@maraino @z8674558 I've reviewed and generally everything looks good to me. I committed some grammar / documentation changes on top.

The only additional question / comment I have is whether we should use --decrypt-password-file and --encrypt-password-file? Otherwise I can see it being confusing whether --password-file is the flag to decrypt the old file or to encrypt the new p12 or key file. For example, you may want password-file to decrypt the input and --no-password to leave the output unencrypted - currently this would throw an error.

Maybe our answer to the above is that we always use the same encryption on the output as was used on the input, but then there's no need for --no-password and --insecure.