.TH SQ 1 0.39.0 "Sequoia PGP" "User Commands" .SH NAME sq key subkey revoke \- Revoke a subkey .SH SYNOPSIS .br \fBsq key subkey revoke\fR [\fIOPTIONS\fR] .SH DESCRIPTION Revoke a subkey. .PP Creates a revocation certificate for a subkey. .PP If `\-\-revoker` or `\-\-revoker\-file` is provided, then that key is used to create the revocation certificate. If that key is different from the certificate that is being revoked, this results in a third\-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker. .PP `sq key subkey revoke` respects the reference time set by the top\-level `\-\-time` argument. When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time. .PP .SH OPTIONS .SS "Subcommand options" .TP \fB\-\-binary\fR Emit binary data .TP \fB\-\-cert\fR=\fIFINGERPRINT|KEYID\fR Revoke the specified (sub)keys on the key with the specified fingerprint or key ID .TP \fB\-\-email\fR=\fIEMAIL\fR Revoke the specified (sub)keys on the key where a user ID includes the specified email address .TP \fB\-\-file\fR=\fIPATH\fR Revoke the specified (sub)keys on the key read from PATH .TP \fB\-\-key\fR=\fIFINGERPRINT|KEYID\fR Revoke this subkey .TP \fB\-\-message\fR=\fIMESSAGE\fR A short, explanatory text. .IP The text is shown to a viewer of the revocation certificate, and explains why the subkey has been revoked. For instance, if Alice has created a new key, she would generate a `superseded` revocation certificate for her old key, and might include the message "I've created a new subkey, please refresh the certificate." .TP \fB\-\-notation\fR \fINAME\fR \fIVALUE\fR Add a notation to the certification. .IP A user\-defined notation's name must be of the form `name@a.domain.you.control.org`. If the notation's name starts with a `!`, then the notation is marked as being critical. If a consumer of a signature doesn't understand a critical notation, then it will ignore the signature. The notation is marked as being human readable. .TP \fB\-\-output\fR=\fIFILE\fR Write to the specified FILE. .IP If not specified, and the certificate was read from the certificate store, imports the modified certificate into the cert store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout. .TP \fB\-\-reason\fR=\fIREASON\fR The reason for the revocation. .IP If the reason happened in the past, you should specify that using the `\-\-time` argument. This allows OpenPGP implementations to more accurately reason about artifacts whose validity depends on the validity of the user ID. .IP [possible values: \fBcompromised\fR, \fBsuperseded\fR, \fBretired\fR, \fBunspecified\fR] .TP \fB\-\-revoker\fR=\fIFINGERPRINT|KEYID\fR Use key with the specified fingerprint or key ID to create the revocation certificate. .IP Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third\-party revocation. .TP \fB\-\-revoker\-email\fR=\fIEMAIL\fR Use key where a user ID includes the specified email address to create the revocation certificate. .IP Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third\-party revocation. .TP \fB\-\-revoker\-file\fR=\fIPATH\fR Read key from PATH to create the revocation certificate. .IP Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third\-party revocation. .TP \fB\-\-revoker\-userid\fR=\fIUSERID\fR Use key with the specified user ID to create the revocation certificate. .IP Sign the revocation certificate using the specified key. By default, the certificate being revoked is used. Using this option, it is possible to create a third\-party revocation. .TP \fB\-\-userid\fR=\fIUSERID\fR Revoke the specified (sub)keys on the key with the specified user ID .SS "Global options" See \fBsq\fR(1) for a description of the global options. .SH EXAMPLES .PP .PP Revoke Alice's signing subkey. .PP .nf .RS sq key subkey revoke \\ .RE .RS .RS \-\-cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \\ .RE .RE .RS .RS \-\-key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \-\-reason \\ .RE .RE .RS .RS retired \-\-message "Subkey rotation." .RE .RE .PP .fi .PP Revoke Alice's signing subkey and encryption subkeys. .PP .nf .RS sq key subkey revoke \\ .RE .RS .RS \-\-cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \\ .RE .RE .RS .RS \-\-key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \\ .RE .RE .RS .RS \-\-key=74DCDEAF17D9B995679EB52BA6E65EA2C8497728 \-\-reason \\ .RE .RE .RS .RS retired \-\-message "Subkey rotation." .RE .RE .fi .SH "SEE ALSO" .nh \fBsq\fR(1), \fBsq\-key\fR(1), \fBsq\-key\-subkey\fR(1). .hy .PP For the full documentation see . .SH VERSION 0.39.0 (sequoia\-openpgp 1.21.2)