.TH SQ 1 0.37.0 "Sequoia PGP" "User Commands"
.SH NAME
sq key \- Manage keys
.SH SYNOPSIS
.br
\fBsq key list\fR [\fIOPTIONS\fR]
.br
\fBsq key generate\fR [\fIOPTIONS\fR]
.br
\fBsq key import\fR [\fIOPTIONS\fR] \fIKEY_FILE\fR
.br
\fBsq key export\fR [\fIOPTIONS\fR]
.br
\fBsq key delete\fR [\fIOPTIONS\fR]
.br
\fBsq key password\fR [\fIOPTIONS\fR]
.br
\fBsq key expire\fR [\fIOPTIONS\fR] \fIEXPIRATION\fR
.br
\fBsq key revoke\fR [\fIOPTIONS\fR] \fIREASON\fR \fIMESSAGE\fR
.br
\fBsq key userid\fR [\fIOPTIONS\fR] \fISUBCOMMAND\fR
.br
\fBsq key subkey\fR [\fIOPTIONS\fR] \fISUBCOMMAND\fR
.br
\fBsq key attest\-certifications\fR [\fIOPTIONS\fR]
.br
\fBsq key adopt\fR [\fIOPTIONS\fR]
.SH DESCRIPTION
Manage keys.
.PP
We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys.
.PP
Conversely, we use the term "certificate", or "cert" for short, to refer to OpenPGP keys that do not contain secrets. See `sq cert` for operations on certificates.
.SH SUBCOMMANDS
.SS "sq key list"
List keys managed by the key store.
.PP
.SS "sq key generate"
Generate a new key.
.PP
Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.
.PP
When generating a key, we also generate an emergency revocation certificate. This can be used in case the key is lost or compromised. It is saved alongside the key. This can be changed using the `\-\-rev\-cert` argument.
.PP
By default a key expires after 3 years. This can be changed using the `\-\-expiration` argument.
.PP
`sq key generate` respects the reference time set by the top\-level `\-\-time` argument. It sets the creation time of the primary key, any subkeys, and the binding signatures to the reference time.
.PP
.SS "sq key import"
Import keys into the key store.
.PP
.SS "sq key export"
Export keys from the key store.
.PP
.SS "sq key delete"
Delete a certificate's secret key material.
.PP
.SS "sq key password"
Change the password protecting secret key material.
.PP
Secret key material can be protected by a password. This subcommand changes or clears the password.
.PP
To strip the password either use `\-\-clear` or supply a zero\-length password when prompted for the new password.
.PP
If a key is password protected, and the correct password was not supplied using the `\-\-password\-file` argument, the user is prompted for the password. Likewise, if the new password isn't provided, the user is prompted.
.PP
.SS "sq key expire"
Change expiration times.
.PP
Change or clear a certificate's expiration time.
.PP
This subcommand changes the certificate's expiration time. To change the expiration time of an individual subkey, use the `sq key subkey expire` subcommand.
.PP
.SS "sq key revoke"
Revoke a certificate.
.PP
Creates a revocation certificate for a certificate.
.PP
If `\-\-revoker` or `\-\-revoker\-file` is provided, then that key is used to create the revocation certificate. If that key is different from the certificate that is being revoked, this results in a third\-party revocation. This is normally only useful if the owner of the certificate designated the key to be a designated revoker.
.PP
`sq key revoke` respects the reference time set by the top\-level `\-\-time` argument. When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.
.PP
.SS "sq key userid"
Manage User IDs.
.PP
Add User IDs to a key, or revoke them.
.PP
.SS "sq key subkey"
Manage subkeys.
.PP
Add new subkeys to an existing certificate, change their expiration, and revoke them.
.SS "sq key attest-certifications"
Attest to third\-party certifications allowing for their distribution.
.PP
To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third\-party certifications on certificates. To allow the key holder to control what information is distributed with their certificate, these key servers only distribute third\-party certifications that the key holder has explicitly approved.
.PP
After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a key server.
.PP
.SS "sq key adopt"
Bind keys from one certificate to another.
.PP
This command allows the user to attach a primary key or a subkey attached to one certificate to another certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate that you want to keep because it allows access to a server and updating its configuration is not feasible. This command makes it easy to attach the subkey to the new certificate.
.PP
.SH EXAMPLES
.SS "sq key list"
.PP
.PP
List the keys managed by the keystore server.
.PP
.nf
.RS
sq key list
.RE
.fi
.PP
.SS "sq key generate"
.PP
.PP
Generate a key, and save it on the key store.
.PP
.nf
.RS
sq key generate \-\-userid "Alice "
.RE
.PP
.fi
.PP
Generate a key, and save it in a file instead of in the key store.
.PP
.nf
.RS
sq key generate \-\-userid "Alice " \-\-output \\
.RE
.RS
.RS
alice\-priv.pgp
.RE
.RE
.PP
.fi
.PP
Strip the secret key material from the new key.
.PP
.nf
.RS
sq toolbox extract\-cert alice\-priv.pgp \-\-output alice.pgp
.RE
.fi
.PP
.SS "sq key import"
.PP
.PP
Import the keys into the key store.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.fi
.PP
.SS "sq key export"
.PP
.PP
Import a certificate.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.PP
.fi
.PP
Export Alice's certificate with all available secret key material.
.PP
.nf
.RS
sq key export \-\-cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0
.RE
.PP
.fi
.PP
Export Alice's signing\-capable and encryption\-capable subkeys, but not her primary key or her authentication\-capable subkey.
.PP
.nf
.RS
sq key export \-\-key 42020B87D51877E5AF8D272124F3955B0B8DECC8 \\
.RE
.RS
.RS
\-\-key 74DCDEAF17D9B995679EB52BA6E65EA2C8497728
.RE
.RE
.fi
.PP
.SS "sq key delete"
.PP
.PP
Import Alice's key.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.PP
.fi
.PP
Delete any secret key associated with the certificate.
.PP
.nf
.RS
sq key delete \-\-cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0
.RE
.fi
.PP
.SS "sq key password"
.PP
.PP
Import a key that has no password protection.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.PP
.fi
.PP
Change the password for all keys to password in the specified file.
.PP
.nf
.RS
sq key password \-\-new\-password\-file password\-file.txt \-\-cert \\
.RE
.RS
.RS
EB28F26E2739A4870ECC47726F0073F60FD0CBF0
.RE
.RE
.PP
.fi
.PP
Clear the password protection.
.PP
.nf
.RS
sq key password \-\-password\-file password\-file.txt \\
.RE
.RS
.RS
\-\-clear\-password \-\-cert \\
.RE
.RE
.RS
.RS
EB28F26E2739A4870ECC47726F0073F60FD0CBF0
.RE
.RE
.fi
.PP
.SS "sq key expire"
.PP
.PP
Make Alice's key expire in a year.
.PP
.nf
.RS
sq key expire 1y \-\-cert\-file alice\-secret.pgp
.RE
.PP
.fi
.PP
Make Alice's key never expire.
.PP
.nf
.RS
sq key expire never \-\-cert\-file alice\-secret.pgp
.RE
.fi
.PP
.SS "sq key revoke"
.PP
.PP
Import a key.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.PP
.fi
.PP
Revoke the key, indicating that there is a new certificate.
.PP
.nf
.RS
sq key revoke \-\-cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \\
.RE
.RS
.RS
superseded \\
.RE
.RE
.RS
.RS
"My new cert is 31EC6A9453BC59F1239C785E4CA79EF01933A2ED"
.RE
.RE
.PP
.fi
.PP
Revoke the key, indicating that the secret key material was compromised.
.PP
.nf
.RS
sq key revoke \-\-cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \\
.RE
.RS
.RS
compromised \\
.RE
.RE
.RS
.RS
"Computer attacked, secret key material compromised"
.RE
.RE
.fi
.PP
.SS "sq key attest-certifications"
.PP
.PP
Import Alice's key.
.PP
.nf
.RS
sq key import alice\-secret.pgp
.RE
.PP
.fi
.PP
Attest to all of the certifications on all the user IDs.
.PP
.nf
.RS
sq key attest\-certifications \-\-all \-\-cert \\
.RE
.RS
.RS
EB28F26E2739A4870ECC47726F0073F60FD0CBF0
.RE
.RE
.fi
.PP
.SS "sq key adopt"
.PP
.PP
Import Alice's old key and new key.
.PP
.nf
.RS
sq key import alice\-secret.pgp alice\-new\-secret.pgp
.RE
.PP
.fi
.PP
Have the new certificate adopt Alice's old authentication subkey.
.PP
.nf
.RS
sq key adopt \-\-cert C5999E8191BF7B503653BE958B1F7910D01F86E5 \\
.RE
.RS
.RS
\-\-key 0D45C6A756A038670FDFD85CB1C82E8D27DB23A1
.RE
.RE
.fi
.SH "SEE ALSO"
.nh
\fBsq\fR(1), \fBsq\-key\-list\fR(1), \fBsq\-key\-generate\fR(1), \fBsq\-key\-import\fR(1), \fBsq\-key\-export\fR(1), \fBsq\-key\-delete\fR(1), \fBsq\-key\-password\fR(1), \fBsq\-key\-expire\fR(1), \fBsq\-key\-revoke\fR(1), \fBsq\-key\-userid\fR(1), \fBsq\-key\-subkey\fR(1), \fBsq\-key\-attest\-certifications\fR(1), \fBsq\-key\-adopt\fR(1).
.hy
.PP
For the full documentation see .
.SH VERSION
0.37.0 (sequoia\-openpgp 1.20.0)