feat: v1.9.20, simple-encrypt/simple-decrypt support iterations

feat: update gpg
feat: v1.9.18
2026-01-01 21:16:10 +08:00 · 2025-12-28 20:45:45 +08:00 · 2025-12-28 20:18:39 +08:00 · 2025-10-18 14:45:50 +08:00 · 2025-10-18 14:32:06 +08:00 · 2025-10-17 19:20:41 +08:00
22 changed files with 520 additions and 257 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -43,9 +43,9 @@ dependencies = [

 [[package]]
 name = "anstream"
-version = "0.6.20"
+version = "0.6.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ae563653d1938f79b1ab1b5e668c87c76a9930414574a6583a7b7e11a8e6192"
+checksum = "43d5b281e737544384e969a5ccad3f1cdd24b48086a0fc1b2a5262a26b8f4f4a"
 dependencies = [
 "anstyle",
 "anstyle-parse",
@@ -58,9 +58,9 @@ dependencies = [

 [[package]]
 name = "anstyle"
-version = "1.0.11"
+version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd"
+checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78"

 [[package]]
 name = "anstyle-parse"
@@ -103,8 +103,8 @@ dependencies = [
 "nom",
 "num-traits",
 "rusticata-macros",
- "thiserror 2.0.16",
- "time 0.3.43",
+ "thiserror 2.0.17",
+ "time 0.3.44",
 ]

 [[package]]
@@ -206,9 +206,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"

 [[package]]
 name = "cc"
-version = "1.2.37"
+version = "1.2.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
+checksum = "ac9fe6cdbb24b6ade63616c0a0688e45bb56732262c158df3c0c4bea4ca47cb7"
 dependencies = [
 "find-msvc-tools",
 "jobserver",
@@ -248,7 +248,7 @@ dependencies = [
 "js-sys",
 "num-traits",
 "wasm-bindgen",
- "windows-link 0.2.0",
+ "windows-link",
 ]

 [[package]]
@@ -263,9 +263,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.47"
+version = "4.5.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7eac00902d9d136acd712710d71823fb8ac8004ca445a89e73a41d45aa712931"
+checksum = "f4512b90fa68d3a9932cea5184017c5d200f5921df706d45e853537dea51508f"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -273,9 +273,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.47"
+version = "4.5.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ad9bbf750e73b5884fb8a211a9424a1906c1e156724260fdae972f31d70e1d6"
+checksum = "0025e98baa12e766c67ba13ff4695a887a1eba19569aad00a472546795bd6730"
 dependencies = [
 "anstream",
 "anstyle",
@@ -285,9 +285,9 @@ dependencies = [

 [[package]]
 name = "clap_derive"
-version = "4.5.47"
+version = "4.5.49"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbfd7eae0b0f1a6e63d4b13c9c478de77c2eb546fba158ad50b4203dc24b9f9c"
+checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
 dependencies = [
 "heck",
 "proc-macro2",
@@ -297,9 +297,9 @@ dependencies = [

 [[package]]
 name = "clap_lex"
-version = "0.7.5"
+version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b94f61472cee1439c0b966b47e3aca9ae07e45d070759512cd390ea2bebc6675"
+checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d"

 [[package]]
 name = "colorchoice"
@@ -330,7 +330,7 @@ dependencies = [
 "libc",
 "once_cell",
 "unicode-width",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -409,7 +409,7 @@ checksum = "881c5d0a13b2f1498e2306e82cbada78390e152d4b1378fb28a84f4dcd0dc4f3"
 dependencies = [
 "dispatch",
 "nix",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -484,9 +484,9 @@ dependencies = [

 [[package]]
 name = "deranged"
-version = "0.5.3"
+version = "0.5.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d630bccd429a5bb5a64b5e94f693bfc48c9f8566418fda4c494cc94f911f87cc"
+checksum = "a41953f86f8a05768a6cda24def994fd2f424b04ec5c719cf89989779f199071"
 dependencies = [
 "powerfmt",
 ]
@@ -623,7 +623,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -663,9 +663,9 @@ checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"

 [[package]]
 name = "find-msvc-tools"
-version = "0.1.1"
+version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
+checksum = "52051878f80a721bb68ebfbc930e07b65ba72f2da88968ea5c06fd6ca3d3a127"

 [[package]]
 name = "flagset"
@@ -675,9 +675,9 @@ checksum = "b7ac824320a75a52197e8f2d787f6a38b6718bb6897a35142d749af3c0e8f4fe"

 [[package]]
 name = "flate2"
-version = "1.1.2"
+version = "1.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a3d7db9596fecd151c5f638c0ee5d5bd487b6e0ea232e5dc96d5250f6f94b1d"
+checksum = "dc5a4e564e38c699f2880d3fda590bedc2e69f3f84cd48b457bd892ce61d0aa9"
 dependencies = [
 "crc32fast",
 "miniz_oxide",
@@ -714,9 +714,9 @@ checksum = "8f5f3913fa0bfe7ee1fd8248b6b9f42a5af4b9d65ec2dd2c3c26132b950ecfc2"

 [[package]]
 name = "generic-array"
-version = "0.14.7"
+version = "0.14.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+checksum = "4bb6743198531e02858aeaea5398fcc883e71851fcbcb5a2f773e2fb6cb1edf2"
 dependencies = [
 "typenum",
 "version_check",
@@ -743,7 +743,7 @@ dependencies = [
 "cfg-if",
 "libc",
 "r-efi",
- "wasi 0.14.5+wasi-0.2.4",
+ "wasi 0.14.7+wasi-0.2.4",
 ]

 [[package]]
@@ -818,6 +818,15 @@ dependencies = [
 "windows-sys 0.59.0",
 ]

+[[package]]
+name = "hybrid-array"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2d35805454dc9f8662a98d6d61886ffe26bd465f5960e0e55345c70d5c0d2a9"
+dependencies = [
+ "typenum",
+]
+
 [[package]]
 name = "iana-time-zone"
 version = "0.1.64"
@@ -903,9 +912,9 @@ dependencies = [

 [[package]]
 name = "js-sys"
-version = "0.3.78"
+version = "0.3.81"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c0b063578492ceec17683ef2f8c5e89121fbd0b172cbc280635ab7567db2738"
+checksum = "ec48937a97411dcb524a265206ccd4c90bb711fca92b2792c407f268825b9305"
 dependencies = [
 "once_cell",
 "wasm-bindgen",
@@ -922,6 +931,25 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "keccak"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+dependencies = [
+ "cpufeatures",
+]
+
+[[package]]
+name = "kem"
+version = "0.3.0-pre.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b8645470337db67b01a7f966decf7d0bafedbae74147d33e641c67a91df239f"
+dependencies = [
+ "rand_core 0.6.4",
+ "zeroize",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -933,9 +961,9 @@ dependencies = [

 [[package]]
 name = "libc"
-version = "0.2.175"
+version = "0.2.177"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"
+checksum = "2874a2af47a2325c2001a6e6fad9b16a53b802102b528163885171cf92b15976"

 [[package]]
 name = "libm"
@@ -945,9 +973,9 @@ checksum = "f9fbbcab51052fe104eb5e5d351cf728d30a5be1fe14d9be8a3b097481fb97de"

 [[package]]
 name = "libredox"
-version = "0.1.9"
+version = "0.1.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "391290121bad3d37fbddad76d8f5d1c1c314cfc646d143d7e07a3086ddff0ce3"
+checksum = "416f7e718bdb06000964960ffa43b4335ad4012ae8b99060261aa4a8088d5ccb"
 dependencies = [
 "bitflags",
 "libc",
@@ -973,9 +1001,9 @@ checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"

 [[package]]
 name = "memchr"
-version = "2.7.5"
+version = "2.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0"
+checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273"

 [[package]]
 name = "minimal-lexical"
@@ -990,6 +1018,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
 dependencies = [
 "adler2",
+ "simd-adler32",
+]
+
+[[package]]
+name = "ml-kem"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97befee0c869cb56f3118f49d0f9bb68c9e3f380dec23c1100aedc4ec3ba239a"
+dependencies = [
+ "hybrid-array",
+ "kem",
+ "rand_core 0.6.4",
+ "sha3",
+ "zeroize",
 ]

 [[package]]
@@ -1212,20 +1254,19 @@ checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"

 [[package]]
 name = "pest"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "21e0a3a33733faeaf8651dfee72dd0f388f0c8e5ad496a3478fa5a922f49cfa8"
+checksum = "989e7521a040efde50c3ab6bbadafbe15ab6dc042686926be59ac35d74607df4"
 dependencies = [
 "memchr",
- "thiserror 2.0.16",
 "ucd-trie",
 ]

 [[package]]
 name = "pest_derive"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bc58706f770acb1dbd0973e6530a3cff4746fb721207feb3a8a6064cd0b6c663"
+checksum = "187da9a3030dbafabbbfb20cb323b976dc7b7ce91fcd84f2f74d6e31d378e2de"
 dependencies = [
 "pest",
 "pest_generator",
@@ -1233,9 +1274,9 @@ dependencies = [

 [[package]]
 name = "pest_generator"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d4f36811dfe07f7b8573462465d5cb8965fffc2e71ae377a33aecf14c2c9a2f"
+checksum = "49b401d98f5757ebe97a26085998d6c0eecec4995cad6ab7fc30ffdf4b052843"
 dependencies = [
 "pest",
 "pest_meta",
@@ -1246,9 +1287,9 @@ dependencies = [

 [[package]]
 name = "pest_meta"
-version = "2.8.2"
+version = "2.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42919b05089acbd0a5dcd5405fb304d17d1053847b81163d09c4ad18ce8e8420"
+checksum = "72f27a2cfee9f9039c4d86faa5af122a0ac3851441a34865b8a043b46be0065a"
 dependencies = [
 "pest",
 "sha2",
@@ -1407,9 +1448,9 @@ checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0"

 [[package]]
 name = "quote"
-version = "1.0.40"
+version = "1.0.41"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
+checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
 dependencies = [
 "proc-macro2",
 ]
@@ -1627,7 +1668,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys 0.11.0",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -1676,9 +1717,9 @@ dependencies = [

 [[package]]
 name = "security-framework"
-version = "3.4.0"
+version = "3.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b369d18893388b345804dc0007963c99b7d665ae71d275812d828c6f089640"
+checksum = "b3297343eaf830f66ede390ea39da1d462b6b0c1b000f420d0a83f898bbbe6ef"
 dependencies = [
 "bitflags",
 "core-foundation",
@@ -1699,24 +1740,34 @@ dependencies = [

 [[package]]
 name = "semver"
-version = "1.0.26"
+version = "1.0.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
+checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"

 [[package]]
 name = "serde"
-version = "1.0.219"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
 dependencies = [
 "serde_derive",
 ]

 [[package]]
 name = "serde_derive"
-version = "1.0.219"
+version = "1.0.228"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -1725,14 +1776,15 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.143"
+version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a"
+checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
 "itoa",
 "memchr",
 "ryu",
 "serde",
+ "serde_core",
 ]

 [[package]]
@@ -1757,6 +1809,16 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest",
+ "keccak",
+]
+
 [[package]]
 name = "shell-words"
 version = "1.1.0"
@@ -1779,6 +1841,12 @@ dependencies = [
 "rand_core 0.6.4",
 ]

+[[package]]
+name = "simd-adler32"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe"
+
 [[package]]
 name = "simpledateformat"
 version = "0.1.4"
@@ -1825,9 +1893,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"

 [[package]]
 name = "swift-secure-enclave-tool-rs"
-version = "1.2.3"
+version = "1.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "371944613f52b9f8ae07e571f8ec496bf3f23cc3705f06e80a826093fb19c021"
+checksum = "9edcbe35395fc8413d136a58861452159ec0367cef8b56aaf6c59edd1e0a0a1e"
 dependencies = [
 "base64 0.22.1",
 "hex",
@@ -1884,15 +1952,15 @@ dependencies = [

 [[package]]
 name = "tempfile"
-version = "3.22.0"
+version = "3.23.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "84fa4d11fadde498443cca10fd3ac23c951f0dc59e080e9f4b93d4df4e4eea53"
+checksum = "2d31c77bdf42a745371d260a26ca7163f1e0924b64afa0b688e61b5a9fa02f16"
 dependencies = [
 "fastrand",
 "getrandom 0.3.3",
 "once_cell",
 "rustix 1.1.2",
- "windows-sys 0.61.0",
+ "windows-sys 0.61.2",
 ]

 [[package]]
@@ -1936,11 +2004,11 @@ dependencies = [

 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 dependencies = [
- "thiserror-impl 2.0.16",
+ "thiserror-impl 2.0.17",
 ]

 [[package]]
@@ -1956,9 +2024,9 @@ dependencies = [

 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "3ff15c8ecd7de3849db632e14d18d2571fa09dfc5ed93479bc4485c7a517c913"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -1978,11 +2046,12 @@ dependencies = [

 [[package]]
 name = "time"
-version = "0.3.43"
+version = "0.3.44"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "83bde6f1ec10e72d583d91623c939f623002284ef622b87de38cfd546cbf2031"
+checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d"
 dependencies = [
 "deranged",
+ "itoa",
 "num-conv",
 "powerfmt",
 "serde",
@@ -2008,7 +2077,7 @@ dependencies = [

 [[package]]
 name = "tiny-encrypt"
-version = "1.9.14"
+version = "1.9.20"
 dependencies = [
 "aes-gcm-stream",
 "base64 0.22.1",
@@ -2023,6 +2092,7 @@ dependencies = [
 "hex",
 "indicatif",
 "json5",
+ "ml-kem",
 "openpgp-card",
 "openpgp-card-pcsc",
 "p256",
@@ -2048,6 +2118,7 @@ dependencies = [
 "x509-parser",
 "yubikey",
 "zeroize",
+ "zeroizing-alloc",
 ]

 [[package]]
@@ -2073,9 +2144,9 @@ dependencies = [

 [[package]]
 name = "typenum"
-version = "1.18.0"
+version = "1.19.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1dccffe3ce07af9386bfd29e80c0ab1a8205a2fc34e4bcd40364df902cfa8f3f"
+checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"

 [[package]]
 name = "ucd-trie"
@@ -2091,9 +2162,9 @@ checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d"

 [[package]]
 name = "unicode-width"
-version = "0.2.1"
+version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a1a07cc7db3810833284e8d372ccdc6da29741639ecc70c9ec107df0fa6154c"
+checksum = "b4ac048d71ede7ee76d585517add45da530660ef4390e49b098733c6e897f254"

 [[package]]
 name = "unit-prefix"
@@ -2154,27 +2225,27 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"

 [[package]]
 name = "wasi"
-version = "0.14.5+wasi-0.2.4"
+version = "0.14.7+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4494f6290a82f5fe584817a676a34b9d6763e8d9d18204009fb31dceca98fd4"
+checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c"
 dependencies = [
 "wasip2",
 ]

 [[package]]
 name = "wasip2"
-version = "1.0.0+wasi-0.2.4"
+version = "1.0.1+wasi-0.2.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "03fa2761397e5bd52002cd7e73110c71af2109aca4e521a9f40473fe685b0a24"
+checksum = "0562428422c63773dad2c345a1882263bbf4d65cf3f42e90921f787ef5ad58e7"
 dependencies = [
 "wit-bindgen",
 ]

 [[package]]
 name = "wasm-bindgen"
-version = "0.2.101"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7e14915cadd45b529bb8d1f343c4ed0ac1de926144b746e2710f9cd05df6603b"
+checksum = "c1da10c01ae9f1ae40cbfac0bac3b1e724b320abfcf52229f80b547c0d250e2d"
 dependencies = [
 "cfg-if",
 "once_cell",
@@ -2185,9 +2256,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.101"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e28d1ba982ca7923fd01448d5c30c6864d0a14109560296a162f80f305fb93bb"
+checksum = "671c9a5a66f49d8a47345ab942e2cb93c7d1d0339065d4f8139c486121b43b19"
 dependencies = [
 "bumpalo",
 "log",
@@ -2199,9 +2270,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.101"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7c3d463ae3eff775b0c45df9da45d68837702ac35af998361e2c84e7c5ec1b0d"
+checksum = "7ca60477e4c59f5f2986c50191cd972e3a50d8a95603bc9434501cf156a9a119"
 dependencies = [
 "quote",
 "wasm-bindgen-macro-support",
@@ -2209,9 +2280,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.101"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7bb4ce89b08211f923caf51d527662b75bdc9c9c7aab40f86dcb9fb85ac552aa"
+checksum = "9f07d2f20d4da7b26400c9f4a0511e6e0345b040694e8a75bd41d578fa4421d7"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2222,9 +2293,9 @@ dependencies = [

 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.101"
+version = "0.2.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f143854a3b13752c6950862c906306adb27c7e839f7414cec8fea35beab624c1"
+checksum = "bad67dc8b2a1a6e5448428adec4c3e84c43e561d8c9ee8a9e5aabeb193ec41d1"
 dependencies = [
 "unicode-ident",
 ]
@@ -2275,22 +2346,22 @@ checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

 [[package]]
 name = "windows-core"
-version = "0.62.0"
+version = "0.62.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57fe7168f7de578d2d8a05b07fd61870d2e73b4020e9f49aa00da8471723497c"
+checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
 dependencies = [
 "windows-implement",
 "windows-interface",
- "windows-link 0.2.0",
+ "windows-link",
 "windows-result",
 "windows-strings",
 ]

 [[package]]
 name = "windows-implement"
-version = "0.60.0"
+version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836"
+checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2299,9 +2370,9 @@ dependencies = [

 [[package]]
 name = "windows-interface"
-version = "0.59.1"
+version = "0.59.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8"
+checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2310,32 +2381,26 @@ dependencies = [

 [[package]]
 name = "windows-link"
-version = "0.1.3"
+version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e6ad25900d524eaabdbbb96d20b4311e1e7ae1699af4fb28c17ae66c80d798a"
-
-[[package]]
-name = "windows-link"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "45e46c0661abb7180e7b9c281db115305d49ca1709ab8242adf09666d2173c65"
+checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"

 [[package]]
 name = "windows-result"
-version = "0.4.0"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7084dcc306f89883455a206237404d3eaf961e5bd7e0f312f7c91f57eb44167f"
+checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link",
 ]

 [[package]]
 name = "windows-strings"
-version = "0.5.0"
+version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7218c655a553b0bed4426cf54b20d7ba363ef543b52d515b3e48d7fd55318dda"
+checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link",
 ]

 [[package]]
@@ -2362,16 +2427,16 @@ version = "0.60.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
 dependencies = [
- "windows-targets 0.53.3",
+ "windows-targets 0.53.5",
 ]

 [[package]]
 name = "windows-sys"
-version = "0.61.0"
+version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e201184e40b2ede64bc2ea34968b28e33622acdbbf37104f0e4a33f7abe657aa"
+checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 dependencies = [
- "windows-link 0.2.0",
+ "windows-link",
 ]

 [[package]]
@@ -2392,19 +2457,19 @@ dependencies = [

 [[package]]
 name = "windows-targets"
-version = "0.53.3"
+version = "0.53.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5fe6031c4041849d7c496a8ded650796e7b6ecc19df1a431c1a363342e5dc91"
+checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3"
 dependencies = [
- "windows-link 0.1.3",
- "windows_aarch64_gnullvm 0.53.0",
- "windows_aarch64_msvc 0.53.0",
- "windows_i686_gnu 0.53.0",
- "windows_i686_gnullvm 0.53.0",
- "windows_i686_msvc 0.53.0",
- "windows_x86_64_gnu 0.53.0",
- "windows_x86_64_gnullvm 0.53.0",
- "windows_x86_64_msvc 0.53.0",
+ "windows-link",
+ "windows_aarch64_gnullvm 0.53.1",
+ "windows_aarch64_msvc 0.53.1",
+ "windows_i686_gnu 0.53.1",
+ "windows_i686_gnullvm 0.53.1",
+ "windows_i686_msvc 0.53.1",
+ "windows_x86_64_gnu 0.53.1",
+ "windows_x86_64_gnullvm 0.53.1",
+ "windows_x86_64_msvc 0.53.1",
 ]

 [[package]]
@@ -2415,9 +2480,9 @@ checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"

 [[package]]
 name = "windows_aarch64_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86b8d5f90ddd19cb4a147a5fa63ca848db3df085e25fee3cc10b39b6eebae764"
+checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53"

 [[package]]
 name = "windows_aarch64_msvc"
@@ -2427,9 +2492,9 @@ checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"

 [[package]]
 name = "windows_aarch64_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c7651a1f62a11b8cbd5e0d42526e55f2c99886c77e007179efff86c2b137e66c"
+checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006"

 [[package]]
 name = "windows_i686_gnu"
@@ -2439,9 +2504,9 @@ checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"

 [[package]]
 name = "windows_i686_gnu"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1dc67659d35f387f5f6c479dc4e28f1d4bb90ddd1a5d3da2e5d97b42d6272c3"
+checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3"

 [[package]]
 name = "windows_i686_gnullvm"
@@ -2451,9 +2516,9 @@ checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"

 [[package]]
 name = "windows_i686_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ce6ccbdedbf6d6354471319e781c0dfef054c81fbc7cf83f338a4296c0cae11"
+checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c"

 [[package]]
 name = "windows_i686_msvc"
@@ -2463,9 +2528,9 @@ checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"

 [[package]]
 name = "windows_i686_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "581fee95406bb13382d2f65cd4a908ca7b1e4c2f1917f143ba16efe98a589b5d"
+checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2"

 [[package]]
 name = "windows_x86_64_gnu"
@@ -2475,9 +2540,9 @@ checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"

 [[package]]
 name = "windows_x86_64_gnu"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2e55b5ac9ea33f2fc1716d1742db15574fd6fc8dadc51caab1c16a3d3b4190ba"
+checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499"

 [[package]]
 name = "windows_x86_64_gnullvm"
@@ -2487,9 +2552,9 @@ checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"

 [[package]]
 name = "windows_x86_64_gnullvm"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0a6e035dd0599267ce1ee132e51c27dd29437f63325753051e71dd9e42406c57"
+checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1"

 [[package]]
 name = "windows_x86_64_msvc"
@@ -2499,15 +2564,15 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"

 [[package]]
 name = "windows_x86_64_msvc"
-version = "0.53.0"
+version = "0.53.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "271414315aff87387382ec3d271b52d7ae78726f5d44ac98b4f4030c91880486"
+checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650"

 [[package]]
 name = "wit-bindgen"
-version = "0.45.1"
+version = "0.46.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c573471f125075647d03df72e026074b7203790d41351cd6edc96f46bcccd36"
+checksum = "f17a85883d4e6d00e8a97c586de764dabcc06133f7f1d55dce5cdc070ad7fe59"

 [[package]]
 name = "x25519-dalek"
@@ -2548,8 +2613,8 @@ dependencies = [
 "nom",
 "oid-registry",
 "rusticata-macros",
- "thiserror 2.0.16",
- "time 0.3.43",
+ "thiserror 2.0.17",
+ "time 0.3.44",
 ]

 [[package]]
@@ -2607,9 +2672,9 @@ dependencies = [

 [[package]]
 name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
 dependencies = [
 "zeroize_derive",
 ]
@@ -2624,3 +2689,9 @@ dependencies = [
 "quote",
 "syn",
 ]
+
+[[package]]
+name = "zeroizing-alloc"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebff5e6b81c1c7dca2d0bd333b2006da48cb37dbcae5a8da888f31fcb3c19934"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tiny-encrypt"
-version = "1.9.14"
+version = "1.9.20"
 edition = "2021"
 license = "MIT"
 description = "A simple and tiny file encrypt tool"
@@ -55,6 +55,8 @@ swift-secure-enclave-tool-rs = "1.0"
 json5 = "0.4"
 external-command-rs = "0.1"
 percent-encoding = "2.3"
+ml-kem = { version = "0.2.1", features = ["zeroize"] }
+zeroizing-alloc = "0.1.0"

 [profile.release]
 codegen-units = 1
--- a/README.md
+++ b/README.md
@@ -114,19 +114,23 @@ Last, config key id to profile.

 Supported PKI encryption types:

-| Type             | Algorithm       | Description                             |
-|------------------|-----------------|-----------------------------------------|
-| pgp-rsa          | PKCS1-v1.5      | OpenPGP Encryption Key (Previous `pgp`) |
-| pgp-x25519       | ECDH(X25519)    | OpenPGP Encryption Key                  |
-| gpg              | OpenPGP         | GnuPG Command                           |
-| static-x25519    | ECDH(X25519)    | Key Stored in macOS Keychain Access     |
-| static-kyber1024 | Kyber1024       | Key Stored in macOS Keychain Access     |
-| piv-p256         | ECDH(secp256r1) | PIV Slot (Previous `ecdh`)              |
-| piv-p384         | ECDH(secp384r1) | PIV Slot (Previous `ecdh-p384`)         |
-| key-p256         | ECDH(secp256r1) | Key Stored in macOS Secure Enclave      |
-| ext-p256         | ECDH(secp256r1) | Key Protected by External Command       |
-| ext-p384         | ECDH(secp384r1) | Key Protected by External Command       |
-| piv-rsa          | PKCS1-v1.5      | PIV Slot                                |
+| Type             | Algorithm           | Description                                            |
+|------------------|---------------------|--------------------------------------------------------|
+| pgp-rsa          | PKCS1-v1.5          | OpenPGP Encryption Key (Previous `pgp`)                |
+| pgp-x25519       | ECDH(X25519)        | OpenPGP Encryption Key                                 |
+| gpg              | OpenPGP             | GnuPG Command                                          |
+| static-x25519    | ECDH(X25519)        | Key Stored in macOS Keychain Access                    |
+| static-kyber1024 | Kyber1024           | Key Stored in macOS Keychain Access                    |
+| piv-p256         | ECDH(secp256r1)     | PIV Slot (Previous `ecdh`)                             |
+| piv-p384         | ECDH(secp384r1)     | PIV Slot (Previous `ecdh-p384`)                        |
+| key-p256         | ECDH(secp256r1)     | Key Stored in macOS Secure Enclave (using P256)        |
+| key-mlkem768     | ML-KEM(ML-KEM-768)  | Key Stored in macOS Secure Enclave (using ML-KEM-768)  |
+| key-mlkem1024    | ML-KEM(ML-KEM-1024) | Key Stored in macOS Secure Enclave (using ML-KEM-1024) |
+| ext-p256         | ECDH(secp256r1)     | Key Protected by External Command                      |
+| ext-p384         | ECDH(secp384r1)     | Key Protected by External Command                      |
+| ext-mlkem768     | ML-KEM(ML-KEM-768)  | Key Protected by External Command                      |
+| ext-mlkem1024    | ML-KEM(ML-KEM-1024) | Key Protected by External Command                      |
+| piv-rsa          | PKCS1-v1.5          | PIV Slot                                               |

 Smart Card(Yubikey) protected ECDH Encryption description as below:

@@ -153,20 +157,24 @@ Smart Card(Yubikey) protected ECDH Encryption description as below:

 Environment

-| KEY                              | Comment                                     |
-|----------------------------------|---------------------------------------------|
-| TINY_ENCRYPT_CONFIG_FILE         | Config file                                 |
-| TINY_ENCRYPT_DEFAULT_ALGORITHM   | Encryption algorithm, `aes` or `chacha20`   |
-| TINY_ENCRYPT_DEFAULT_COMPRESS    | File compress, `1` or `on`, default `false` |
-| TINY_ENCRYPT_NO_PROGRESS         | Do not display progress bar                 |
-| TINY_ENCRYPT_NO_DEFAULT_PIN_HINT | Do not display default PIN hint             |
-| TINY_ENCRYPT_USE_DIALOGUER       | Use dialoguer                               |
-| TINY_ENCRYPT_PIN                 | PIV Card PIN                                |
-| TINY_ENCRYPT_KEY_ID              | Default Key ID                              |
-| TINY_ENCRYPT_AUTO_SELECT_KEY_IDS | Auto select Key IDs                         |
-| TINY_ENCRYPT_AUTO_COMPRESS_EXTS  | Auto compress file exts                     |
-| TINY_ENCRYPT_PIN_ENTRY           | PIN entry command cli                       |
-| TINY_ENCRYPT_EXTERNAL_COMMAND    | External command cli                        |
-| SECURE_EDITOR                    | Secure Editor                               |
-| EDITOR                           | Editor (Plaintext)                          |
+| KEY                              | Comment                                                        |
+|----------------------------------|----------------------------------------------------------------|
+| TINY_ENCRYPT_CONFIG_FILE         | Config file                                                    |
+| TINY_ENCRYPT_DEFAULT_ALGORITHM   | Encryption algorithm, `aes` or `chacha20`                      |
+| TINY_ENCRYPT_DEFAULT_COMPRESS    | File compress, `1` or `on`, default `false`                    |
+| TINY_ENCRYPT_NO_PROGRESS         | Do not display progress bar                                    |
+| TINY_ENCRYPT_NO_DEFAULT_PIN_HINT | Do not display default PIN hint                                |
+| TINY_ENCRYPT_USE_DIALOGUER       | Use dialoguer                                                  |
+| TINY_ENCRYPT_PIN                 | PIV Card PIN                                                   |
+| TINY_ENCRYPT_KEY_ID              | Default Key ID                                                 |
+| TINY_ENCRYPT_AUTO_SELECT_KEY_IDS | Auto select Key IDs                                            |
+| TINY_ENCRYPT_AUTO_COMPRESS_EXTS  | Auto compress file exts                                        |
+| TINY_ENCRYPT_PIN_ENTRY           | PIN entry command cli                                          |
+| TINY_ENCRYPT_EXTERNAL_COMMAND    | External command cli                                           |
+| SECURE_EDITOR                    | Secure Editor [\[OWS RFC6\]](https://openwebstandard.org/rfc6) |
+| EDITOR                           | Editor (Plaintext)                                             |

+Alternative environment setup:
+```shell
+~/.config/envs/ENV_VARIABLE_NAME  <--> File Content
+```
--- a/src/cmd_config.rs
+++ b/src/cmd_config.rs
@@ -54,6 +54,9 @@ pub struct CmdConfig {
    /// Temporary key output
    #[arg(long)]
    pub temporary_key: bool,
+    /// Hide __all__
+    #[arg(long)]
+    pub hide_all: bool,
    /// Encryption profile (use default when --key-filter is assigned)
    #[arg(long, short = 'p')]
    pub profile: Option<String>,
@@ -63,7 +66,7 @@ pub struct CmdConfig {
 }

 pub fn config(cmd_config: CmdConfig) -> XResult<()> {
-    let config = TinyEncryptConfig::load_default()?;
+    let config = TinyEncryptConfig::load_default(&None)?;

    if cmd_config.json {
        let mut config = config;
@@ -129,7 +132,7 @@ fn strip_field(kid: &str, max_len: usize) -> String {
    }
 }

-fn config_profiles(cmd_version: &CmdConfig, config: &TinyEncryptConfig) -> XResult<()> {
+fn config_profiles(cmd_config: &CmdConfig, config: &TinyEncryptConfig) -> XResult<()> {
    let mut reverse_map = HashMap::new();
    if let Some(profiles) = &config.profiles {
        for (p, v) in profiles {
@@ -148,6 +151,9 @@ fn config_profiles(cmd_version: &CmdConfig, config: &TinyEncryptConfig) -> XResu
        let mut ps: Vec<_> = pvs.iter().map(|pv| pv.0).collect();
        ps.sort();
        let pp = ps.iter().map(|s| s.to_string()).collect::<Vec<_>>().join(", ");
+        if cmd_config.hide_all && pp == "__all__" {
+            continue;
+        }
        let kids = pvs[0].1;
        let mut ks = Vec::with_capacity(kids.len());
        for kid in kids {
@@ -156,7 +162,7 @@ fn config_profiles(cmd_version: &CmdConfig, config: &TinyEncryptConfig) -> XResu
                    ks.push(format!("[ERROR] Key not found: {}", kid));
                }
                Some(envelop) => {
-                    let kid = if cmd_version.show_kid {
+                    let kid = if cmd_config.show_kid {
                        format!("Kid: {}", envelop.kid)
                    } else {
                        envelop.sid.as_ref()
--- a/src/cmd_decrypt.rs
+++ b/src/cmd_decrypt.rs
@@ -29,6 +29,8 @@ use crate::compress::GzStreamDecoder;
 use crate::config::TinyEncryptConfig;
 use crate::consts::{
    DATE_TIME_FORMAT,
+    ENC_AES256_GCM_MLKEM768, ENC_AES256_GCM_MLKEM1024,
+    ENC_CHACHA20_POLY1305_MLKEM768, ENC_CHACHA20_POLY1305_MLKEM1024,
    ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384,
    ENC_AES256_GCM_X25519, ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_P256,
    ENC_CHACHA20_POLY1305_P384, ENC_CHACHA20_POLY1305_X25519,
@@ -93,6 +95,10 @@ pub struct CmdDecrypt {
    #[arg(long, short = 'A')]
    pub digest_algorithm: Option<String>,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// Files need to be decrypted
    pub paths: Vec<PathBuf>,
 }
@@ -106,7 +112,7 @@ impl Drop for CmdDecrypt {
 pub fn decrypt(cmd_decrypt: CmdDecrypt) -> XResult<()> {
    if cmd_decrypt.split_print { util_msg::set_logger_std_out(false); }
    debugging!("Cmd decrypt: {:?}", cmd_decrypt);
-    let config = TinyEncryptConfig::load_default().ok();
+    let config = TinyEncryptConfig::load_default(&cmd_decrypt.config).ok();

    let start = Instant::now();
    let mut succeed_count = 0;
@@ -468,7 +474,9 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
        TinyEncryptEnvelopType::StaticX25519 => try_decrypt_key_ecdh_static_x25519(config, envelop),
        TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::PivP384 => try_decrypt_piv_key_ecdh(config, envelop, pin, slot, silent),
        TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
-        TinyEncryptEnvelopType::ExtP256 | TinyEncryptEnvelopType::ExtP384 => try_decrypt_ext_key_ecdh(config, envelop),
+        TinyEncryptEnvelopType::KeyMlKem768 | TinyEncryptEnvelopType::KeyMlKem1024 => try_decrypt_se_key_ecdh(config, envelop),
+        TinyEncryptEnvelopType::ExtP256 | TinyEncryptEnvelopType::ExtP384 |
+        TinyEncryptEnvelopType::ExtMlKem768 | TinyEncryptEnvelopType::ExtMlKem1024 => try_decrypt_ext_key_ecdh(config, envelop),
        TinyEncryptEnvelopType::PivRsa => try_decrypt_piv_key_rsa(config, envelop, pin, slot, silent),
        #[cfg(feature = "macos")]
        TinyEncryptEnvelopType::StaticKyber1024 => try_decrypt_key_ecdh_static_kyber1204(config, envelop),
@@ -558,8 +566,8 @@ fn try_decrypt_se_key_ecdh(config: &Option<TinyEncryptConfig>,
                           envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {
    let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
    let cryptor = match wrap_key.header.enc.as_str() {
-        ENC_AES256_GCM_P256 => Cryptor::Aes256Gcm,
-        ENC_CHACHA20_POLY1305_P256 => Cryptor::ChaCha20Poly1305,
+        ENC_AES256_GCM_P256 | ENC_AES256_GCM_MLKEM768 | ENC_AES256_GCM_MLKEM1024 => Cryptor::Aes256Gcm,
+        ENC_CHACHA20_POLY1305_P256 | ENC_CHACHA20_POLY1305_MLKEM768 | ENC_CHACHA20_POLY1305_MLKEM1024 => Cryptor::ChaCha20Poly1305,
        _ => return simple_error!("Unsupported header enc: {}", &wrap_key.header.enc),
    };
    let e_pub_key_bytes = wrap_key.header.get_e_pub_key_bytes()?;
@@ -587,6 +595,7 @@ fn try_decrypt_se_key_ecdh(config: &Option<TinyEncryptConfig>,
    };

    let shared_secret = opt_result!(util_keychainkey::decrypt_data(
+                envelop.r#type,
                &private_key_base64,
                &e_pub_key_bytes
            ), "Decrypt via secure enclave failed: {}");
@@ -603,8 +612,11 @@ fn try_decrypt_ext_key_ecdh(config: &Option<TinyEncryptConfig>,
                           envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {
    let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
    let cryptor = match wrap_key.header.enc.as_str() {
-        ENC_AES256_GCM_P256 | ENC_AES256_GCM_P384 => Cryptor::Aes256Gcm,
-        ENC_CHACHA20_POLY1305_P256 | ENC_CHACHA20_POLY1305_P384 => Cryptor::ChaCha20Poly1305,
+        ENC_AES256_GCM_P256 | ENC_AES256_GCM_P384 |
+        ENC_AES256_GCM_MLKEM768 | ENC_AES256_GCM_MLKEM1024 => Cryptor::Aes256Gcm,
+
+        ENC_CHACHA20_POLY1305_P256 | ENC_CHACHA20_POLY1305_P384 |
+        ENC_CHACHA20_POLY1305_MLKEM768 | ENC_CHACHA20_POLY1305_MLKEM1024 => Cryptor::ChaCha20Poly1305,
        _ => return simple_error!("Unsupported header enc: {}", &wrap_key.header.enc),
    };
    let e_pub_key_bytes = wrap_key.header.get_e_pub_key_bytes()?;
--- a/src/cmd_encrypt.rs
+++ b/src/cmd_encrypt.rs
@@ -12,24 +12,20 @@ use rust_util::{debugging, failure, iff, information, opt_result, simple_error,

 use crate::compress::GzStreamEncoder;
 use crate::config::{TinyEncryptConfig, TinyEncryptConfigEnvelop};
-use crate::consts::{
-    ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384, ENC_AES256_GCM_X25519,
-    ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_P256, ENC_CHACHA20_POLY1305_P384,
-    ENC_CHACHA20_POLY1305_X25519, SALT_COMMENT, TINY_ENC_FILE_EXT, TINY_ENC_PEM_FILE_EXT,
-    TINY_ENC_PEM_NAME,
-};
+use crate::consts::{ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_MLKEM1024, ENC_AES256_GCM_MLKEM768, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384, ENC_AES256_GCM_X25519, ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_MLKEM1024, ENC_CHACHA20_POLY1305_MLKEM768, ENC_CHACHA20_POLY1305_P256, ENC_CHACHA20_POLY1305_P384, ENC_CHACHA20_POLY1305_X25519, SALT_COMMENT, TINY_ENC_FILE_EXT, TINY_ENC_PEM_FILE_EXT, TINY_ENC_PEM_NAME};
 use crate::crypto_cryptor::{Cryptor, KeyNonce};
 use crate::spec::{
    EncEncryptedMeta, EncMetadata,
    TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta,
 };
-use crate::util::{is_tiny_enc_file, to_pem};
+use crate::util::{decode_base64, is_tiny_enc_file, to_pem};
 use crate::util_ecdh::{ecdh_kyber1024, ecdh_p256, ecdh_p384, ecdh_x25519};
 use crate::util_progress::Progress;
-use crate::util_rsa;
+use crate::{util_mlkem, util_rsa};
 use crate::wrap_key::{WrapKey, WrapKeyHeader};
 use crate::{crypto_cryptor, crypto_simple, util, util_enc_file, util_env, util_gpg};
 use crate::temporary_key::parse_temporary_keys;
+use crate::util_mlkem::MlKemAlgo;

 #[derive(Debug, Args)]
 pub struct CmdEncrypt {
@@ -81,12 +77,16 @@ pub struct CmdEncrypt {
    #[arg(long, short = 'A')]
    pub encryption_algorithm: Option<String>,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// Files need to be decrypted
    pub paths: Vec<PathBuf>,
 }

 pub fn encrypt(cmd_encrypt: CmdEncrypt) -> XResult<()> {
-    let config = TinyEncryptConfig::load_default()?;
+    let config = TinyEncryptConfig::load_default(&cmd_encrypt.config)?;
    debugging!("Found tiny encrypt config: {:?}", config);
    let mut envelops = config.find_envelops(&cmd_encrypt.profile, &cmd_encrypt.key_filter)?;
    debugging!("Found envelops: {:?}", envelops);
@@ -336,6 +336,10 @@ pub fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptCo
            TinyEncryptEnvelopType::StaticKyber1024 => {
                encrypted_envelops.push(encrypt_envelop_ecdh_kyber1204(cryptor, key, envelop)?);
            }
+            TinyEncryptEnvelopType::KeyMlKem768 | TinyEncryptEnvelopType::KeyMlKem1024 |
+            TinyEncryptEnvelopType::ExtMlKem768 | TinyEncryptEnvelopType::ExtMlKem1024 => {
+                encrypted_envelops.push(encrypt_envelop_ecdh_ml_kem(cryptor, key, envelop)?);
+            }
            _ => return simple_error!("Not supported type: {:?}", envelop.r#type),
        }
    }
@@ -382,6 +386,19 @@ fn encrypt_envelop_ecdh_kyber1204(cryptor: Cryptor, key: &[u8], envelop: &TinyEn
    encrypt_envelop_shared_secret(cryptor, key, &shared_secret, &ephemeral_spki, enc_type, envelop)
 }

+fn encrypt_envelop_ecdh_ml_kem(cryptor: Cryptor, key: &[u8], envelop: &TinyEncryptConfigEnvelop) -> XResult<TinyEncryptEnvelop> {
+    let public_key_base64 = &envelop.public_part;
+    let public_key = opt_result!(decode_base64(public_key_base64), "Decode ML-KEM public key from base64 failed: {}");
+    let (shared_secret, ciphertext, ml_kem_algo) = util_mlkem::try_ml_kem_encapsulate(&public_key)?;
+    let enc_type = match (cryptor, ml_kem_algo) {
+        (Cryptor::Aes256Gcm, MlKemAlgo::MlKem768) => ENC_AES256_GCM_MLKEM768,
+        (Cryptor::Aes256Gcm, MlKemAlgo::MlKem1024) => ENC_AES256_GCM_MLKEM1024,
+        (Cryptor::ChaCha20Poly1305, MlKemAlgo::MlKem768) => ENC_CHACHA20_POLY1305_MLKEM768,
+        (Cryptor::ChaCha20Poly1305, MlKemAlgo::MlKem1024) => ENC_CHACHA20_POLY1305_MLKEM1024,
+    };
+    encrypt_envelop_shared_secret(cryptor, key, &shared_secret, &ciphertext, enc_type, envelop)
+}
+
 fn encrypt_envelop_shared_secret(cryptor: Cryptor,
                                 key: &[u8],
                                 shared_secret: &[u8],
--- a/src/cmd_execenv.rs
+++ b/src/cmd_execenv.rs
@@ -29,6 +29,10 @@ pub struct CmdExecEnv {
    #[arg(long, short = 's')]
    pub slot: Option<String>,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// Tiny encrypt file name
    pub file_name: String,

@@ -45,7 +49,7 @@ impl Drop for CmdExecEnv {
 pub fn exec_env(cmd_exec_env: CmdExecEnv) -> XResult<()> {
    util_msg::set_logger_std_out(false);
    debugging!("Cmd exec env: {:?}", cmd_exec_env);
-    let config = TinyEncryptConfig::load_default().ok();
+    let config = TinyEncryptConfig::load_default(&cmd_exec_env.config).ok();
    if cmd_exec_env.command_arguments.is_empty() {
        return simple_error!("No commands assigned.");
    }
--- a/src/cmd_info.rs
+++ b/src/cmd_info.rs
@@ -23,12 +23,16 @@ pub struct CmdInfo {
    #[arg(long, short = 'M', default_value_t = false)]
    pub raw_meta: bool,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// File
    pub paths: Vec<PathBuf>,
 }

 pub fn info(cmd_info: CmdInfo) -> XResult<()> {
-    let config = TinyEncryptConfig::load_default().ok();
+    let config = TinyEncryptConfig::load_default(&cmd_info.config).ok();
    for (i, path) in cmd_info.paths.iter().enumerate() {
        let path = config::resolve_path_namespace(&config, path, true);
        if i > 0 { println!("{}", "-".repeat(88)); }
--- a/src/cmd_initkeychain.rs
+++ b/src/cmd_initkeychain.rs
@@ -88,6 +88,7 @@ pub fn keychain_key_se(cmd_init_keychain: CmdInitKeychain) -> XResult<()> {
        desc: Some("Keychain Secure Enclave".to_string()),
        args: Some(vec![saved_arg0]),
        public_part: public_key_hex,
+        profiles: None,
    };

    information!("Config envelop:\n{}", serde_json::to_string_pretty(&config_envelop).unwrap());
@@ -175,6 +176,7 @@ pub fn keychain_key_static(cmd_init_keychain: CmdInitKeychain) -> XResult<()> {
        desc: Some("Keychain static".to_string()),
        args: Some(vec![keychain_key.to_str()]),
        public_part: public_key_hex,
+        profiles: None,
    };

    information!("Config envelop:\n{}", serde_json::to_string_pretty(&config_envelop).unwrap());
--- a/src/cmd_initpiv.rs
+++ b/src/cmd_initpiv.rs
@@ -69,6 +69,7 @@ pub fn init_piv(cmd_init_piv: CmdInitPiv) -> XResult<()> {
                        slot_id_hex.clone()
                    ]),
                    public_part: public_key_point_hex,
+                    profiles: None,
                };

                information!("Config envelop:\n{}", serde_json::to_string_pretty(&config_envelop).unwrap());
@@ -84,6 +85,7 @@ pub fn init_piv(cmd_init_piv: CmdInitPiv) -> XResult<()> {
                        slot_id_hex.clone()
                    ]),
                    public_part: util::to_pem(&spki, "PUBLIC KEY"),
+                    profiles: None,
                };

                information!("Config envelop:\n{}", serde_json::to_string_pretty(&config_envelop).unwrap());
--- a/src/cmd_simple_encrypt_decrypt.rs
+++ b/src/cmd_simple_encrypt_decrypt.rs
@@ -50,10 +50,18 @@ pub struct CmdSimpleEncrypt {
    #[arg(long, short = 'P')]
    pub with_pbkdf_encryption: bool,

+    /// PBKDF iterations (default: 10000)
+    #[arg(long, short = 'i')]
+    pub pbkdf_iterations: Option<u32>,
+
    /// PBKDF encryption password
    #[arg(long, short = 'A')]
    pub password: Option<String>,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// Direct output result value
    #[arg(long)]
    pub outputs_password: bool,
@@ -93,6 +101,10 @@ pub struct CmdSimpleDecrypt {
    #[arg(long, short = 'A')]
    pub password: Option<String>,

+    /// Config file or based64 encoded (starts with: base64:)
+    #[arg(long)]
+    pub config: Option<String>,
+
    /// Direct output result value
    #[arg(long)]
    pub outputs_password: bool,
@@ -193,7 +205,7 @@ pub fn simple_decrypt(cmd_simple_decrypt: CmdSimpleDecrypt) -> XResult<()> {
 }

 pub fn inner_simple_encrypt(cmd_simple_encrypt: CmdSimpleEncrypt) -> XResult<()> {
-    let config = TinyEncryptConfig::load_default()?;
+    let config = TinyEncryptConfig::load_default(&cmd_simple_encrypt.config)?;
    debugging!("Found tiny encrypt config: {:?}", config);

    let mut envelops = config.find_envelops(
@@ -237,7 +249,8 @@ pub fn inner_simple_encrypt(cmd_simple_encrypt: CmdSimpleEncrypt) -> XResult<()>
    let mut outputs_password = None;
    if with_pbkdf_encryption {
        let password = util::read_password(&cmd_simple_encrypt.password)?;
-        simple_encrypt_result = SimplePbkdfEncryptionV1::encrypt(&password, simple_encrypt_result.as_bytes())?.to_string();
+        simple_encrypt_result = SimplePbkdfEncryptionV1::encrypt(&password, simple_encrypt_result.as_bytes(),
+                                                                 &cmd_simple_encrypt.pbkdf_iterations)?.to_string();
        if cmd_simple_encrypt.outputs_password {
            outputs_password = Some(password);
        }
@@ -248,7 +261,7 @@ pub fn inner_simple_encrypt(cmd_simple_encrypt: CmdSimpleEncrypt) -> XResult<()>

 #[cfg(feature = "decrypt")]
 pub fn inner_simple_decrypt(cmd_simple_decrypt: CmdSimpleDecrypt) -> XResult<()> {
-    let config = TinyEncryptConfig::load_default().ok();
+    let config = TinyEncryptConfig::load_default(&cmd_simple_decrypt.config).ok();

    let pin = cmd_simple_decrypt.pin.clone().or_else(util_env::get_pin);
    let slot = cmd_simple_decrypt.slot.clone();
--- a/src/config.rs
+++ b/src/config.rs
@@ -3,12 +3,13 @@ use std::collections::HashMap;
 use std::path::Path;
 use std::path::PathBuf;
 use std::{env, fs};
-use rust_util::util_env as rust_util_env;
+use rust_util::{util_env as rust_util_env};
 use rust_util::util_file::resolve_file_path;
 use rust_util::{debugging, opt_result, warning, XResult};
 use serde::{Deserialize, Serialize};
 use crate::consts::{ENV_TINY_ENC_CONFIG_FILE, TINY_ENC_CONFIG_FILE, TINY_ENC_CONFIG_FILE_2, TINY_ENC_CONFIG_FILE_3, TINY_ENC_FILE_EXT};
 use crate::spec::TinyEncryptEnvelopType;
+use crate::util::decode_base64;

 /// Config file sample:
 /// ~/.tinyencrypt/config-rs.json
@@ -71,17 +72,24 @@ pub struct TinyEncryptConfigEnvelop {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub args: Option<Vec<String>>,
    pub public_part: String,
+    pub profiles: Option<Vec<String>>,
 }

 impl TinyEncryptConfig {
-    pub fn load_default() -> XResult<Self> {
-        let resolved_file0 = rust_util_env::env_var(ENV_TINY_ENC_CONFIG_FILE);
+    pub fn load_default(config: &Option<String>) -> XResult<Self> {
+        let resolved_file0 = config.clone().or_else(|| rust_util_env::env_var(ENV_TINY_ENC_CONFIG_FILE));
        let resolved_file_1 = resolve_file_path(TINY_ENC_CONFIG_FILE);
        let resolved_file_2 = resolve_file_path(TINY_ENC_CONFIG_FILE_2);
        let resolved_file_3 = resolve_file_path(TINY_ENC_CONFIG_FILE_3);
        if let Some(resolved_file) = resolved_file0 {
+            if resolved_file.starts_with("base64:") {
+                let decoded_resolved_bytes_result = decode_base64(&resolved_file.chars().skip(7).collect::<String>());
+                let decoded_resolved_bytes = opt_result!(decoded_resolved_bytes_result, "Decode base64 failed: {}");
+                let decoded_resolved_content = opt_result!(String::from_utf8(decoded_resolved_bytes), "Decode UTF-8 string failed: {}");
+                return Self::load_content(&decoded_resolved_content, "<env>");
+            }
            debugging!("Found tiny encrypt config file: {}", &resolved_file);
-            return Self::load(&resolved_file)
+            return Self::load_file(&resolved_file)
        }
        let config_file = if fs::metadata(&resolved_file_1).is_ok() {
            debugging!("Load config from: {resolved_file_1}");
@@ -96,42 +104,29 @@ impl TinyEncryptConfig {
            warning!("Cannot find config file from:\n- {resolved_file_1}\n- {resolved_file_2}\n- {resolved_file_3}");
            resolved_file_1
        };
-        Self::load(&config_file)
+        Self::load_file(&config_file)
    }

-    pub fn load(file: &str) -> XResult<Self> {
+    pub fn load_file(file: &str) -> XResult<Self> {
        let resolved_file = resolve_file_path(file);
-        let config_contents = opt_result!(
+        let config_content = opt_result!(
            fs::read_to_string(resolved_file),
            "Read config file: {}, failed: {}",
            file
        );
+        Self::load_content(&config_content, file)
+    }
+
+    pub fn load_content(config_content: &str, file: &str) -> XResult<Self> {
        let config: TinyEncryptConfig = opt_result!(
-            serde_json::from_str(&config_contents),
+            serde_json::from_str(&config_content),
            "Parse config file: {}, failed: {}",
            file
        );
        debugging!("Config: {:#?}", config);
-        let mut config = load_includes_and_merge(config);
+        let config = load_includes_and_merge(config);
        debugging!("Final config: {:#?}", config);

-        if let Some(profiles) = config.profiles {
-            let mut splited_profiles = HashMap::new();
-            for (k, v) in profiles.into_iter() {
-                if !k.contains(',') {
-                    splited_profiles.insert(k, v);
-                } else {
-                    k.split(',')
-                        .map(|k| k.trim())
-                        .filter(|k| !k.is_empty())
-                        .for_each(|k| {
-                            splited_profiles.insert(k.to_string(), v.clone());
-                        });
-                }
-            }
-            config.profiles = Some(splited_profiles);
-        }
-
        if let Some(environment) = &config.environment {
            for (k, v) in environment {
                let v = match v {
@@ -353,22 +348,44 @@ pub fn load_includes_and_merge(mut config: TinyEncryptConfig) -> TinyEncryptConf
                }
                config.envelops.push(sub_envelop.clone());
            }
-            // merge profiles
-            if let Some(sub_profiles) = &sub_config.profiles {
-                match &mut config.profiles {
-                    None => {
-                        config.profiles = Some(sub_profiles.clone());
-                    }
-                    Some(profiles) => {
-                        for (k, v) in sub_profiles {
-                            match profiles.get_mut(k) {
-                                None => {
-                                    profiles.insert(k.clone(), v.clone());
+
+            // deal with envelop profiles
+            let mut sub_profiles: HashMap<String, Vec<String>> = match &sub_config.profiles {
+                None => HashMap::new(),
+                Some(sub_profiles) => sub_profiles.clone(),
+            };
+            for envelop in &sub_config.envelops {
+                if let Some(profiles) = &envelop.profiles {
+                    let kid = envelop.kid.clone();
+                    for profile in profiles {
+                        match sub_profiles.get_mut(profile) {
+                            None => {
+                                sub_profiles.insert(profile.clone(), vec![kid.clone()]);
+                            }
+                            Some(kids) => {
+                                if !kids.contains(&kid) {
+                                    kids.push(kid.clone());
                                }
-                                Some(env_val) => {
-                                    for vv in v {
-                                        env_val.push(vv.clone());
-                                    }
+                            }
+                        }
+                    }
+                }
+            }
+
+            // merge profiles
+            match &mut config.profiles {
+                None => {
+                    config.profiles = Some(sub_profiles.clone());
+                }
+                Some(profiles) => {
+                    for (k, v) in &sub_profiles {
+                        match profiles.get_mut(k) {
+                            None => {
+                                profiles.insert(k.clone(), v.clone());
+                            }
+                            Some(env_val) => {
+                                for vv in v {
+                                    env_val.push(vv.clone());
                                }
                            }
                        }
--- a/src/consts.rs
+++ b/src/consts.rs
@@ -3,10 +3,14 @@ pub const ENC_AES256_GCM_P256: &str = "aes256-gcm-p256";
 pub const ENC_AES256_GCM_P384: &str = "aes256-gcm-p384";
 pub const ENC_AES256_GCM_X25519: &str = "aes256-gcm-x25519";
 pub const ENC_AES256_GCM_KYBER1204: &str = "aes256-gcm-kyber1204";
+pub const ENC_AES256_GCM_MLKEM768: &str = "aes256-gcm-mlkem768";
+pub const ENC_AES256_GCM_MLKEM1024: &str = "aes256-gcm-mlkem1024";
 pub const ENC_CHACHA20_POLY1305_P256: &str = "chacha20-poly1305-p256";
 pub const ENC_CHACHA20_POLY1305_P384: &str = "chacha20-poly1305-p384";
 pub const ENC_CHACHA20_POLY1305_X25519: &str = "chacha20-poly1305-x25519";
 pub const ENC_CHACHA20_POLY1305_KYBER1204: &str = "chacha20-poly1305-kyber1204";
+pub const ENC_CHACHA20_POLY1305_MLKEM768: &str = "chacha20-poly1305-mlkem768";
+pub const ENC_CHACHA20_POLY1305_MLKEM1024: &str = "chacha20-poly1305-mlkem1024";

 // Extend and config file
 pub const TINY_ENC_FILE_EXT: &str = ".tinyenc";
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -78,4 +78,5 @@ mod util_keychainkey;
 mod util_simple_pbe;
 mod util_log;
 mod temporary_key;
+mod util_mlkem;

--- a/src/main.rs
+++ b/src/main.rs
@@ -13,6 +13,11 @@ use tiny_encrypt::CmdInitKeychain;
 use tiny_encrypt::CmdInitPiv;
 use tiny_encrypt::{init_tiny_encrypt_log, CmdConfig, CmdDirectDecrypt, CmdEncrypt, CmdInfo, CmdSimpleDecrypt, CmdSimpleEncrypt, CmdVersion};

+use zeroizing_alloc::ZeroAlloc;
+
+#[global_allocator]
+static ALLOC: ZeroAlloc<std::alloc::System> = ZeroAlloc(std::alloc::System);
+
 #[derive(Debug, Parser)]
 #[command(name = "tiny-encrypt-rs")]
 #[command(about = "A tiny encrypt client in Rust", long_about = None)]
@@ -27,11 +32,11 @@ enum Commands {
    #[command(arg_required_else_help = true, short_flag = 'e')]
    Encrypt(CmdEncrypt),
    /// Simple encrypt message
-    #[command(arg_required_else_help = true)]
+    #[command(arg_required_else_help = true, short_flag = 'E')]
    SimpleEncrypt(CmdSimpleEncrypt),
    #[cfg(feature = "decrypt")]
    /// Simple decrypt message
-    #[command(arg_required_else_help = true)]
+    #[command(arg_required_else_help = true, short_flag = 'D')]
    SimpleDecrypt(CmdSimpleDecrypt),
    #[cfg(feature = "decrypt")]
    /// Decrypt file(s)
--- a/src/spec.rs
+++ b/src/spec.rs
@@ -86,6 +86,12 @@ pub enum TinyEncryptEnvelopType {
    // Secure Enclave ECDH P256
    #[serde(rename = "key-p256")]
    KeyP256,
+    // Secure Enclave ML-KEM 768
+    #[serde(rename = "key-mlkem768")]
+    KeyMlKem768,
+    // Secure Enclave ML-KEM 1024
+    #[serde(rename = "key-mlkem1024")]
+    KeyMlKem1024,
    // PIV ECDH P256
    #[serde(rename = "piv-p256", alias = "ecdh")]
    PivP256,
@@ -98,6 +104,12 @@ pub enum TinyEncryptEnvelopType {
    // External ECDH P384
    #[serde(rename = "ext-p384")]
    ExtP384,
+    // External ML-KEM 768
+    #[serde(rename = "ext-mlkem768")]
+    ExtMlKem768,
+    // External ML-KEM 1024
+    #[serde(rename = "ext-mlkem1024")]
+    ExtMlKem1024,
    // PIV RSA
    #[serde(rename = "piv-rsa")]
    PivRsa,
@@ -122,8 +134,12 @@ impl TinyEncryptEnvelopType {
            TinyEncryptEnvelopType::StaticX25519 => "static-x25519",
            TinyEncryptEnvelopType::StaticKyber1024 => "static-kyber1024",
            TinyEncryptEnvelopType::KeyP256 => "key-p256",
+            TinyEncryptEnvelopType::KeyMlKem768 => "key-mlkem768",
+            TinyEncryptEnvelopType::KeyMlKem1024 => "key-mlkem1024",
            TinyEncryptEnvelopType::ExtP256 => "ext-p256",
            TinyEncryptEnvelopType::ExtP384 => "ext-p384",
+            TinyEncryptEnvelopType::ExtMlKem768 => "ext-mlkem768",
+            TinyEncryptEnvelopType::ExtMlKem1024 => "ext-mlkem1024",
            TinyEncryptEnvelopType::PivP256 => "piv-p256",
            TinyEncryptEnvelopType::PivP384 => "piv-p384",
            TinyEncryptEnvelopType::PivRsa => "piv-rsa",
@@ -140,8 +156,12 @@ impl TinyEncryptEnvelopType {
            "static-x25519" => Some(TinyEncryptEnvelopType::StaticX25519),
            "static-kyber1024" => Some(TinyEncryptEnvelopType::StaticKyber1024),
            "key-p256" => Some(TinyEncryptEnvelopType::KeyP256),
+            "key-mlkem768" => Some(TinyEncryptEnvelopType::KeyMlKem768),
+            "key-mlkem1024" => Some(TinyEncryptEnvelopType::KeyMlKem1024),
            "ext-p256" => Some(TinyEncryptEnvelopType::ExtP256),
            "ext-p384" => Some(TinyEncryptEnvelopType::ExtP384),
+            "ext-mlkem768" => Some(TinyEncryptEnvelopType::ExtMlKem768),
+            "ext-mlkem1024" => Some(TinyEncryptEnvelopType::ExtMlKem1024),
            "piv-p256" => Some(TinyEncryptEnvelopType::PivP256),
            "piv-p384" => Some(TinyEncryptEnvelopType::PivP384),
            "piv-rsa" => Some(TinyEncryptEnvelopType::PivRsa),
@@ -156,12 +176,16 @@ impl TinyEncryptEnvelopType {
            TinyEncryptEnvelopType::StaticX25519
            | TinyEncryptEnvelopType::StaticKyber1024
            | TinyEncryptEnvelopType::KeyP256
+            | TinyEncryptEnvelopType::KeyMlKem768
+            | TinyEncryptEnvelopType::KeyMlKem1024
            | TinyEncryptEnvelopType::Gpg
            | TinyEncryptEnvelopType::Kms => true,
            TinyEncryptEnvelopType::PgpRsa
            | TinyEncryptEnvelopType::PgpX25519
            | TinyEncryptEnvelopType::ExtP256
            | TinyEncryptEnvelopType::ExtP384
+            | TinyEncryptEnvelopType::ExtMlKem768
+            | TinyEncryptEnvelopType::ExtMlKem1024
            | TinyEncryptEnvelopType::PivP256
            | TinyEncryptEnvelopType::PivP384
            | TinyEncryptEnvelopType::PivRsa
@@ -174,6 +198,8 @@ impl TinyEncryptEnvelopType {
            TinyEncryptEnvelopType::PgpRsa
            | TinyEncryptEnvelopType::PgpX25519
            | TinyEncryptEnvelopType::KeyP256
+            | TinyEncryptEnvelopType::KeyMlKem768
+            | TinyEncryptEnvelopType::KeyMlKem1024
            | TinyEncryptEnvelopType::PivP256
            | TinyEncryptEnvelopType::PivP384
            | TinyEncryptEnvelopType::PivRsa
@@ -184,7 +210,9 @@ impl TinyEncryptEnvelopType {
            // GPG is unknown(hardware/software)
            TinyEncryptEnvelopType::Gpg
            | TinyEncryptEnvelopType::ExtP256
-            | TinyEncryptEnvelopType::ExtP384 => None,
+            | TinyEncryptEnvelopType::ExtP384
+            | TinyEncryptEnvelopType::ExtMlKem768
+            | TinyEncryptEnvelopType::ExtMlKem1024 => None,
        }
    }
 }
--- a/src/temporary_key.rs
+++ b/src/temporary_key.rs
@@ -51,6 +51,7 @@ pub fn deserialize_config_envelop(k: &str) -> XResult<TinyEncryptConfigEnvelop>
        desc: None,
        args: None,
        public_part: decode(k_parts[4])?,
+        profiles: None,
    })
 }

--- a/src/util_ecdh.rs
+++ b/src/util_ecdh.rs
@@ -1,4 +1,5 @@
 pub mod ecdh_p256 {
+    use std::ops::Deref;
    use p256::{EncodedPoint, PublicKey};
    use p256::ecdh::EphemeralSecret;
    use p256::elliptic_curve::sec1::FromEncodedPoint;
@@ -15,11 +16,12 @@ pub mod ecdh_p256 {
        let epk = esk.public_key();
        let shared_secret = esk.diffie_hellman(&public_key);
        let epk_public_key_der = opt_result!(epk.to_public_key_der(), "Convert epk to SPKI failed: {}");
-        Ok((shared_secret.raw_secret_bytes().as_slice().to_vec(), epk_public_key_der.to_vec()))
+        Ok((shared_secret.raw_secret_bytes().deref().to_vec(), epk_public_key_der.to_vec()))
    }
 }

 pub mod ecdh_p384 {
+    use std::ops::Deref;
    use p384::{EncodedPoint, PublicKey};
    use p384::ecdh::EphemeralSecret;
    use p384::elliptic_curve::sec1::FromEncodedPoint;
@@ -36,7 +38,7 @@ pub mod ecdh_p384 {
        let epk = esk.public_key();
        let shared_secret = esk.diffie_hellman(&public_key);
        let epk_public_key_der = opt_result!(epk.to_public_key_der(), "Convert epk to SPKI failed: {}");
-        Ok((shared_secret.raw_secret_bytes().as_slice().to_vec(), epk_public_key_der.to_vec()))
+        Ok((shared_secret.raw_secret_bytes().deref().to_vec(), epk_public_key_der.to_vec()))
    }
 }

--- a/src/util_gpg.rs
+++ b/src/util_gpg.rs
@@ -68,7 +68,7 @@ pub fn gpg_encrypt(key_id: &str, message: &[u8]) -> XResult<String> {
    let stderr = String::from_utf8_lossy(&encrypt_output.stderr).to_string();
    if !encrypt_output.status.success() {
        return simple_error!(
-            "GPG encrypt failed: {:?}\n- stdout: {}\n- stderr: {}",
+            "GPG encrypt failed:\n- exit code: [{:?}]\n- stdout: [{}]\n- stderr: [{}]",
            encrypt_output.status.code(), stdout, stderr
        );
    }
@@ -94,7 +94,7 @@ pub fn gpg_decrypt(message: &str) -> XResult<Vec<u8>> {
    let stderr = String::from_utf8_lossy(&decrypt_output.stderr).to_string();
    if !decrypt_output.status.success() {
        return simple_error!(
-            "GPG decrypt failed: {:?}\n- stdout: {}\n- stderr: {}",
+            "GPG decrypt failed:\n- exit code: [{:?}]\n- stdout: [{}]\n- stderr: [{}]",
            decrypt_output.status.code(), stdout, stderr
        );
    }
--- a/src/util_keychainkey.rs
+++ b/src/util_keychainkey.rs
@@ -1,21 +1,36 @@
 use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
 use rust_util::{simple_error, XResult};
-use swift_secure_enclave_tool_rs::{ControlFlag, KeyPurpose};
+use swift_secure_enclave_tool_rs::{ControlFlag, KeyMlKem, KeyPurpose};
+use crate::spec::TinyEncryptEnvelopType;

 pub fn is_support_se() -> bool {
    swift_secure_enclave_tool_rs::is_secure_enclave_supported().unwrap_or(false)
 }

 pub fn decrypt_data(
+    envelop_type: TinyEncryptEnvelopType,
    private_key_base64: &str,
    ephemeral_public_key_bytes: &[u8],
 ) -> XResult<Vec<u8>> {
    let private_key_representation = STANDARD.decode(private_key_base64)?;
-    let shared_secret = swift_secure_enclave_tool_rs::private_key_ecdh(
-        &private_key_representation,
-        ephemeral_public_key_bytes,
-    )?;
+    let shared_secret = match envelop_type {
+        TinyEncryptEnvelopType::KeyP256 => swift_secure_enclave_tool_rs::private_key_ecdh(
+            &private_key_representation,
+            ephemeral_public_key_bytes,
+        )?,
+        TinyEncryptEnvelopType::KeyMlKem768 => swift_secure_enclave_tool_rs::private_key_mlkem_ecdh(
+            KeyMlKem::MlKem768,
+            &private_key_representation,
+            ephemeral_public_key_bytes,
+        )?,
+        TinyEncryptEnvelopType::KeyMlKem1024 => swift_secure_enclave_tool_rs::private_key_mlkem_ecdh(
+            KeyMlKem::MlKem1024,
+            &private_key_representation,
+            ephemeral_public_key_bytes,
+        )?,
+        _ => return simple_error!("Invalid envelop type: {:?}", envelop_type),
+    };
    Ok(shared_secret)
 }

--- a/src/util_mlkem.rs
+++ b/src/util_mlkem.rs
@@ -0,0 +1,49 @@
+use ml_kem::kem::Encapsulate;
+use ml_kem::{Encoded, EncodedSizeUser, KemCore, MlKem1024, MlKem768};
+use rust_util::{opt_result, simple_error, XResult};
+
+#[derive(Clone, Copy, Debug)]
+pub enum MlKemAlgo {
+    MlKem768,
+    MlKem1024,
+}
+
+pub fn ml_kem_768_encapsulate(public_key: &[u8]) -> XResult<(Vec<u8>, Vec<u8>)> {
+    let encapsulation_key_encoded: Encoded<<MlKem768 as KemCore>::EncapsulationKey> = opt_result!(
+        public_key.try_into(),
+        "Parse ML-KEM 768 encapsulation key failed: {}"
+    );
+    let encapsulation_key =
+        <MlKem768 as KemCore>::EncapsulationKey::from_bytes(&encapsulation_key_encoded);
+    let mut rng = rand::rngs::OsRng;
+    let (ciphertext, shared_key) = opt_result!(
+        encapsulation_key.encapsulate(&mut rng),
+        "Encapsulate shared key failed: {:?}"
+    );
+    Ok((shared_key.0.to_vec(), ciphertext.0.to_vec()))
+}
+
+pub fn ml_kem_1024_encapsulate(public_key: &[u8]) -> XResult<(Vec<u8>, Vec<u8>)> {
+    let encapsulation_key_encoded: Encoded<<MlKem1024 as KemCore>::EncapsulationKey> = opt_result!(
+        public_key.try_into(),
+        "Parse ML-KEM 1024 encapsulation key failed: {}"
+    );
+    let encapsulation_key =
+        <MlKem1024 as KemCore>::EncapsulationKey::from_bytes(&encapsulation_key_encoded);
+    let mut rng = rand::rngs::OsRng;
+    let (ciphertext, shared_key) = opt_result!(
+        encapsulation_key.encapsulate(&mut rng),
+        "Encapsulate shared key failed: {:?}"
+    );
+    Ok((shared_key.0.to_vec(), ciphertext.0.to_vec()))
+}
+
+pub fn try_ml_kem_encapsulate(public_key: &[u8]) -> XResult<(Vec<u8>, Vec<u8>, MlKemAlgo)> {
+    if let Ok((shared_key, ciphertext)) = ml_kem_768_encapsulate(public_key) {
+        return Ok((shared_key, ciphertext, MlKemAlgo::MlKem768));
+    }
+    if let Ok((shared_key, ciphertext)) = ml_kem_1024_encapsulate(public_key) {
+        return Ok((shared_key, ciphertext, MlKemAlgo::MlKem1024));
+    }
+    simple_error!("Only supports ML-KEM 768 or ML-KEM 1024.")
+}
--- a/src/util_simple_pbe.rs
+++ b/src/util_simple_pbe.rs
@@ -24,10 +24,10 @@ impl SimplePbkdfEncryptionV1 {
        enc.starts_with(&format!("{SIMPLE_PBKDF_ENCRYPTION_PREFIX}."))
    }

-    pub fn encrypt(password: &str, plaintext: &[u8]) -> XResult<SimplePbkdfEncryptionV1> {
+    pub fn encrypt(password: &str, plaintext: &[u8], iterations: &Option<u32>) -> XResult<SimplePbkdfEncryptionV1> {
        let salt: [u8; 12] = random();
        let repetition = 1000;
-        let iterations = 10000;
+        let iterations = iterations.unwrap_or(10000);
        let key = simple_pbkdf(password.as_bytes(), &salt, repetition, iterations);

        let key_bytes: [u8; 32] = opt_result!(key.try_into(), "Bad AES 256 key: {:?}");
@@ -166,7 +166,7 @@ fn simple_pbkdf(password: &[u8], salt: &[u8], repetition: u32, iterations: u32)

 #[test]
 fn test() {
-    let enc = SimplePbkdfEncryptionV1::encrypt("helloworld", "test".as_bytes()).unwrap();
+    let enc = SimplePbkdfEncryptionV1::encrypt("helloworld", "test".as_bytes(), &None).unwrap();
    let enc_str = enc.to_string();
    let enc2: SimplePbkdfEncryptionV1 = enc_str.try_into().unwrap();
    assert_eq!(enc.to_string(), enc2.to_string());
Author	SHA1	Message	Date
Hatter Jiang	0604745f82	feat: v1.9.20, simple-encrypt/simple-decrypt support iterations	2026-01-01 21:16:10 +08:00
Hatter Jiang	1f4db9d1b0	feat: update gpg	2025-12-28 20:45:45 +08:00
Hatter Jiang	cdec79e4dc	feat: v1.9.18	2025-12-28 20:18:39 +08:00
Hatter Jiang	3812001474	feat: updates	2025-10-18 14:45:50 +08:00
Hatter Jiang	3708781390	feat: v1.9.18	2025-10-18 14:32:06 +08:00
Hatter Jiang	a6397fc45a	feat: v1.9.17	2025-10-17 19:20:41 +08:00
Hatter Jiang	0e6b590f32	feat: udpate README	2025-10-16 07:08:14 +08:00
Hatter Jiang	b0ee1f2c59	feat: v1.9.16	2025-10-14 23:38:22 +08:00
Hatter Jiang	c176021c81	feat: v1.9.15, Secure Enclave ML-KEM-768, ML-KEM-1024 encrypt/decrypt	2025-09-27 20:51:56 +08:00
Hatter Jiang	d75c589b66	feat: add keymlkem	2025-09-26 23:44:31 +08:00
Hatter Jiang	0c4663f7f0	feat: updates	2025-09-26 23:28:41 +08:00
Hatter Jiang	c446a52462	feat: encrypt ML-KEM-768&1024	2025-09-26 23:25:53 +08:00
Hatter Jiang	9b0ecef9a0	feat: pending ML-KEM encryption and decryption	2025-09-26 01:13:37 +08:00
Hatter Jiang	783b3e1962	feat: pending ML-KEM encryption and decryption	2025-09-26 01:13:24 +08:00