FreeBSD Manual Pages

SQ(1)				 User Commands				 SQ(1)

NAME
       sq - A command-line frontend for	Sequoia, an implementation of OpenPGP

SYNOPSIS
       sq encrypt [OPTIONS] FILE
       sq decrypt [OPTIONS] FILE
       sq sign [OPTIONS] FILE
       sq verify [OPTIONS] FILE
       sq download [OPTIONS]
       sq inspect [OPTIONS] FILE
       sq cert [OPTIONS]  SUBCOMMAND
       sq key [OPTIONS]	 SUBCOMMAND
       sq pki [OPTIONS]	 SUBCOMMAND
       sq network [OPTIONS]  SUBCOMMAND
       sq keyring [OPTIONS]  SUBCOMMAND
       sq packet [OPTIONS]  SUBCOMMAND
       sq config [OPTIONS]  SUBCOMMAND
       sq version [OPTIONS]

DESCRIPTION
       A command-line frontend for Sequoia, an implementation of OpenPGP.

       Functionality  is grouped and available using subcommands.  This	inter-
       face is not completely stateless.  In particular,  the  user's  default
       certificate    store   is   used.    This   can	 be   disabled	 using
       `--cert-store=none`.  Similarly,	a key store is used to manage and pro-
       tect   secret   key   material.	  This	 can   be    disabled	 using
       `--key-store=none`.

       OpenPGP	data  can  be  provided	in binary or ASCII armored form.  This
       will be handled automatically.  Emitted OpenPGP data is	ASCII  armored
       by default.

       We use the term "certificate", or "cert"	for short, to refer to OpenPGP
       keys that do not	contain	secrets.  Conversely, we use the term "key" to
       refer to	OpenPGP	keys that do contain secrets.

OPTIONS
   Global options
       --batch
	      Prevents any kind	of prompting

	      Enables  batch  mode.  In	batch mode, sq will never ask for user
	      input, such as prompting for passwords.

       --cert-store=PATH
	      Specify the location of the certificate store

	      By default, `sq` uses the	OpenPGP	certificate directory  in  Se-
	      quoia's  home  directory (see `--home`), $HOME/pgp.cert.d.  This
	      can be overridden	by setting the `PGP_CERT_D` environment	 vari-
	      able.

	      Use  'default'  to  explicitly  use  the default cert store, use
	      'none' to	not use	a cert store.

       --cli-version=CLI_VERSION
	      Select a CLI version

	      `sq`'s CLI is versioned  using  a	 semantic  versioning  scheme.
	      Setting this options causes `sq` to error	out if it does not im-
	      plement  an interface that is compatible with the	specified ver-
	      sion.  For instance, if you set this to 1.1.0 and	`sq` only  im-
	      plements	version	 1.0.0	of the interface, then `sq` will error
	      out.

	      `sq` may implement multiple interfaces (e.g., 1.1.4, and 2.0.5).
	      By default, it selects the newest	version.  As such, if you  re-
	      quire  a	particular  interface, you need	to set this option for
	      every call to `sq`.

	      This option must be the first option on the command line.

	      This version of `sq` implements version 1.3.1 of the CLI	inter-
	      face.

	      Stable since 1.2.0.

       -h, --help
	      Print help (see a	summary	with '-h')

       --home=PATH
	      Set the home directory

	      Sequoia's	default	home directory is `$HOME`.  When using the de-
	      fault  location,	files  are placed according to the local stan-
	      dard, e.g., the XDG Base Directory Specification.	 When  an  al-
	      ternate  location	 is  specified,	 the  user data, configuration
	      files, and cache data are	placed under a single, unified	direc-
	      tory.  This is a lightweight way to partially isolate `sq`.

	      Use 'default' to explicitly use the default location, use	'none'
	      to not use a home	directory.

       --key-store=PATH
	      Override the key store server and	its data

	      A	key store server manages and protects secret key material.  By
	      default, `sq` connects to	the key	store server for Sequoia's de-
	      fault home directory (see	`--home`), $HOME/sequoia/keystore.  If
	      no key store server is running, one is started.

	      This  option  causes  `sq` to use	an alternate key store server.
	      If necessary, a key store	server is started, and	configured  to
	      look for its data	in the specified location.

	      Use  'default'  to explicitly use	the default server, use	'none'
	      to not use a key store.

       --keyring=PATH
	      Specify the location of a	keyring	to use

	      Keyrings are used	in addition to	any  certificate  store.   The
	      content  of  the	keyring	 is  not imported into the certificate
	      store.  When a certificate is looked up, it is looked up in  all
	      keyrings	and  any certificate store, and	the results are	merged
	      together.

       --known-notation=NOTATION
	      Add NOTATION to the list of known	notations

	      This is used when	validating signatures.	Signatures  that  have
	      unknown  notations  with the critical bit	set are	considered in-
	      valid.

       --overwrite
	      Overwrite	existing files

       --password-file=FILE
	      Seed the password	cache with the specified password

	      The password is added to the password  cache.   When  decrypting
	      secret  key material, the	password cache is only used if the key
	      is not protected by a retry counter, which  automatically	 locks
	      the key if a wrong password is entered too many times.

	      Note  that the entire key	file will be used as the password, in-
	      cluding any surrounding whitespace like a	trailing newline.
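	      An added example, not part of the sq man page, showing how to
	      write a `--password-file` without the trailing newline that
	      `echo` would add, and how to check an existing file for
	      trailing whitespace before handing it to sq.  The file name and
	      password are constructed for illustration.

```shell
set -eu

# Write PASSWORD to FILE byte-for-byte.  `echo` would append a newline, and
# sq uses the whole file as the password, trailing newline included.
# The restrictive umask keeps the file readable by the owner only.
write_password_file() {
    file=$1; password=$2
    (umask 077; printf '%s' "$password" > "$file")
}

# Return 0 if FILE ends in whitespace (space, tab, CR or LF) that would
# silently become part of the password, 1 otherwise (including empty file).
has_trailing_whitespace() {
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last" in 20|09|0d|0a) return 0 ;; *) return 1 ;; esac
}

# Typical use (hypothetical file name):
#   write_password_file "$HOME/.sq-pass" "$PW" &&
#       sq --password-file="$HOME/.sq-pass" decrypt ciphertext.pgp
```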

       --policy-as-of=TIME
	      Select the cryptographic policy as of the	specified time

	      The time is expressed as an ISO 8601 formatted  timestamp.   The
	      policy determines	what cryptographic constructs are allowed.

	      If you are working with a	message	that sq	rejects, because it is
	      protected	 by  cryptographic  constructs that are	now considered
	      broken, you can use this option to select	 a  different  crypto-
	      graphic  policy.	 If you	are relying on the cryptography, e.g.,
	      you are verifying	a signature, then you should only do  this  if
	      you are confident	that the message hasn't	been tampered with.

	      TIME is interpreted as an	ISO 8601 timestamp.  To	set the	policy
	      time to January 1, 2007 at midnight UTC, you can do:

	      $	sq --policy-as-of 20070101 verify --message msg.pgp

	      Defaults to the reference	time, which can	be set using --time.

       -q, --quiet
	      Be more quiet

	      The  default  can	be changed in the configuration	file using the
	      setting `ui.quiet`.

       --time=TIME
	      Set the reference	time as	an ISO 8601 formatted timestamp

	      Normally,	commands use the current time as the  reference	 time.
	      This argument allows the user to use a different reference
	      time.  For instance, when	creating a key using  `sq  key	gener-
	      ate`, the	creation time is normally set to the current time, but
	      can  be overridden using this option.  Similarly,	when verifying
	      a	message, the message is	verified with respect to  the  current
	      time.  This option allows	the user to use	a different time.

	      TIME is interpreted as an	ISO 8601 timestamp.  To	set the	certi-
	      fication time to July 21,	2013 at	midnight UTC, you can do:

	      $	sq --time 20130721 verify --message msg.pgp

	      To include a time, say 5:50 AM, add a T, the time	and optionally
	      the timezone (the	default	timezone is UTC):

	      $ sq --time 20130721T0550+0200 verify --message msg.pgp

       --trust-root=FINGERPRINT|KEYID
	      Consider the specified certificate to be a trust root

	      Trust roots are used by trust models, e.g., the Web of Trust, to
	      authenticate certificates	and User IDs.

       -v, --verbose
	      Be more verbose

	      The  default  can	be changed in the configuration	file using the
	      setting `ui.verbose`.

SUBCOMMANDS
   sq encrypt
       Encrypt a message.

       Encrypt a message for any number	of recipients and with any  number  of
       passwords, optionally signing the message in the	process.

       The converse operation is `sq decrypt`.

       `sq  encrypt` respects the reference time set by	the top-level `--time`
       argument.  It uses the reference	time when selecting  encryption	 keys,
       and it sets the signature's creation time to the	reference time.

   sq decrypt
       Decrypt a message.

       Decrypt	a  message  using  either supplied keys, or by prompting for a
       password.  If message tampering is detected, an error is	returned.  See
       below for details.

       If certificates are supplied using the `--signer-file` option, any sig-
       natures	that are found are checked using these certificates. Verifica-
       tion is only successful if there	is no bad signature, and the number of
       successfully verified signatures	reaches	the threshold configured  with
       the `--signatures` parameter.

       If the signature verification fails, or if message tampering is de-
       tected, the program terminates with an exit status indicating failure,
       and the output file is deleted.  If the output was sent to stdout, then
       the last 25 MiB of the message are withheld (consequently, if the mes-
       sage is smaller than 25 MiB, no output is produced).

       The converse operation is `sq encrypt`.

   sq sign
       Sign messages or	data files.

       Creates signed messages or detached  signatures.	  Detached  signatures
       are often used to sign software packages.

       The converse operation is `sq verify`.

       `sq sign` respects the reference	time set by the	top-level `--time` ar-
       gument.	 When  set,  it	uses the specified time	instead	of the current
       time, when determining what keys	are valid, and it sets the signature's
       creation	time to	the reference time instead of the current time.

   sq verify
       Verify signed messages or detached signatures.

       When verifying signed messages, the message is written to stdout	or the
       file given to `--output`.

       When a detached message is verified, no output is  produced.   Detached
       signatures are often used to sign software packages.

       Verification  is	 only successful if there is no	bad signature, and the
       number of successfully verified signatures reaches the  threshold  con-
       figured	with the `--signatures`	parameter.  If the verification	fails,
       the program terminates with an exit status indicating failure, and  the
       output  file  is	 deleted.   If the output was sent to stdout, then the
       last 25 MiB of the message are withheld (consequently, if  the  message
       is smaller than 25 MiB, no output is produced).

       A  signature is considered to have been authenticated if	the signer can
       be authenticated.  If the signer	is provided via	`--signer-file`,  then
       the  signer  is	considered  authenticated.   Otherwise,	 the signer is
       looked up and authenticated using the Web of Trust.  If	at  least  one
       User ID can be fully authenticated, then	the signature is considered to
       have  been  authenticated.   If the signature includes a	Signer User ID
       subpacket, then only that User ID is considered.	  Note:	 the  User  ID
       need not	be self	signed.

       The converse operation is `sq sign`.

       If  you	are looking for	a standalone program to	verify detached	signa-
       tures, consider using sequoia-sqv.

       `sq verify` respects the	reference time set by the  top-level  `--time`
       argument.   When	 set, it verifies the message as of the	reference time
       instead of the current time.

   sq download
       Download	and authenticate the data.

       This command downloads the data from the	specified URL, checks the sig-
       nature, and then	authenticates the signer.  If the signer cannot	be au-
       thenticated, the	data is	deleted, if possible.

   sq inspect
       Inspect data, like file(1).

       It is often difficult to tell from cursory inspection using cat(1) or
       file(1) what kind of OpenPGP data one is looking at.  This subcommand
       inspects the data and provides a meaningful human-readable description
       of it.

       `sq inspect` respects the reference time	set by the top-level  `--time`
       argument.   It  uses  the  reference time when determining what binding
       signatures are active.

   sq cert
       Manage certificates.

       We use the term "certificate", or "cert"	for short, to refer to OpenPGP
       keys that do not	contain	secrets.  This subcommand provides  primitives
       to generate and otherwise manipulate certs.

       Conversely, we use the term "key" to refer to OpenPGP keys that do con-
       tain secrets.  See `sq key` for operations on keys.

   sq key
       Manage keys.

       We use the term "key" to	refer to OpenPGP keys that do contain secrets.
       This  subcommand	 provides primitives to	generate and otherwise manipu-
       late keys.

       Conversely, we use the term "certificate", or "cert" for	short, to  re-
       fer to OpenPGP keys that	do not contain secrets.	 See `sq cert` for op-
       erations	on certificates.

   sq pki
       Authenticate certs using	the Web	of Trust.

       The  "Web  of Trust" is a decentralized trust model popularized by PGP.
       It is a superset	of X.509, which	is a hierarchical trust	model, and  is
       the  most popular trust model on	the public internet today.  As used on
       the public internet, however, X.509 relies on a handful of global  cer-
       tification authorities (CAs) who	often undermine	its security.

       The Web of Trust is more nuanced than X.509.  Using the Web of Trust,
       users can require multiple, independent paths to authenticate a bind-
       ing by only partially trusting CAs.  This prevents a single bad actor
       from compromising their security.  And those who have stronger secur-
       ity requirements can use the Web of Trust in a completely decentral-
       ized manner where only the individuals they select, who are not nec-
       essarily institutions, act as trusted introducers.

   sq network
       Retrieve	and publish certificates over the network.

       OpenPGP	certificates can be discovered and updated from, and published
       on services accessible over the network.	 This is a collection of  com-
       mands to	interact with these services.

   sq keyring
       Manage collections of keys or certs.

       Collections of keys or certificates (also known as "keyrings" when they
       contain	secret	key material, and "certrings" when they	don't) are any
       number of concatenated certificates.  This subcommand provides tools to
       list, split, merge, and filter keyrings.

       Note: In	the documentation of this subcommand,  we  sometimes  use  the
       terms keys and certs interchangeably.

   sq packet
       Low-level packet	manipulation.

       An  OpenPGP data	stream consists	of packets.  These tools allow working
       with packet streams.  They are mostly of	interest  to  developers,  but
       `sq  packet  dump`  may	be helpful to a	wider audience both to provide
       valuable	information in bug reports to OpenPGP-related software,	and as
       a learning tool.

   sq config
       Query, inspect, and create the configuration file.

       This subcommand can be used to query and	inspect	the configuration file
       (default	location: $HOME/sequoia/sq/config.toml), and to	create a  tem-
       plate that can be edited	to your	liking.

       Configuration file: $HOME/sequoia/sq/config.toml

   sq version
       Detailed	version	and output version information.

       With  no	 further  options, this	command	lists the version of `sq`, the
       version of the underlying OpenPGP implementation	`sequoia-openpgp`, and
       which cryptographic library is used.

ENVIRONMENT
       SEQUOIA_CERT_STORE=PATH
	      Specify the location of the certificate store

	      By default, `sq` uses the	OpenPGP	certificate directory  in  Se-
	      quoia's  home  directory (see `--home`), $HOME/pgp.cert.d.  This
	      can be overridden	by setting the `PGP_CERT_D` environment	 vari-
	      able.

	      Use  'default'  to  explicitly  use  the default cert store, use
	      'none' to	not use	a cert store.

       SEQUOIA_HOME=PATH
	      Set the home directory

	      Sequoia's	default	home directory is `$HOME`.  When using the de-
	      fault location, files are	placed according to  the  local	 stan-
	      dard,  e.g.,  the	XDG Base Directory Specification.  When	an al-
	      ternate location is  specified,  the  user  data,	 configuration
	      files,  and cache	data are placed	under a	single,	unified	direc-
	      tory.  This is a lightweight way to partially isolate `sq`.

	      Use 'default' to explicitly use the default location, use	'none'
	      to not use a home	directory.

       SEQUOIA_KEY_STORE=PATH
	      Override the key store server and	its data

	      A	key store server manages and protects secret key material.  By
	      default, `sq` connects to	the key	store server for Sequoia's de-
	      fault home directory (see	`--home`), $HOME/sequoia/keystore.  If
	      no key store server is running, one is started.

	      This option causes `sq` to use an	alternate  key	store  server.
	      If  necessary,  a	key store server is started, and configured to
	      look for its data	in the specified location.

	      Use 'default' to explicitly use the default server,  use	'none'
	      to not use a key store.

EXAMPLES
   sq encrypt
       Encrypt a file for a recipient given by fingerprint.

	      sq encrypt --for=EB28F26E2739A4870ECC47726F0073F60FD0CBF0	\
		     --signer-email=juliet@example.org document.txt

       Encrypt a file for a recipient given by email.

	      sq encrypt --for-email=alice@example.org \
		     --signer-email=juliet@example.org document.txt

   sq decrypt
       Decrypt a file using a secret key.

	      sq decrypt --recipient-file juliet-secret.pgp ciphertext.pgp

       Decrypt a file verifying signatures.

	      sq decrypt --recipient-file juliet-secret.pgp --signer-file \
		     romeo.pgp ciphertext.pgp

       Decrypt a file using the key store.

	      sq decrypt ciphertext.pgp

   sq sign
       Create a	signed message.

	      sq sign --signer-file juliet-secret.pgp --message	document.txt

       Create a	detached signature.

	      sq sign --signer-file juliet-secret.pgp \
		     --signature-file=document.txt.sig document.txt

   sq verify
       Verify a	signed message.

	      sq verify	--message document.pgp

       Verify a	detached signature.

	      sq verify	--signature-file=document.sig document.txt

       Verify a	message	as of June 19, 2024 at midnight	UTC.

	      sq verify	--time 2024-06-19 --message document.pgp

   sq download
       Download	and verify the Debian 12 checksum file.

	      sq download --url=file://debian/SHA512SUMS \
		     --signature-url=file://debian/SHA512SUMS.sign \
		     --signer=DF9B9C49EAA9298432589D76DA87E80D6294BE9B \
		     --output=SHA512SUMS
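       An added example, not part of the sq man page, that carries the Debian
       example above one step further: after `sq download` has authenticated
       SHA512SUMS (it exits non-zero and removes the output otherwise), a
       downloaded artifact is checked against its entry in that file.  It
       assumes the coreutils "<digest>  <name>" line format and either
       sha512sum(1) or FreeBSD's sha512(1); the fingerprint and URLs are the
       ones from the example above.

```shell
set -eu

# Signer fingerprint and checksum URL taken from the man page's example.
SIGNER=DF9B9C49EAA9298432589D76DA87E80D6294BE9B
SUMS_URL=file://debian/SHA512SUMS

# Fetch and authenticate the checksum file.  `sq download` terminates with a
# failure status and deletes the output when the signature is bad or the
# signer cannot be authenticated, so a SHA512SUMS that survives this call
# was authenticated against $SIGNER.
fetch_sums() {
    sq download --url="$SUMS_URL" --signature-url="$SUMS_URL.sign" \
        --signer="$SIGNER" --output=SHA512SUMS
}

# Hex SHA-512 digest of a file: coreutils on Linux, sha512(1) on FreeBSD.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{ print $1 }'
    else
        sha512 -q "$1"
    fi
}

# Compare a local file with its entry in the authenticated SHA512SUMS.
# Returns 0 on a match, 1 when the entry is missing or the digest differs.
check_artifact() {
    sums=$1; file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 1
    [ "$expected" = "$(sha512_of "$file")" ]
}

# Typical use: fetch_sums && check_artifact SHA512SUMS debian-12.iso
```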

   sq inspect
       Inspect a certificate.

	      sq inspect juliet.pgp

       Show how	the certificate	looked on July 21, 2013.

	      sq inspect --time	20130721 juliet.pgp

       Inspect an encrypted message.

	      sq inspect message.pgp

       Inspect a detached signature.

	      sq inspect document.sig

SEE ALSO
       sq-encrypt(1), sq-decrypt(1), sq-sign(1), sq-verify(1), sq-download(1),
       sq-inspect(1),	sq-cert(1),   sq-key(1),   sq-pki(1),	sq-network(1),
       sq-keyring(1), sq-packet(1), sq-config(1), sq-version(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=sq&sektion=1&manpath=FreeBSD+Ports+15.0.quarterly>