diff --git a/cmd/ctr/commands/images/crypt_utils.go b/cmd/ctr/commands/images/crypt_utils.go
index 83946cdaf..e22cd0da6 100644
--- a/cmd/ctr/commands/images/crypt_utils.go
+++ b/cmd/ctr/commands/images/crypt_utils.go
@@ -90,17 +90,40 @@ func processRecipientKeys(recipients []string) ([][]byte, [][]byte, [][]byte, er
 x509s [][]byte
 )
 for _, recipient := range recipients {
- tmp, err := ioutil.ReadFile(recipient)
- if err != nil {
- gpgRecipients = append(gpgRecipients, []byte(recipient))
- continue
+
+ idx := strings.Index(recipient, ":")
+ if idx < 0 {
+ return nil, nil, nil, errors.New("Invalid recipient format")
 }
- if encutils.IsCertificate(tmp) {
- x509s = append(x509s, tmp)
- } else if encutils.IsPublicKey(tmp) {
+
+ protocol := recipient[:idx]
+ value := recipient[idx+1:]
+
+ switch protocol {
+ case "pgp":
+ gpgRecipients = append(gpgRecipients, []byte(value))
+ case "jwe":
+ tmp, err := ioutil.ReadFile(value)
+ if err != nil {
+ return nil, nil, nil, errors.Wrap(err, "Unable to read file")
+ }
+ if !encutils.IsPublicKey(tmp) {
+ return nil, nil, nil, errors.New("File provided is not a public key")
+ }
 pubkeys = append(pubkeys, tmp)
- } else {
- gpgRecipients = append(gpgRecipients, []byte(recipient))
+
+ case "pkcs7":
+ tmp, err := ioutil.ReadFile(value)
+ if err != nil {
+ return nil, nil, nil, errors.Wrap(err, "Unable to read file")
+ }
+ if !encutils.IsCertificate(tmp) {
+ return nil, nil, nil, errors.New("File provided is not an x509 cert")
+ }
+ x509s = append(x509s, tmp)
+
+ default:
+ return nil, nil, nil, errors.New("Provided protocol not recognized")
 }
 }
 return gpgRecipients, pubkeys, x509s, nil
diff --git a/cmd/ctr/commands/images/encrypt.go b/cmd/ctr/commands/images/encrypt.go
index eadc64839..f15e93744 100644
--- a/cmd/ctr/commands/images/encrypt.go
+++ b/cmd/ctr/commands/images/encrypt.go
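Review bot: An empty value after the prefix is never rejected, so a recipient of just `pgp:` appends an empty byte slice to gpgRecipients and is only caught, if at all, by whatever consumes that list later; add `if value == "" { return nil, nil, nil, errors.Errorf("recipient %q has no value", recipient) }` directly after `value := recipient[idx+1:]` (for `jwe:` and `pkcs7:` the empty path already fails in ReadFile). The other new errors would help the user more if they named the offending input, e.g. `errors.Wrapf(err, "unable to read %s key file %q", protocol, value)` and `errors.Errorf("unrecognized recipient protocol %q", protocol)`, and Go convention is lowercase error strings. The `jwe` and `pkcs7` cases are identical apart from the validation predicate and could share a small read-and-check helper. The hunk introduces `strings.Index` but the diff shows no import change for this file, so `strings` is presumably already imported — worth confirming. processRecipientKeys starts before the hunk.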
@@ -41,10 +41,15 @@ var encryptCommand = cli.Command{
 This tool also allows management of the recipients of the image through changes to the list of recipients. Once the image has been encrypted it may be pushed to a registry.
+
+ Recipients are declared with the protocol prefix as follows:
+ - pgp:
+ - jwe:
+ - pkcs7:
 `,
 Flags: append(append(commands.RegistryFlags, cli.StringSliceFlag{
 Name: "recipient",
- Usage: "Recipient of the image is the person who can decrypt it",
+ Usage: "Recipient of the image is the person who can decrypt it in the form specified above (i.e. jwe:/path/to/key)",
 }, cli.IntSliceFlag{
 Name: "layer",
 Usage: "The layer to encrypt; this must be either the layer number or a negative number starting with -1 for topmost layer",
diff --git a/docs/encryption.md b/docs/encryption.md
index 64731d798..08cd95ef0 100644
--- a/docs/encryption.md
+++ b/docs/encryption.md
@@ -25,8 +25,8 @@ The option `--layer -1` specifies the layer filter for encryption, -1 indicating
 ```
 $ ctr images encrypt \
- --recipient /tmp/tmp.AGrSDkaSad/mypubkey.pem \
- --recipient /tmp/tmp.AGrSDkaSad/clientcert.pem \
+ --recipient jwe:/tmp/tmp.AGrSDkaSad/mypubkey.pem \
+ --recipient pkcs7:/tmp/tmp.AGrSDkaSad/clientcert.pem \
 --layer -1 \
 docker.io/library/alpine:latest docker.io/library/alpine:enc
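Review bot: The new help text lists the prefixes `pgp:`, `jwe:` and `pkcs7:` but says nothing about what follows each, so the user still has to guess whether the value is a name, a key or a certificate; based on what processRecipientKeys accepts elsewhere in this diff, `- pgp:<GPG recipient identifier>`, `- jwe:<path to a public key file>` and `- pkcs7:<path to an x509 certificate file>` would state it. In the Usage string, `i.e.` introduces an example and should read `e.g.`, and naming the three prefixes there would save the reader a trip to the description. The encryptCommand literal starts and ends outside the hunk.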