SQ(1)				 User Commands				 SQ(1)

NAME
       sq-key-subkey - Manage subkeys

SYNOPSIS
       sq key subkey add [OPTIONS]
       sq key subkey export [OPTIONS]
       sq key subkey delete [OPTIONS]
       sq key subkey password [OPTIONS]
       sq key subkey expire [OPTIONS]
       sq key subkey revoke [OPTIONS]
       sq key subkey bind [OPTIONS]

DESCRIPTION
       Manage subkeys.

       Add new subkeys to an existing certificate, change their expiration,
       and revoke them.

SUBCOMMANDS
   sq key subkey add
       Add a new subkey to a certificate.

       A subkey has one or more capabilities.

       `--can-sign` sets the signing capability, and means that the key may be
       used for signing.  `--can-authenticate` sets the authentication
       capability, and means that the key may be used for authentication
       (e.g., as an SSH key).  `--can-certify` sets the certificate capability,
       and means that the key may be used to make third-party certifications.
       These capabilities may be combined.

       `--can-encrypt=storage` sets the storage encryption capability, and
       means that the key may be used for storage encryption.
       `--can-encrypt=transport` sets the transport encryption capability, and
       means that the key may be used for transport encryption.
       `--can-encrypt=universal` sets both the storage and the transport
       encryption capability, and means that the key may be used for both
       storage and transport encryption.  The encryption capabilities must not
       be combined with the signing or authentication capability.

       Normally, `sq` prompts the user for a password to use to encrypt the
       secret key material.  The password for the new subkey may be different
       from the other keys.  When using `--without-password`, `sq` doesn't
       prompt for a password, and doesn't password-protect the subkey.

       By default a new subkey doesn't expire on its own.  However, its
       validity period is limited by that of the certificate.  Using the
       `--expiration` argument allows setting a different expiration time.

       `sq key subkey add` respects the reference time set by the top-level
       `--time` argument.  It sets the creation time of the subkey to the
       specified time.

   sq key subkey export
       Export secret key material from the secret key store.

       Exports the secret key material.  Note that even if secret key material
       is available, it may not be exportable.  For instance, secret key
       material stored on a hardware security module usually cannot be
       exported from the device.

       The entire certificate is exported, but only the specified key's secret
       key material is exported.  An error is returned if the secret key
       material for the specified key is not available.

       If you want to export all secret key material associated with a
       certificate, use `sq key export`.

   sq key subkey delete
       Delete a certificate's secret key material.

       Unlike `sq key delete`, which deletes all the secret key material, this
       command only deletes the specified secret key material.

       If the secret key material is managed by multiple devices, it is
       deleted from all of them.

       Although the secret key material is deleted, the public keys are
       retained.  If you don't want the keys to be used anymore you should
       revoke the keys using `sq key subkey revoke`.

   sq key subkey password
       Change the password protecting secret key material.

       Secret key material can be protected by a password.  This subcommand
       changes or clears the password of one or more keys.

       To strip the password either use `--clear` or supply a zero-length
       password when prompted for the new password.

       If a key is password protected, and the correct password was not
       supplied using the `--password-file` argument, the user is prompted for
       the password.  Likewise, if the new password isn't provided, the user
       is prompted.

   sq key subkey expire
       Change a subkey's expiration time.

       This subcommand changes a key's expiration time.  To change the
       expiration time of the certificate, use the `sq key expire` subcommand.

       Changing the expiration time of the primary key is equivalent to
       changing the certificate's expiration time.  The expiration time of a
       subkey is bound by the expiration of the certificate.

   sq key subkey revoke
       Revoke a subkey.

       Creates a revocation certificate for a subkey.

       If `--revoker` or `--revoker-file` is provided, then that key is used
       to create the revocation certificate.  If that key is different from
       the certificate that is being revoked, this results in a third-party
       revocation.  This is normally only useful if the owner of the
       certificate designated the key to be a designated revoker.

       `sq key subkey revoke` respects the reference time set by the top-level
       `--time` argument.  When set, it uses the specified time instead of the
       current time when determining what keys are valid, and it sets the
       revocation certificate's creation time to the reference time instead of
       the current time.

   sq key subkey bind
       Bind keys from one certificate to another.

       This command allows the user to attach a primary key or a subkey
       attached to one certificate to another certificate.  Say you want to
       transition to a new certificate, but have an authentication subkey on
       your current certificate that you want to keep because it allows access
       to a server and updating its configuration is not feasible.  This
       command makes it easy to attach the subkey to the new certificate.

       After the operation, the key is bound both to the old certificate and
       to the new one.  To remove secret key material from the old
       certificate, use `sq key subkey delete` or `sq key delete`, as
       appropriate.  To revoke the old subkey or key, use `sq key subkey
       revoke` or `sq key revoke`, respectively.

EXAMPLES
   sq key subkey add
       Add a new signing-capable subkey	to Alice's key.

	      sq key subkey add	--can-sign \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0

   sq key subkey export
       Export Alice's signing-capable and encryption-capable subkeys, but  not
       her primary key or her authentication-capable subkey.

	      sq key subkey export \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \
		     --key=74DCDEAF17D9B995679EB52BA6E65EA2C8497728

   sq key subkey delete
       Delete Alice's signing subkey.

	      sq key subkey delete \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8

   sq key subkey password
       Change  the  password  for  Alice's  signing key	to the password	in the
       specified file.

	      sq key subkey password --new-password-file=password-file.txt \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8

       Clear the password protection for Alice's signing key.

	      sq key subkey password --password-file=password-file.txt \
		     --clear-password \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8

   sq key subkey expire
       Change Alice's authentication subkey to expire in 6 months.

	      sq key subkey expire --expiration	6m \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=0D45C6A756A038670FDFD85CB1C82E8D27DB23A1

   sq key subkey revoke
       Revoke Alice's signing subkey.

	      sq key subkey revoke \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 --reason \
		     retired --message "Subkey rotation."

       Revoke Alice's signing subkey and encryption subkeys.

	      sq key subkey revoke \
		     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
		     --key=42020B87D51877E5AF8D272124F3955B0B8DECC8 \
		     --key=74DCDEAF17D9B995679EB52BA6E65EA2C8497728 --reason \
		     retired --message "Subkey rotation."

   sq key subkey bind
       Bind Alice's old	authentication subkey to Alice's new certificate.

	      sq key subkey bind \
		     --cert=C5999E8191BF7B503653BE958B1F7910D01F86E5 \
		     --key=0D45C6A756A038670FDFD85CB1C82E8D27DB23A1

       Bind a bare key to Alice's certificate.  A bare key is a public key
       without any components or signatures.  This simplifies working with raw
       keys, e.g., keys generated on an OpenPGP card, a TPM device, etc.

	      sq key subkey bind --keyring=bare.pgp \
		     --cert=C5999E8191BF7B503653BE958B1F7910D01F86E5 \
		     --key=B321BA8F650CB16443E06826DBFA98A78CF6562F \
		     --can-encrypt=universal
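       The subkey lifecycle the SUBCOMMANDS section lays out (add a
       replacement, revoke the old subkey so it is no longer considered
       valid, then delete its secret key material, since deletion alone
       keeps the public key usable) as one script.  This is an added POSIX
       shell example; it is not part of this manual page or of Sequoia's own
       tooling.  It assumes `sq` 1.3.1 is on PATH when commands are actually
       run, reuses the fingerprints from the examples above, and the `DRY_RUN`
       and `ROTATE` variables and the `check_caps`, `run` and `rotate_subkey`
       helpers are this example's own.  `check_caps` encodes the capability
       rules from `sq key subkey add` and goes beyond the single signing case
       by accepting any capability set the manual allows.

```shell
#!/bin/sh
# Added example, not part of the sq manual or the Sequoia project: a small
# subkey rotation helper built on `sq key subkey add/revoke/delete`.
# Assumptions: `sq` (1.3.1) is on PATH when commands are really executed;
# CERT and OLD_SIGNING_KEY are the fingerprints from the EXAMPLES section;
# DRY_RUN=1 prints each command instead of executing it.

CERT=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
OLD_SIGNING_KEY=42020B87D51877E5AF8D272124F3955B0B8DECC8

# Validate a set of capability flags against the rules in the description:
# at least one capability, and encryption must not be combined with signing
# or authentication.  Returns 0 when valid, 1 when invalid, 2 on a flag this
# helper does not know.
check_caps() {
    enc=0 sigauth=0 any=0
    for cap in "$@"; do
        case "$cap" in
            --can-encrypt=storage|--can-encrypt=transport|--can-encrypt=universal)
                enc=1 any=1 ;;
            --can-sign|--can-authenticate)
                sigauth=1 any=1 ;;
            --can-certify)
                any=1 ;;
            *)
                return 2 ;;
        esac
    done
    if [ "$any" -ne 1 ]; then
        return 1
    fi
    if [ "$enc" -eq 1 ] && [ "$sigauth" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rotate one subkey: add a replacement with the given capabilities, revoke
# the old subkey so relying parties stop using it, then drop its secret key
# material.  Revoke comes before delete because delete retains the public
# key (see `sq key subkey delete` above).
rotate_subkey() {
    cert=$1 old_key=$2
    shift 2
    check_caps "$@" || { echo "invalid capability set: $*" >&2; return 1; }
    run sq key subkey add "$@" --cert="$cert" || return 1
    run sq key subkey revoke --cert="$cert" --key="$old_key" \
        --reason retired --message "Subkey rotation." || return 1
    run sq key subkey delete --cert="$cert" --key="$old_key"
}

# Entry point, only when ROTATE=1 is set, e.g.:
#   DRY_RUN=1 ROTATE=1 sh rotate-subkey.sh    # show the three commands
#   ROTATE=1 sh rotate-subkey.sh              # run them against the key store
if [ "${ROTATE:-0}" = 1 ]; then
    rotate_subkey "$CERT" "$OLD_SIGNING_KEY" --can-sign
fi
```

       Running it with `DRY_RUN=1` first is the sensible check: the three
       printed commands should match the add, revoke and delete examples
       above before the script is allowed to touch the secret key store.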

SEE ALSO
       sq(1), sq-key(1), sq-key-subkey-add(1), sq-key-subkey-export(1),
       sq-key-subkey-delete(1), sq-key-subkey-password(1),
       sq-key-subkey-expire(1), sq-key-subkey-revoke(1),
       sq-key-subkey-bind(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
