FreeBSD Manual Pages

SQ(1)				 User Commands				 SQ(1)

NAME
       sq key - Manage keys

SYNOPSIS
       sq key list [OPTIONS]
       sq key generate [OPTIONS]
       sq key import [OPTIONS] KEY_FILE
       sq key export [OPTIONS]
       sq key password [OPTIONS] FILE
       sq key expire [OPTIONS] EXPIRY FILE
       sq key revoke [OPTIONS] REASON MESSAGE
       sq key userid [OPTIONS] SUBCOMMAND
       sq key subkey [OPTIONS] SUBCOMMAND
       sq key attest-certifications [OPTIONS] KEY
       sq key adopt [OPTIONS] TARGET-KEY

DESCRIPTION
       Manage keys.

       We use the term "key" to refer to OpenPGP keys that do contain secrets.
       This subcommand provides primitives to generate and otherwise
       manipulate keys.

       Conversely, we use the term "certificate", or "cert" for short, to
       refer to OpenPGP keys that do not contain secrets.  See `sq toolbox
       keyring` for operations on certificates.

SUBCOMMANDS
   sq key list
       List keys managed by the key store.

   sq key generate
       Generate a new key.

       Generating a key is the prerequisite to receiving encrypted messages
       and creating signatures.  There are a few parameters to this process,
       but we provide reasonable defaults for most users.

       When generating a key, we also generate a revocation certificate.  This
       can be used in case the key is superseded, lost, or compromised.  The
       revocation certificate is saved alongside the key.

       By default a key expires after 3 years.  The `--expiry=` argument
       defines a specific validity period, given either as the point in time
       at which validity ends or as a validity duration.

       `sq key generate` respects the reference time set by the top-level
       `--time` argument.  It sets the creation time of the key, any subkeys,
       and the binding signatures to the reference time.

   sq key import
       Import keys into the key store.

   sq key export
       Export keys from the key store.

   sq key password
       Change password protecting secrets.

       Secret key material in keys can be protected by a password.  This
       subcommand changes or clears this encryption password.

       To emit the key with unencrypted secrets, either use `--clear` or
       supply a zero-length password when prompted for the new password.

   sq key expire
       Change expiration times.

       Keys and their individual subkeys can expire.  This subcommand changes
       or clears the expiration times.

       By default, the expiration time of the entire key is changed.  To
       change the expiration of only some of the subkeys, use the `--subkey`
       option.

   sq key revoke
       Revoke a certificate.

       Creates a revocation certificate for the certificate.

       If `--revocation-file` is provided, then that key is used to create the
       signature.  If that key is different from the certificate being
       revoked, this creates a third-party revocation.  This is normally only
       useful if the owner of the certificate designated the key to be a
       designated revoker.

       If `--revocation-file` is not provided, then the certificate must
       include a certification-capable key.

       `sq key revoke` respects the reference time set by the top-level
       `--time` argument.  When set, it uses the specified time instead of the
       current time when determining what keys are valid, and it sets the
       revocation certificate's creation time to the reference time instead of
       the current time.

   sq key userid
       Manage User IDs.

       Add User IDs to, or strip User IDs from a key.

   sq key subkey
       Manage Subkeys.

       Add new subkeys to an existing key.

   sq key attest-certifications
       Attest to third-party certifications allowing for their distribution.

       To prevent certificate flooding attacks, modern key servers prevent
       uncontrolled distribution of third-party certifications on
       certificates.  To make the key holder sovereign over what information
       is distributed with the certificate, the key holder needs to
       explicitly attest to third-party certifications.

       After the attestation has been created, the certificate has to be
       distributed, e.g. by uploading it to a key server.

   sq key adopt
       Bind keys from one certificate to another.

       This command allows one to transfer primary keys and subkeys into an
       existing certificate.  Say you want to transition to a new certificate,
       but have an authentication subkey on your current certificate.  You
       want to keep the authentication subkey because it allows access to SSH
       servers and updating their configuration is not feasible.

EXAMPLES
   sq key list
       List the keys managed by the keystore server.

	      sq key list

   sq key generate
       Generate a key

	      sq key generate --userid '<juliet@example.org>'

       Generate a key protecting it with a password

	      sq key generate --userid '<juliet@example.org>' \
		     --with-password

       Generate a key whose creation time is June 9, 2011 at midnight UTC

	      sq key generate --time 20110609 --userid Noam \
		     --output noam.pgp

       Generate a key, and save it in a file instead of in the key store.

	      sq key generate --userid '<juliet@example.org>' \
		     --output juliet-secret.key

       Then, extract the certificate for distribution

	      sq toolbox extract-cert --output juliet-secret.pgp

   sq key import
       Import the keys into the keystore server.

	      sq key import alice-secret.pgp

   sq key export
       Import a certificate.

	      sq key import alice-secret.pgp

       Export Alice's certificate with all available secret key material.

	      sq key export --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Export  Alice's signing-capable and encryption-capable subkeys, but not
       her primary key or her authentication-capable subkey.

	      sq key export --key 42020B87D51877E5AF8D272124F3955B0B8DECC8 \
		     --key 74DCDEAF17D9B995679EB52BA6E65EA2C8497728

   sq key password
       First, generate a key

	      sq key generate --userid '<juliet@example.org>' \
		     --output juliet.key.pgp

       Then, encrypt the secrets in the key with a password.

	      sq key password < juliet.key.pgp > juliet.encrypted_key.pgp

       And remove the password again.

	      sq key password --clear < juliet.encrypted_key.pgp \
		     > juliet.decrypted_key.pgp
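
       Added example (not part of the sq manual or the Sequoia project): a
       Python check that reports which secret key packets in a binary
       (dearmored) OpenPGP file store their secrets unencrypted, which is the
       state `--clear` or a zero-length password leaves a key in.  It assumes
       version 4 keys and the RFC 4880 packet layout; the function names and
       the sample bytes are constructed for illustration.

```python
SECRET_TAGS = {5: "secret key", 7: "secret subkey"}
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # RSA variants, Elgamal, DSA
ECC_ALGOS = {18, 19, 22}                       # ECDH, ECDSA, EdDSA (legacy)
def packets(data):  # yields (tag, body) for each packet of a binary stream
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first, i = hdr & 0x3F, data[i], i + 1
            if first < 192:
                n = first
            elif first < 224:
                n, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                n, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate lengths are not handled")
            n, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + n]
        i += n

def s2k_usage(body):  # S2K usage octet that follows the public key fields
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    algo, p = body[5], 6                        # skip version and creation time
    def skip_mpi(p):                            # 2-octet bit count, then value
        return p + 2 + (int.from_bytes(body[p:p + 2], "big") + 7) // 8
    if algo in ECC_ALGOS:
        p = skip_mpi(p + 1 + body[p])           # curve OID, then public point
        if algo == 18:
            p += 1 + body[p]                    # ECDH KDF parameters
    else:
        for _ in range(MPI_COUNT[algo]):
            p = skip_mpi(p)
    return body[p]                              # 0 = secrets stored in the clear

def unprotected_secrets(data):  # names of packets with unencrypted secrets
    return [SECRET_TAGS[t] for t, b in packets(data)
            if t in SECRET_TAGS and s2k_usage(b) == 0]
# Constructed sample: protected Ed25519 primary (usage 254), cleartext subkey.
PUB = bytes.fromhex("04 00000000 16 09 2b06010401da470f01 0107 40") + bytes(32)
SAMPLE = b"".join(bytes([h, len(PUB) + 21]) + PUB + bytes([u]) + bytes(20)
                  for h, u in ((0xC5, 254), (0xC7, 0)))
```

       On the constructed SAMPLE, unprotected_secrets() flags only the subkey.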

   sq key expire
       Make Alice's key expire in a year.

	      sq key expire 1y alice-secret.pgp

       Make Alice's key never expire.

	      sq key expire never alice-secret.pgp

       Make Bob's authentication subkey expire in six months.

	      sq key expire 6m --subkey 6AEACDD24F896624 bob-secret.pgp

   sq key attest-certifications
       Attest to all certifications present on the key

	      sq key attest-certifications juliet.pgp

       Retract prior attestations on the key

	      sq key attest-certifications --none juliet.pgp

   sq key adopt
       Adopt a subkey into the new cert

	      sq key adopt --keyring juliet-old.pgp --key 0123456789ABCDEF \
		     juliet-new.pgp

SEE ALSO
       sq(1), sq-key-list(1), sq-key-generate(1), sq-key-import(1),
       sq-key-export(1), sq-key-password(1), sq-key-expire(1),
       sq-key-revoke(1), sq-key-userid(1), sq-key-subkey(1),
       sq-key-attest-certifications(1), sq-key-adopt(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION
       0.36.0 (sequoia-openpgp 1.20.0)

Sequoia	PGP			    0.36.0				 SQ(1)
