CLI Reference¶
Complete reference for every blazehash flag and subcommand. Flags are organized by category.
Positional arguments¶
paths¶
Files or directories to hash.
When no paths are given, blazehash reads from the current directory (or stdin with --stdin).
Global flags¶
-c, --compute¶
Hash algorithms, comma-separated. Default: blake3.
Available algorithms:
| Algorithm | Type | Notes |
|---|---|---|
| blake3 | Cryptographic | Default |
| blake2b | Cryptographic | 512-bit output |
| blake2s | Cryptographic | 256-bit output |
| sha256 | Cryptographic | |
| sha512 | Cryptographic | |
| sha512-256 | Cryptographic | SHA-512 truncated to 256 bits |
| sha512-224 | Cryptographic | SHA-512 truncated to 224 bits |
| sha3-256 | Cryptographic | |
| sha1 | Cryptographic | |
| md5 | Cryptographic | |
| tiger | Cryptographic | |
| whirlpool | Cryptographic | |
| sm3 | Cryptographic | Chinese national standard (GB/T 32905) |
| streebog-256 | Cryptographic | GOST R 34.11-2012, 256-bit |
| streebog-512 | Cryptographic | GOST R 34.11-2012, 512-bit |
| ripemd160 | Cryptographic | |
| k12 | Cryptographic | KangarooTwelve (parallel SHA-3 variant) |
| shake128 | Cryptographic | Extendable output |
| shake256 | Cryptographic | Extendable output |
| crc32c | Non-cryptographic | |
| crc64 | Non-cryptographic | |
| adler32 | Non-cryptographic | |
| xxh3 | Non-cryptographic | |
| ssdeep | Fuzzy | |
| tlsh | Fuzzy | |
-r, --recursive¶
Recurse into directories.
-o, --output¶
Write output to a file instead of stdout. Accepts local paths and remote storage URIs (requires --features remote, on by default).
# Local file
blazehash -r /mnt/evidence -o manifest.hash
# AWS S3
blazehash -r /mnt/evidence -o s3://dfir-bucket/case-001.hash
# Google Cloud Storage
blazehash -r /mnt/evidence -o gcs://dfir-bucket/case-001.hash
# Azure Blob Storage
blazehash -r /mnt/evidence -o azblob://dfir-container/case-001.hash
# WebDAV (Nextcloud, Box, SharePoint)
blazehash -r /mnt/evidence -o webdav://files.example.com/dfir/case-001.hash
# HTTP/S PUT endpoint
blazehash -r /mnt/evidence -o https://ingest.example.com/upload/case-001.hash
-b, --bare¶
Bare output — no header comments, no metadata lines. Just the hash entries.
-s, --size-only¶
List files with sizes only. No hashing. Useful for a quick inventory before committing to a full hash run.
--format¶
Output format. Default: hashdeep.
| Format | Description | Feature |
|---|---|---|
| hashdeep | hashdeep-compatible manifest (HASHDEEP-1.0 or BLAZEHASH-1.0 header) | default |
| dfxml | Digital Forensics XML — Autopsy/Sleuth Kit compatible | default |
| sha256sum | Compatible with sha256sum(1) and md5sum(1) | default |
| csv | Comma-separated values | default |
| json | JSON array | default |
| jsonl | Newline-delimited JSON (one object per line) | default |
| ecs | NDJSON in Elastic Common Schema (ECS) format | default |
| stix | STIX 2.1 bundle (JSON) | default |
| sqlite | SQLite database | sqlite (default-on) |
| parquet | Apache Parquet columnar file | parquet-output (default-on) |
| duckdb | DuckDB database file | duckdb-output (default-on) |
--sign¶
Sign the manifest after writing. Requires --output. You will be prompted for a password, or set BLAZEHASH_SIGN_PASSWORD.
--stdin¶
Hash data from stdin instead of files.
Filtering flags¶
--min-size¶
Only hash files larger than this size. Accepts suffixes: K, M, G.
--max-size¶
Only hash files smaller than this size.
--newer¶
Only hash files modified after a date. Format: YYYY-MM-DD.
--include¶
Include only files matching a glob pattern. Repeatable.
Supports ** for recursive matching.
--exclude¶
Exclude files matching a glob pattern. Repeatable. Overrides --include.
Audit flags¶
-a, --audit¶
Enable audit mode. Re-hashes files and compares against a known manifest.
Exit code 0 = all files match. Exit code 1 = mismatches found.
-k, --known¶
Path to known hash manifest(s) for audit mode. Repeatable.
When omitted in audit mode, blazehash looks for *.hash files in the current directory.
--fuzzy-threshold¶
Minimum similarity percentage (0-100) to report a fuzzy match. Default: 50.
--fuzzy-top¶
Show the top N fuzzy matches per file. Default: 5.
--expected-pubkey¶
Expected public key hex for signature verification. Used with verify-sig or audit auto-verification.
When provided during audit, blazehash checks the manifest signature before comparing hashes. An invalid signature aborts the audit.
--ignore-sig¶
Skip automatic signature verification during audit, even when a .sig file exists.
--fail-on-unknown¶
Exit non-zero if any file on disk has no corresponding entry in the manifest (unknown files). Unknown files are logged with a [?] prefix; if any are found the process exits with code 1.
Useful in sealed-environment audits where every file must be accounted for in the known manifest.
Subcommands¶
Acquisition¶
watch¶
Live monitoring: continuously hash a path and alert on changes against a baseline manifest.
archive¶
Hash all files inside a ZIP or TAR archive without extracting. Requires --features archive (default-on).
image¶
Hash the layers of an OCI/Docker container image. Requires --features docker.
Google Drive hashing¶
Hash a Google Drive file without downloading it to disk. Pass a gdrive:// URI or a full Drive share URL directly as the path argument.
Output:
Auth: uses a cached OAuth token from ~/.config/blazehash/gdrive_token.json if present, otherwise falls back to a public (unauthenticated) download. Run blazehash gdrive auth login once to authenticate.
gdrive auth login¶
Open a browser OAuth consent flow and cache the resulting Google token.
gdrive auth status¶
Check whether a valid cached token exists.
Chain of Custody & Signing¶
sign¶
Sign a manifest file with a password-derived Ed25519 key.
Set BLAZEHASH_SIGN_PASSWORD to skip the interactive prompt:
The password is fed through Argon2id with a fixed application salt to produce a deterministic Ed25519 key. Same password = same key on any machine. Because the salt is fixed, the signing key is only as strong as the password it is derived from.
verify-sig¶
Verify a manifest signature against an expected public key.
Exit code 0 = valid. Exit code 1 = tampered or wrong key.
cosign¶
Add a co-signature to a manifest. Each examiner runs this with their own password; N-of-M signatures are required before verify-msig passes.
verify-msig¶
Verify that a manifest has reached the required N-of-M cosignature threshold.
pq-sign¶
Sign a manifest with a CRYSTALS-Dilithium (ML-DSA) post-quantum key. Requires --features pq (default-on).
pq-verify-sig¶
Verify a post-quantum ML-DSA signature. Requires --features pq (default-on).
ots stamp¶
Anchor a manifest to the Bitcoin blockchain via OpenTimestamps. Creates manifest.hash.ots. Requires --features ots.
ots verify¶
Verify a previously created OpenTimestamps proof. Requires --features ots.
stamp¶
Add or update the ## timestamp: header in a manifest to the current UTC time.
report¶
Generate an HTML chain-of-custody report from a manifest. Requires --features report.
qr¶
Generate a QR code image from a manifest's root hash. Requires --features qr.
Tamper Evidence & Selective Disclosure¶
How it works — see Tamper Evidence mechanics in Concepts for a full explanation of Merkle tree construction, inclusion proofs, and the security properties of each subcommand.
seal¶
Seal a manifest with a single tamper-evident root hash. Any change to any entry changes the root — you can publish just the root hash to prove the full set was sealed at a specific point in time.
file-proof¶
Prove that a specific file was part of a sealed manifest without revealing any other entries. Share only the proof and root hash — the other files stay private.
verify-proof¶
Confirm that a file was present when the manifest was sealed. Verifies offline against the root hash — no access to the original manifest required.
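The seal, file-proof and verify-proof flow above, as an added example that is not blazehash's own code. The tree construction is an assumption (SHA-256, 0x00/0x01 domain-separation prefixes, unpaired nodes promoted unchanged), and the entry strings and function names are constructed for illustration; blazehash's actual encoding is described in Concepts.

```python
import hashlib

# Constructed manifest lines (size,hash,path); values are illustrative only.
SAMPLE_ENTRIES = [
    "1024,aa11,/evidence/a.doc",
    "2048,bb22,/evidence/b.pdf",
    "4096,cc33,/evidence/c.jpg",
    "8192,dd44,/evidence/d.zip",
    "512,ee55,/evidence/e.txt",
]

def leaf_hash(entry: str) -> bytes:
    # Assumed encoding: the 0x00 prefix keeps leaves distinct from interior nodes.
    return hashlib.sha256(b"\x00" + entry.encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(entries):
    if not entries:
        raise ValueError("cannot seal an empty manifest")
    levels = [[leaf_hash(e) for e in entries]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # Pair neighbours; an unpaired last node is promoted to the next level.
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def seal_root(entries) -> bytes:
    return build_levels(entries)[-1][0]

def make_proof(entries, index: int):
    """Sibling hashes from leaf to root: all a verifier needs besides the root."""
    if not 0 <= index < len(entries):
        raise IndexError("entry index out of range")
    proof = []
    for level in build_levels(entries)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_proof(entry: str, proof, root: bytes) -> bool:
    acc = leaf_hash(entry)
    for side, sibling in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == root
```

The verifier sees only one entry, a handful of sibling hashes and the published root; the other entries never leave the examiner's machine.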
disclose¶
Produce a redacted copy that reveals only the files you choose while proving they belong to the original sealed manifest. Useful when you need to share partial evidence without exposing the full case file.
check-file¶
Assert that a specific file exists in a manifest — exits 0 if present, 1 if not. Useful in automated pipelines that need to verify a file was captured.
Integrity & Threat Intel¶
verify¶
Re-hash every file listed in a manifest and report mismatches (alias for audit mode without requiring -a).
vt¶
Batch VirusTotal lookup for all hashes in a manifest. Requires a VT API key via --api-key or VT_API_KEY.
selfcheck¶
Verify the integrity of the blazehash binary itself.
Manifest Analysis¶
diff¶
Compare two manifests and report changes. Output uses [+], [-], [!], [*] prefixes. Exit code 0 = identical, 1 = differences.
sym-diff¶
Find files that changed between two evidence snapshots — entries that appear in one manifest but not the other. Useful for pinpointing what was added or removed between two collection points.
info¶
Print manifest header metadata: version, algorithm list, case ID, examiner, timestamp.
stats¶
Print per-algorithm statistics: entry count, total size, unique hash count.
count¶
Print the number of entries in a manifest.
timeline¶
Generate a chronological timeline of file activity from a manifest.
tally¶
Count entries grouped by extension, directory, or algorithm.
missing¶
List files in the manifest that do not exist on disk.
Manifest Filtering & Selection¶
search¶
Search entries by path substring or exact hash value.
blazehash search manifest.hash --search-path "suspicious"
blazehash search manifest.hash --search-hash "a3f8e2c1..."
grep¶
Filter entries whose path matches a regular expression.
filter¶
Keep only entries computed with a specific algorithm.
head / tail¶
Print the first or last N entries.
slice¶
Extract a range of entries by offset and count.
sample¶
Select N random entries.
contains¶
Exit 0 if a path or hash exists in the manifest, exit 1 otherwise. Useful in shell scripts.
intersect¶
Keep only entries whose path appears in both manifests (set intersection).
subtract¶
Remove entries from manifest A whose path appears in manifest B (set difference).
exclude¶
Remove entries matching a path pattern.
path-only¶
Print only the file paths (strips hashes and metadata).
hash-only¶
Print only the hash values (strips paths and metadata).
Manifest Transformation¶
merge¶
Combine two or more manifests into one. Last-write-wins on duplicate paths.
update¶
Incrementally rehash only changed or new files against an existing manifest.
cat¶
Concatenate two or more manifests. Like merge but preserves duplicate path entries.
sort¶
Sort entries by path, size, or hash.
blazehash sort manifest.hash --sort-by path -o sorted.hash
blazehash sort manifest.hash --sort-by size -o sorted.hash
split¶
Split a manifest into N parts by entry count.
balance¶
Split a manifest into N parts of roughly equal total file size — useful when distributing hashing work across multiple machines or verifiers.
interleave¶
Combine two manifests by alternating their entries (A, B, A, B, …). Useful for interlacing two partial collections into a single ordered pass before hashing or processing.
reverse¶
Reverse the entry order of a manifest.
shuffle¶
Randomly reorder entries. Use --seed for reproducible output.
normalize¶
Normalize a manifest: remove blank lines, fix spacing, sort entries, deduplicate.
repair¶
Minimal formatting fix: strip blank lines, normalize separators, drop malformed lines. Less aggressive than normalize.
rename¶
Rewrite path prefixes across all manifest entries.
tag¶
Add or update header metadata fields in a manifest.
blazehash tag manifest.hash --set case_id="CASE-2026-002"
blazehash tag manifest.hash --unset examiner
annotate¶
Add or replace a ## note: header in a manifest.
pivot¶
Produce a copy of a manifest keyed by a different algorithm — useful when you need to cross-reference a BLAKE3 manifest against a legacy SHA-256 database or hand it to a tool that only understands one algorithm.
apply-patch¶
Apply a unified diff patch to a manifest.
Deduplication¶
dedup¶
Find duplicate files in a directory or manifest. Exit code 0 = no duplicates, 1 = duplicates found.
blazehash dedup /mnt/evidence
blazehash dedup manifest.hash
blazehash dedup /mnt/evidence --dedup-unique # one representative per group
blazehash dedup /mnt/evidence --dedup-dupes # only the redundant copies
duplicates¶
Emit all manifest entries whose hash appears more than once.
unique-hash¶
Keep only the first entry per unique hash — complement to duplicates.
uniq¶
Deduplicate entries by path — keep the last occurrence of each path.
first¶
Keep the first occurrence of each path — complement to uniq.
Format Conversion & Import/Export¶
convert¶
Import a foreign manifest format (md5sum, sha256sum, hashdeep, SFV) and convert to blazehash format.
export¶
Export a manifest to CSV, JSONL, or TSV.
blazehash export manifest.hash --export-format csv -o hashes.csv
blazehash export manifest.hash --export-format jsonl -o hashes.jsonl
checksum¶
Convert a DFXML manifest to a sha256sum-compatible flat file.
lint¶
Validate a manifest for formatting errors, duplicate paths, or missing fields.
redact¶
Remove selected entries from a manifest (privacy redaction / selective disclosure).
Utilities¶
nsrl build-bloom¶
Build a bloom filter from an NSRL SQLite database for faster lookups.
bench¶
Run benchmarks and GPU calibration.
blazehash bench --gpu # measure GPU vs CPU crossover, write config
blazehash bench --gpu --no-calibrate # use conservative defaults, no config write
tui¶
Launch the interactive terminal dashboard. Requires --features tui.
mcp¶
Start the MCP (Model Context Protocol) server for AI-assisted forensic hashing. See MCP Server for details.
completions¶
Generate shell completion scripts or a man page. Output goes to stdout.
blazehash completions bash > /etc/bash_completion.d/blazehash
blazehash completions zsh > ~/.zsh/completions/_blazehash
blazehash completions fish > ~/.config/fish/completions/blazehash.fish
blazehash completions powershell >> $PROFILE
blazehash completions man > blazehash.1 && man ./blazehash.1
Remote storage¶
blazehash accepts remote URIs for both input paths and -o output — 50+ protocols supported.
Full protocol reference: Remote Storage →
Common examples:
# Hash an S3 prefix
blazehash s3://dfir-bucket/case-001/
# Write manifest to S3
blazehash -r /mnt/evidence -o s3://dfir-bucket/case-001.hash
# Audit against a remote manifest
blazehash -r /mnt/evidence -a -k s3://dfir-bucket/case-001.hash
# Hash a Google Drive file
blazehash gdrive://1ABCdef...
# Hash over SFTP
blazehash sftp://admin@192.168.1.10/evidence/disk.dd
Supported schemes include: s3, gcs, azblob, azdls, azfile, b2, cos, obs, oss,
swift, upyun, gdrive, onedrive, dropbox, aliyun-drive, yandex-disk, pcloud,
koofr, seafile, github, huggingface, vercel-blob, alluxio, hdfs, webhdfs, lakefs,
ipfs, ipmfs, redis, rediss, memcached, etcd, tikv, mongodb, mysql, postgresql,
sqlite, rocksdb (opt-in), cloudflare-kv, d1, sftp, ftp, ftps, webdav, http,
https, compfs, monoiofs (Linux), file, mem.
NSRL flags¶
--nsrl¶
Path to an NSRL database (.db SQLite) or bloom filter (.bloom) file. Annotates known-good files with [K] in output.
--nsrl-hsh¶
Path to a NIST NSRL flat .hsh hashset file (alternative to the SQLite --nsrl database).
--nsrl-exclude¶
Suppress known-good files from output entirely. Requires --nsrl.
Warning
When using --nsrl-exclude with a bloom filter, a small number of files that are not in the NSRL set may be suppressed due to false positives (~0.1%). Use the SQLite database for exclusion in production environments.
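Why the warning matters, as an added example that is not blazehash's code: a Bloom filter sized for a 0.1% false-positive rate never misses a known hash, but it does report a few unknown hashes as known, and with exclusion those files vanish from the output. The filter sizing, the double-hashing scheme and the constructed hash sets are assumptions made for the demonstration.

```python
import hashlib
import math

class Bloom:
    """Minimal Bloom filter; sizing is the textbook formula, not blazehash's."""
    def __init__(self, capacity: int, fp_rate: float):
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # double hashing, odd stride
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def digest(label: str) -> bytes:
    return hashlib.sha256(label.encode()).digest()

# Constructed data: 5,000 "known-good" hashes and 50,000 hashes that are not.
KNOWN = [digest(f"known-{i}") for i in range(5000)]
ON_DISK_UNKNOWN = [digest(f"unknown-{i}") for i in range(50000)]

def build_bloom(hashes, fp_rate: float = 0.001) -> Bloom:
    bloom = Bloom(len(hashes), fp_rate)
    for h in hashes:
        bloom.add(h)
    return bloom

def wrongly_suppressed(known_lookup, candidates) -> int:
    """Count unknown files that an exclude pass would drop from the output."""
    return sum(1 for h in candidates if h in known_lookup)

if __name__ == "__main__":
    bloom = build_bloom(KNOWN)
    print("exact set :", wrongly_suppressed(set(KNOWN), ON_DISK_UNKNOWN))
    print("bloom     :", wrongly_suppressed(bloom, ON_DISK_UNKNOWN))
```

An exact lookup suppresses none of the unknown files, while the Bloom filter suppresses a handful per tens of thousands, which is the gap the SQLite recommendation closes.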
Advanced flags¶
--entropy¶
Compute and display the Shannon entropy of each file alongside its hash. Values range 0.0–8.0; scores above 7.2 suggest encrypted, compressed, or packed content.
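How to read the entropy score, as an added example that is not blazehash's implementation: it computes byte-histogram entropy and shows that a file shorter than 148 bytes can never exceed 7.2, so a small encrypted file stays under the threshold. The function names and sample data are constructed, and SHA-256 in counter mode stands in for ciphertext.

```python
import hashlib
import math
from collections import Counter

THRESHOLD = 7.2  # bits per byte, the cut-off quoted in the text above

def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte histogram, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def entropy_ceiling(size: int) -> float:
    """Highest score a file of this size can reach: log2(min(size, 256))."""
    return math.log2(min(size, 256)) if size > 0 else 0.0

def pseudo_random(size: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:size])

def classify(data: bytes) -> str:
    if shannon_entropy(data) > THRESHOLD:
        return "high-entropy"
    if entropy_ceiling(len(data)) <= THRESHOLD:
        return "inconclusive (too small)"  # cannot reach the threshold at all
    return "low-entropy"

if __name__ == "__main__":
    samples = {
        "http text (constructed)": b"GET /index.html HTTP/1.1\r\n" * 200,
        "64 KiB random-looking": pseudo_random(65536),
        "100 B random-looking": pseudo_random(100),
    }
    for name, blob in samples.items():
        print(f"{name:26} {shannon_entropy(blob):5.3f}  {classify(blob)}")
```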
--yara¶
Run YARA rule matching during the directory walk. Requires --features yara.
--yara-max-size¶
Maximum file size (in MiB) for YARA scanning. Default: 256. Files larger than this threshold are still hashed but the YARA scan is skipped and a warning is written to stderr.
--no-cache¶
Bypass the OS page cache. Reads directly from disk using platform-specific direct I/O (F_NOCACHE on macOS, O_DIRECT on Linux, FILE_FLAG_NO_BUFFERING on Windows).
Use this when hashing a live system without disturbing in-memory evidence.
--no-gpu¶
Force CPU-only hashing, even when a GPU is available.
--ads¶
Hash NTFS Alternate Data Streams alongside main file content. Windows only; no-op on other platforms.
--resume¶
Resume from a partial manifest. Reads the existing output file, skips already-hashed files, and continues where it left off.
-p, --piecewise¶
Piecewise (chunk) hashing. Each file produces one hash entry per chunk. Accepts size suffixes: K, M, G.
--verify-image¶
Verify a forensic disk image. Supports E01/EWF (EnCase) images and raw/DD images with sidecar hash files.
For E01 images, blazehash verifies the stored hashes against recomputed values. Multi-segment images (.E01, .E02, ...) are detected automatically.
For raw images, blazehash looks for sidecar files (.md5, .sha256, .sha512, .blake3) alongside the image.