (StringUtil.isNotBlank(config.getPgpEncryptPublicKeyPem())) {
 pgpEncryptPublicKey = KeyUtil.parsePublicKeyPEM(config.getPgpEncryptPublicKeyPem());
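Review bot: When `requireSignature` is false the new code never looks at `config.getLocalPrivateKeyPem()`, so an installation that has a private key configured now sends an unsigned data-key request whenever the caller passes the CLI default (`requireSign` is initialised to `false` in `TinyEncryptArgs` in this diff) — an opt-in flag that weakens authentication of data-key creation for everyone who does not set it. Sign whenever a key is available and let the flag only decide what happens when it is missing: `if (requireSignature) { requireLocalPrivateKeyPem(config); }` / `boolean haveKey = StringUtil.isNotBlank(config.getLocalPrivateKeyPem());` / `PrivateKey privateKey = haveKey ? KeyUtil.parsePrivateKeyPEM(config.getLocalPrivateKeyPem()) : null;`, which keeps the previous contract for configured deployments and makes the unsigned path something the operator has to arrange deliberately (this assumes `requireLocalPrivateKeyPem` fails when the key is absent, as its former unconditional use suggests). `create` continues past the end of this hunk.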
@@ -97,14 +100,18 @@ public class TinyEncryptMetaUtil {
 String timestamp = String.valueOf(System.currentTimeMillis());
 String toBeSigned = name + "|" + timestamp;
- Bytes sign = Signatures.sha256(privateKey).sign(toBeSigned);
+ Bytes sign = (privateKey == null) ? null : Signatures.sha256(privateKey).sign(toBeSigned);
 List keyValues = new ArrayList<>();
 keyValues.add(new HttpRequest.KeyValue("name", name));
 keyValues.add(new HttpRequest.KeyValue("timestamp", timestamp));
 keyValues.add(new HttpRequest.KeyValue("dataKeyPublicKey", KeyUtil.serializePublicKeyToPEM(publicKey)));
- keyValues.add(new HttpRequest.KeyValue("dataKeyRequestSign", sign.asBase64()));
- log.info("Get data key from kms, key name: " + name + " ...");
+ if (sign == null) {
+ keyValues.add(new HttpRequest.KeyValue("skipDataKeyRequestSignVerify", "true"));
+ } else {
+ keyValues.add(new HttpRequest.KeyValue("dataKeyRequestSign", sign.asBase64()));
+ }
+ log.info("Get data key from kms, key name: " + name + ", with sign: " + (sign != null) + " ...");
 Bytes response = HttpRequest.fromUrl(KMS_GET_DATA_KEY).post(keyValues);
 JSONObject responseObject = response.asJSON();
 if (responseObject.getIntValue("status") != 200) {
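Review bot: Sending `skipDataKeyRequestSignVerify=true` is the party being authenticated asking the verifier to skip verification; it is only acceptable if the KMS enforces its own policy (which key names may be requested unsigned, from where) regardless of the flag, and that server-side check is not part of this diff, so the reliance should at least be written down next to the new branch: `// NOTE: the KMS must decide on its own whether an unsigned request is acceptable; this flag must never be honoured by itself`. Cleaner still is to not send the flag at all and let the KMS act on the absence of `dataKeyRequestSign`, so that no client-controlled "skip" parameter exists to be misused. Two smaller points: `toBeSigned` is still built when there is nothing to sign and can move into the else branch, and the signed payload remains `name|timestamp` with no nonce, so replay resistance of signed requests rests entirely on the KMS's timestamp window — pre-existing, but worth a comment beside `toBeSigned`. The method continues past the end of this hunk.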