SQ(1) User Commands SQ(1)

sq key subkey - Manage subkeys

sq key subkey add [OPTIONS]
sq key subkey expire [OPTIONS] EXPIRATION
sq key subkey revoke [OPTIONS] FINGERPRINT|KEYID REASON MESSAGE

Manage subkeys.

Add new subkeys to an existing certificate, change their expiration, and revoke them.

sq key subkey add

Add a new subkey to a certificate.

A subkey has one or more capabilities.

`--can-sign` sets the signing capability, and means that the key may be used for signing. `--can-authenticate` sets the authentication capability, and means that the key may be used for authentication (e.g., as an SSH key). `--can-certify` sets the certificate capability, and means that the key may be used to make third-party certifications. These capabilities may be combined.

`--can-encrypt=storage` sets the storage encryption capability, and means that the key may be used for storage encryption. `--can-encrypt=transport` sets the transport encryption capability, and means that the key may be used for transport encryption. `--can-encrypt=universal` sets both the storage and the transport encryption capability, and means that the key may be used for both storage and transport encryption. The encryption capabilities must not be combined with the signing or authentication capability.

When using `--with-password`, `sq` prompts the user for a password that is used to encrypt the subkey. The password for the new subkey may be different from the other keys.

By default a new subkey doesn't expire on its own. However, its validity period is limited by that of the certificate. Using the `--expiration` argument allows setting a different expiration time.

`sq key subkey add` respects the reference time set by the top-level `--time` argument. It sets the creation time of the subkey to the specified time.

sq key subkey expire

Change a subkey's expiration time.

This subcommand changes a key's expiration time. To change the expiration time of the certificate, use the `sq key expire` subcommand.

Changing the expiration time of the primary key is equivalent to changing the certificate's expiration time.

sq key subkey revoke

Revoke a subkey.

Creates a revocation certificate for a subkey.

If `--revoker` or `--revoker-file` is provided, then that key is used to create the revocation certificate. If that key is different from the certificate that is being revoked, this results in a third-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

`sq key subkey revoke` respects the reference time set by the top-level `--time` argument. When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

sq key subkey add

Import Alice's key.

sq key import alice-secret.pgp

Add a new signing-capable subkey.

sq key subkey add --can-sign --cert \
EB28F26E2739A4870ECC47726F0073F60FD0CBF0

sq key subkey expire

Import Alice's key.

sq key import alice-secret.pgp

Make Alice's authentication subkey expire in 6 months.

sq key subkey expire 6m --cert \
EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --key \
0D45C6A756A038670FDFD85CB1C82E8D27DB23A1

sq key subkey revoke

Import Alice's key.

sq key import alice-secret.pgp

Alice revokes her signing subkey.

sq key subkey revoke --cert \
EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
42020B87D51877E5AF8D272124F3955B0B8DECC8 retired \
"Subkey rotation."

sq(1), sq-key(1), sq-key-subkey-add(1), sq-key-subkey-expire(1), sq-key-subkey-revoke(1).

For the full documentation see https://book.sequoia-pgp.org.

0.37.0 (sequoia-openpgp 1.20.0)

0.37.0 Sequoia PGP