diff --git a/cmdline/src/main/java/io/opentdf/platform/Command.java b/cmdline/src/main/java/io/opentdf/platform/Command.java
index 246c19dc..a739c600 100644
--- a/cmdline/src/main/java/io/opentdf/platform/Command.java
+++ b/cmdline/src/main/java/io/opentdf/platform/Command.java
@@ -6,6 +6,7 @@
 import io.opentdf.platform.sdk.AssertionConfig;
 import io.opentdf.platform.sdk.AutoConfigureException;
 import io.opentdf.platform.sdk.Config;
+import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.Config.AssertionVerificationKeys;
 import io.opentdf.platform.sdk.NanoTDF;
 import io.opentdf.platform.sdk.SDK;
@@ -145,6 +146,8 @@ void encrypt(
             @Option(names = { "-a", "--attr" }, defaultValue = Option.NULL_VALUE) Optional<String> attributes,
             @Option(names = { "-c",
                     "--autoconfigure" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> autoconfigure,
+            @Option(names = {
+                    "--encap-key-type" }, defaultValue = Option.NULL_VALUE, description = "Preferred key access key wrap algorithm, one of ${COMPLETION-CANDIDATES}") Optional<KeyType> encapKeyType,
             @Option(names = { "--mime-type" }, defaultValue = Option.NULL_VALUE) Optional<String> mimeType,
             @Option(names = { "--with-assertions" }, defaultValue = Option.NULL_VALUE) Optional<String> assertion)
 
@@ -161,6 +164,7 @@ void encrypt(
         configs.add(Config.withKasInformation(kasInfos));
         metadata.map(Config::withMetaData).ifPresent(configs::add);
         autoconfigure.map(Config::withAutoconfigure).ifPresent(configs::add);
+        encapKeyType.map(Config::WithWrappingKeyAlg).ifPresent(configs::add);
         mimeType.map(Config::withMimeType).ifPresent(configs::add);
 
         if (assertion.isPresent()) {
@@ -226,6 +230,7 @@ private SDK buildSDK() {
 
     @CommandLine.Command(name = "decrypt")
     void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
+            @Option(names = { "--rewrap-key-type" }, defaultValue = Option.NULL_VALUE, description = "Preferred rewrap algorithm, one of ${COMPLETION-CANDIDATES}") Optional<KeyType> rewrapKeyType,
             @Option(names = { "--with-assertion-verification-disabled" }, defaultValue = "false") boolean disableAssertionVerification,
             @Option(names = { "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification)
              throws IOException, TDF.FailedToCreateGMAC, JOSEException, ParseException, NoSuchAlgorithmException, DecoderException {
@@ -266,6 +271,7 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
                 if (disableAssertionVerification) {
                     opts.add(Config.withDisableAssertionVerification(true));
                 }
+                rewrapKeyType.map(Config::WithSessionKeyType).ifPresent(opts::add);
 
                 var readerConfig = Config.newTDFReaderConfig(opts.toArray(new Consumer[0]));
                 var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig);