diff --git a/sign/encrypt.go b/sign/encrypt.go
index 5cb16e3..1ec2b5d 100644
--- a/sign/encrypt.go
+++ b/sign/encrypt.go
@@ -65,6 +65,7 @@ import (
 "golang.org/x/crypto/curve25519"
 "golang.org/x/crypto/hkdf"
 "io"
+ "os"
 "github.com/opencoff/sigtool/internal/pb"
 )
@@ -242,6 +243,9 @@ func (e *Encryptor) start(wr io.Writer) error {
 h.Write(sumHdr)
 key := h.Sum(nil)
+ debug("encrypt:\n\thdr-cksum: %x\n\tsalt: %x\n\tkey: %x\n\taes-key: %x\n",
+ sumHdr, e.Salt, e.key, key)
+
 aes, err := aes.NewCipher(key)
 if err != nil {
 return fmt.Errorf("encrypt: %w", err)
@@ -422,6 +426,9 @@ havekey:
 h.Write(d.hdrsum)
 key = h.Sum(nil)
+ debug("decrypt:\n\thdr-cksum: %x\n\tsalt: %x\n\tkey: %x\n\taes-key: %x\n",
+ d.hdrsum, d.Salt, d.key, key)
+
 aes, err := aes.NewCipher(key)
 if err != nil {
 return fmt.Errorf("decrypt: %w", err)
@@ -736,4 +743,25 @@ func sha256Slices(v ...[]byte) []byte {
 return h.Sum(nil)[:]
 }
+var _debug int = 0
+
+// Enable debugging of this module;
+// level > 0 elicits debug messages on os.Stderr
+func Debug(level int) {
+ _debug = level
+}
+
+func debug(s string, v ...interface{}) {
+ if _debug <= 0 {
+ return
+ }
+
+ z := fmt.Sprintf(s, v...)
+ if n := len(z); z[n-1] != '\n' {
+ z += "\n"
+ }
+ os.Stderr.WriteString(z)
+ os.Stderr.Sync()
+}
+
 // EOF
diff --git a/sigtool.go b/sigtool.go
index 697d69b..ef7b7f5 100644
--- a/sigtool.go
+++ b/sigtool.go
@@ -30,12 +30,13 @@ var Z string = path.Base(os.Args[0])
 func main() {
- var ver, help bool
+ var ver, help, debug bool
 mf := flag.NewFlagSet(Z, flag.ExitOnError)
 mf.SetInterspersed(false)
 mf.BoolVarP(&ver, "version", "v", false, "Show version info and exit")
 mf.BoolVarP(&help, "help", "h", false, "Show help info exit")
+ mf.BoolVarP(&debug, "debug", "", false, "Enable debug mode")
 mf.Parse(os.Args[1:])
 if ver {
@@ -80,8 +81,12 @@ func main() {
 Die("can't map command %s", canon)
 }
+ if debug {
+ sign.Debug(1)
+ }
+
 cmd(args[1:])
-
+
 // always call Exit so that at-exit handlers are called.
 Exit(0)
 }
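Review bot: The added `debug(...)` call in `Encryptor.start` (sign/encrypt.go, hunk at -242) hex-prints `e.key` and the derived `key` that is passed straight to `aes.NewCipher`, so with debugging on the encryption keys land on stderr, which commonly ends up in terminal scrollback, CI logs or log collectors. The matching call in the decrypt path (hunk at `havekey:`) does the same with `d.key` and `key`. The checksum and salt are enough to compare the two sides, so I would drop the key arguments: `debug("encrypt:\n\thdr-cksum: %x\n\tsalt: %x\n", sumHdr, e.Salt)`. If key correlation is really needed, print a short digest such as `sha256Slices(key)[:4]` instead of the key. Both function bodies extend outside their hunks.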
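Review bot: In the new `debug` helper at the end of sign/encrypt.go, `z[n-1]` panics when the formatted string is empty, because `n` is 0; guard it with `if n := len(z); n == 0 || z[n-1] != '\n' {`. `Debug` is exported from the `sign` package, so any importing program can switch the output on. Its doc comment should start with the function name and state what gets printed, e.g. `// Debug sets the debug level; level > 0 prints internal state, including key material, to os.Stderr.` `_debug` is a plain package variable, so presumably `Debug` is meant to be called once before any encrypt or decrypt work starts, which is worth stating in the comment too.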
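Review bot: In sigtool.go the flag help string `"Enable debug mode"` gives no hint that `--debug` leads to `sign.Debug(1)`, which per the sign/encrypt.go hunks writes key material to stderr. The usage text elsewhere in this file says only "(DANGEROUS)", without a reason. I would spell it out at the flag, e.g. `mf.BoolVarP(&debug, "debug", "", false, "Enable debug mode (prints secret keys to stderr)")`, and print a one-line warning on stderr inside the `if debug {` block so the output is not mistaken for logs that are safe to share. The body of `main` extends outside both hunks.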
@@ -323,7 +328,8 @@ Usage: %s [global-options] command [options] arg [args..]
 Global options:
 -h, --help Show help and exit
- -v, --version Show version info and exit.
+ -v, --version Show version info and exit
+ --debug Enable debug (DANGEROUS)
 Commands:
 generate, g Generate a new Ed25519 keypair