SQ(1) | User Commands | SQ(1) |
NAME
sq key generate - Generate a new key
SYNOPSIS
sq key generate [OPTIONS]
DESCRIPTION
Generate a new key.
Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.
When generating a key, we also generate an emergency revocation certificate. This can be used in case the key is lost or compromised. It is saved alongside the key; the location can be changed using the `--rev-cert` argument. Anyone holding the revocation certificate can revoke the key, so keep it separate from the key and protect it accordingly.
By default a key expires after 3 years. This can be changed using the `--expiration` argument.
`sq key generate` respects the reference time set by the top-level `--time` argument. It sets the creation time of the primary key, any subkeys, and the binding signatures to the reference time.
OPTIONS
Subcommand options
- --allow-non-canonical-userids
- Don't reject user IDs that are not in canonical form.
- Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.
- -c, --cipher-suite=CIPHER-SUITE
- Select the cryptographic algorithms for the key
- [default: cv25519]
- [possible values: rsa3k, rsa4k, cv25519]
- --can-authenticate
- Add an authentication-capable subkey (default)
- --can-encrypt=PURPOSE
- Add an encryption-capable subkey.
- Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal. [default: universal]
- [possible values: transport, storage, universal]
- --can-sign
- Add a signing-capable subkey (default)
- --cannot-authenticate
- Don't add an authentication-capable subkey
- --cannot-encrypt
- Don't add an encryption-capable subkey
- --cannot-sign
- Don't add a signing-capable subkey
- --expiration=EXPIRATION
- Sets the certificate's expiration time.
- EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.
- When using an ISO 8601 formatted string, the validity period is from the certificate's creation time to the specified time. When using a duration, the validity period is from the certificate's creation time for the specified duration.
- [default: 3y]
- --no-userids
- Create a key without any user IDs
- -o, --output=FILE
- Write the key to the specified file.
- When not specified, the key is saved on the key store.
- --rev-cert=FILE
- Write the emergency revocation certificate to FILE.
- When the key is stored on the key store, the revocation certificate is stored in $HOME/.local/share/sequoia/revocation-certificates by default.
- When `--output` is specified, the revocation certificate is written to `FILE.rev` by default.
- If `--output` is `-`, then this option must be provided.
- -u, --userid=USERID
- Add a user ID to the key
- --with-password
- Protect the secret key material with a password
Global options
See sq(1) for a description of the global options.
EXAMPLES
Generate a key, and save it on the key store.
sq key generate --userid "Alice <alice@example.org>"
Generate a key, and save it in a file instead of in the key store.
sq key generate --userid "Alice <alice@example.org>" --output \
alice-priv.pgp
Strip the secret key material from the new key.
sq toolbox extract-cert alice-priv.pgp --output alice.pgp
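The following script ties the two examples above together with the `--expiration` grammar from OPTIONS (`never`, a duration `N[ymwds]`, or an ISO 8601 date). It is an added example, not part of the sq man page or of the Sequoia project. It assumes `sq` 0.37 is on PATH for the generate and extract steps; the `valid_expiration` check runs without it, and the function names, file names and the user ID `Alice <alice@example.org>` are illustrative choices.

```sh
#!/bin/sh
# Added example (not from the sq man page). Assumes `sq` 0.37 on PATH for
# the key-generation steps; the argument check below needs only grep -E.
set -eu

# Return 0 when $1 is an --expiration value of the form the man page
# documents: the keyword `never`, a duration `N[ymwds]`, or an ISO 8601
# date or date-time. This is a coarse syntactic check that rejects typos
# like `3x` or `3years` before sq is invoked; sq itself remains the
# authority on what it accepts.
valid_expiration() {
    case "$1" in
        never) return 0 ;;
    esac
    # duration: one or more digits followed by y, m, w, d or s
    if printf '%s\n' "$1" | grep -Eq '^[0-9]+[ymwds]$'; then
        return 0
    fi
    # ISO 8601: YYYY-MM-DD, optionally with THH:MM:SS and a trailing Z
    if printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}:[0-9]{2}Z?)?$'; then
        return 0
    fi
    return 1
}

# generate_key_to_file USERID PRIVFILE CERTFILE EXPIRATION
#
# Generates a password-protected key into PRIVFILE, writes the emergency
# revocation certificate to PRIVFILE.rev (stated explicitly rather than
# relying on the default), and strips the secret material into CERTFILE,
# which is the file to hand to correspondents. `--with-password` prompts
# interactively for the password.
generate_key_to_file() {
    userid=$1; privfile=$2; certfile=$3; expiration=$4

    valid_expiration "$expiration" || {
        echo "invalid --expiration value: $expiration" >&2
        return 1
    }

    sq key generate \
        --userid "$userid" \
        --cipher-suite cv25519 \
        --expiration "$expiration" \
        --with-password \
        --output "$privfile" \
        --rev-cert "$privfile.rev"

    # Public certificate without secret key material.
    sq toolbox extract-cert "$privfile" --output "$certfile"

    # Show what was produced so the expiration and subkeys can be eyeballed.
    sq inspect "$certfile"

    echo "secret key:            $privfile  (keep private)"
    echo "revocation certificate: $privfile.rev  (store separately from the key)"
    echo "public certificate:     $certfile  (safe to distribute)"
}

# Usage: sh gen-key.sh 'Alice <alice@example.org>' alice-priv.pgp alice.pgp 3y
if [ $# -eq 4 ]; then
    generate_key_to_file "$@"
fi
```

Running the script with four arguments performs the whole procedure; without arguments it only defines the functions, so `valid_expiration` can be sourced and reused in other scripts. The revocation certificate is written next to the private key here only for simplicity; move it to separate storage afterwards, since whoever holds it can revoke the key.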
SEE ALSO
For the full documentation see https://book.sequoia-pgp.org.
VERSION
0.37.0 (sequoia-openpgp 1.20.0)
0.37.0 | Sequoia PGP |