diff --git a/src/cmd_encrypt.rs b/src/cmd_encrypt.rs
index ccd947b..969ae91 100644
--- a/src/cmd_encrypt.rs
+++ b/src/cmd_encrypt.rs
@@ -3,11 +3,13 @@ use std::path::PathBuf;
 
 use clap::Args;
 use rand::random;
+use rsa::Pkcs1v15Encrypt;
 use rust_util::{debugging, failure, opt_result, simple_error, success, XResult};
 
 use crate::config::{TinyEncryptConfig, TinyEncryptConfigEnvelop};
+use crate::crypto_rsa::parse_spki;
 use crate::spec::{EncMetadata, TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta};
-use crate::util::TINY_ENC_CONFIG_FILE;
+use crate::util::{encode_base64, TINY_ENC_CONFIG_FILE};
 
 #[derive(Debug, Args)]
 pub struct CmdEncrypt {
@@ -81,11 +83,14 @@ fn encrypt_envelop_ecdh(key: &[u8], envelop: &TinyEncryptConfigEnvelop) -> XResu
 
 
 fn encrypt_envelop_pgp(key: &[u8], envelop: &TinyEncryptConfigEnvelop) -> XResult<TinyEncryptEnvelop> {
+    let pgp_public_key = opt_result!(parse_spki(&envelop.public_part), "Parse PGP public key failed: {}");
+    let mut rng = rand::thread_rng();
+    let encrypted_key = opt_result!(pgp_public_key.encrypt(&mut rng, Pkcs1v15Encrypt, key), "PGP public key encrypt failed: {}");
     Ok(TinyEncryptEnvelop {
         r#type: envelop.r#type,
         kid: envelop.kid.clone(),
         desc: envelop.desc.clone(),
-        encrypted_key: "".to_string(), // TODO ...
+        encrypted_key: encode_base64(&encrypted_key),
     })
 }