SQ(1)                            User Commands                           SQ(1)

NAME
       sq-key-subkey-revoke - Revoke a subkey

SYNOPSIS
       sq key subkey revoke [OPTIONS]

DESCRIPTION
       Revoke a subkey.

       Creates a revocation certificate for a subkey.

       If `--revoker` or `--revoker-file` is provided, then that key is used
       to create the revocation certificate.  If that key is different from
       the certificate that is being revoked, this results in a third-party
       revocation.  This is normally only useful if the owner of the
       certificate designated the key to be a designated revoker.

       `sq key subkey revoke` respects the reference time set by the top-level
       `--time` argument.  When set, it uses the specified time instead of the
       current time when determining what keys are valid, and it sets the
       revocation certificate's creation time to the reference time instead of
       the current time.



OPTIONS
   Subcommand options
       --cert=FINGERPRINT|KEYID
              Revoke the specified subkeys on the key with the specified
              fingerprint or key ID

       --cert-email=EMAIL
              Revoke the specified subkeys on the key where a user ID includes
              the specified email address

       --cert-file=PATH
              Revoke the specified subkeys on the key read from PATH

       --cert-userid=USERID
              Revoke the specified subkeys on the key with the specified user
              ID

       --key=FINGERPRINT|KEYID
              Revoke the specified subkey

       --message=MESSAGE
              A short, explanatory text

              The text is shown to a viewer of the revocation certificate, and
              explains why the subkey has been revoked.  For instance, if
              Alice has created a new key, she would generate a `superseded`
              revocation certificate for her old key, and might include the
              message "I've created a new subkey, please refresh the
              certificate."

       --output=FILE
              Write to the specified FILE

              If not specified, and the certificate was read from the
              certificate store, imports the modified certificate into the
              cert store.  If not specified, and the certificate was read from
              a file, writes the modified certificate to stdout.

       --reason=REASON
              The reason for the revocation

              If the reason happened in the past, you should specify that
              using the `--time` argument.  This allows OpenPGP
              implementations to more accurately reason about artifacts whose
              validity depends on the validity of the user ID.

              [possible values: compromised, superseded, retired, unspecified]

       --revoker=FINGERPRINT|KEYID
              Use key with the specified fingerprint or key ID to create the
              revocation certificate

              Sign the revocation certificate using the specified key.  By
              default, the certificate being revoked is used.  Using this
              option, it is possible to create a third-party revocation.

       --revoker-email=EMAIL
              Use key where a user ID includes the specified email address to
              create the revocation certificate

              Sign the revocation certificate using the specified key.  By
              default, the certificate being revoked is used.  Using this
              option, it is possible to create a third-party revocation.

       --revoker-file=PATH
              Read key from PATH to create the revocation certificate

              Sign the revocation certificate using the specified key.  By
              default, the certificate being revoked is used.  Using this
              option, it is possible to create a third-party revocation.

       --revoker-userid=USERID
              Use key with the specified user ID to create the revocation
              certificate

              Sign the revocation certificate using the specified key.  By
              default, the certificate being revoked is used.  Using this
              option, it is possible to create a third-party revocation.

       --signature-notation NAME VALUE
              Add a notation to the signature

              A user-defined notation's name must be of the form
              `name@a.domain.you.control.org`. If the notation's name starts
              with a `!`, then the notation is marked as being critical.  If a
              consumer of a signature doesn't understand a critical notation,
              then it will ignore the signature.  The notation is marked as
              being human readable.

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Revoke Alice's signing subkey.

              sq key subkey revoke \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 --reason \
                     retired --message "Subkey rotation."



       Revoke Alice's signing subkey and encryption subkeys.

              sq key subkey revoke \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \
                     --key=74DCDEAF17D9B995679EB52BA6E65EA2C8497728 --reason \
                     retired --message "Subkey rotation."

SEE ALSO
       sq(1), sq-key(1), sq-key-subkey(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia PGP                          1.3.1                               SQ(1)