SQ(1)				 User Commands				 SQ(1)

NAME
       sq-key-generate - Generate a new	key

SYNOPSIS
       sq key generate [OPTIONS]

DESCRIPTION
       Generate	a new key.

       Generating  a  key  is the prerequisite to receiving encrypted messages
       and creating signatures.	 There are a few parameters to	this  process,
       but we provide reasonable defaults for most users.

       When generating a key, we also generate an emergency revocation
       certificate. This can be used in case the key is lost or compromised.
       It is saved alongside the key. This can be changed using the
       `--rev-cert` argument.

       By  default a key expires after 3 years.	 This can be changed using the
       `--expiration` argument.

       `sq key generate` respects the reference	 time  set  by	the  top-level
       `--time`	 argument.   It	sets the creation time of the primary key, any
       subkeys,	and the	binding	signatures to the reference time.

OPTIONS
   Subcommand options
       --allow-non-canonical-userids
	      Don't reject user	IDs that are not in canonical form

	      Canonical	user IDs are  of  the  form  `Name  (Comment)  <local-
	      part@example.org>`.

       --can-authenticate
	      Add an authentication-capable subkey (default)

       --can-encrypt=PURPOSE
	      Add an encryption-capable	subkey [default: universal]

	      Encryption-capable subkeys can be marked as suitable for
	      transport encryption, storage encryption, or both, i.e.,
	      universal.

	      [possible	values:	transport, storage, universal]

       --can-sign
	      Add a signing-capable subkey (default)

       --cannot-authenticate
	      Don't add	an authentication-capable subkey

       --cannot-encrypt
	      Don't add	an encryption-capable subkey

       --cannot-sign
	      Don't add	a signing-capable subkey

       --cipher-suite=CIPHER-SUITE
	      Select the cryptographic algorithms for the key

	      The default can be changed in the	configuration file  using  the
	      setting `key.generate.cipher-suite`.

	      [default:	cv25519]

	      [possible	values:	rsa2k, rsa3k, rsa4k, cv25519]

       --email=ADDRESS
	      Add an email address as user ID to the key

       --expiration=EXPIRATION
	      Sets the expiration time

	      EXPIRATION is either an ISO 8601 formatted date with an optional
	      time   or	  a  custom  duration.	 A  duration  takes  the  form
	      `N[ymwds]`, where	the letters stand for  years,  months,	weeks,
	      days,  and  seconds,  respectively.  Alternatively,  the keyword
	      `never` does not set an expiration time.

	      [default:	3y]

       --name=NAME
	      Add a name as user ID to the key

       --new-password-file=PASSWORD_FILE
	      File containing password to encrypt the secret key material

	      Note that the entire file will be used as the password,
	      including any surrounding whitespace like a trailing newline.

       --no-userids
	      Create a key without any user IDs

       --output=FILE
	      Write the	key to the specified file

	      When not specified, the key is saved on the key store.

       --own-key
	      Mark the key as one's own	key

	      The  newly generated key with all	of its user IDs	will be	marked
	      as authenticated and as a	fully trusted introducer.

       --profile=PROFILE
	      Select the OpenPGP standard for the key

	      As OpenPGP evolves, new versions will become available. This
	      option selects the version of OpenPGP to use for the newly
	      generated key.

	      sq currently supports two profiles: RFC9580 and RFC4880. The
	      default is currently RFC4880, but it will change in a future
	      version of sq once support for RFC9580 is rolled out further.

	      The  default  can	be changed in the configuration	file using the
	      setting `key.generate.profile`.

	      [default:	rfc4880]

	      [possible	values:	rfc9580, rfc4880]

       --rev-cert=FILE
	      Write the	emergency revocation certificate to FILE

	      When the key is stored on the key store, the revocation
	      certificate is stored in $HOME/sequoia/revocation-certificates
	      by default.

	      When  `--output`	is  specified,	the  revocation	certificate is
	      written to the file specified by `--rev-cert`.

	      If `--output` is `-`, then this option must not also be `-`.

       --shared-key
	      Mark the key as a	shared key

	      The newly	generated key with all of its user IDs will be	marked
	      as authenticated,	but not	as a trusted introducer.  Further, the
	      key metadata will	indicate that this is a	shared key.

	      Use this option if you plan to share this key with other people.
	      Normally, you shouldn't share key material. An example of where
	      you might want to do this is a shared mailbox.

       --userid=USERID
	      Add a user ID to the key

	      This user ID can combine name and email address, can optionally
	      contain a comment, or even be free-form if
	      `--allow-non-canonical-userids` is given. However, user IDs that
	      include different information such as name and email address are
	      more difficult to reason about, so using distinct user IDs for
	      name and email address is preferred nowadays.

	      When in doubt, prefer `--name` and `--email`.

       --without-password
	      Don't protect the	secret key material with a password

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Generate	a key, and save	it on the key store.

	      sq key generate --own-key	--name Alice --email \
		     alice@example.org

       Generate	a key, and save	it in a	file instead of	in the key store.

	      sq key generate --own-key	--name Alice --email \
		     alice@example.org --output	alice-priv.pgp --rev-cert \
		     alice-priv.rev
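
       The `--new-password-file` caveat above, shown as an added example
       that is not part of the sq manual or the Sequoia project's code. The
       helper function names and the paths passed to them are hypothetical;
       the sq options are the ones documented on this page.

```shell
#!/bin/sh
# Added example: all function names below are hypothetical helpers.

# Write password $2 to file $1 with no trailing newline, owner-only access.
# printf '%s' emits exactly the bytes given; echo would append "\n", which
# sq would then treat as part of the password.
write_pwfile() {
    ( umask 077; printf '%s' "$2" > "$1" ) && chmod 600 "$1"
}

# Return 0 if hex byte $1 is space, tab, LF or CR.
edge_byte_is_ws() {
    case "$1" in
        20|09|0a|0d) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if file $1 starts or ends with a whitespace byte.
pwfile_has_edge_whitespace() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    edge_byte_is_ws "$first" || edge_byte_is_ws "$last"
}

# Return 0 if file $1 grants no permissions to group or other.
pwfile_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = password file, $2 = key output file, $3 = revocation certificate file.
# Refusing edge whitespace is a policy choice of this example, not of sq.
generate_key_with_pwfile() {
    if pwfile_has_edge_whitespace "$1"; then
        echo "refusing: $1 starts or ends with whitespace" >&2
        return 2
    fi
    if ! pwfile_is_private "$1"; then
        echo "refusing: $1 is accessible to group or other" >&2
        return 3
    fi
    sq key generate --own-key --name Alice --email alice@example.org \
        --new-password-file="$1" --output "$2" --rev-cert "$3"
}
```

       A password file written with `echo` ends in a newline and is rejected
       by the check before sq is ever invoked.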

SEE ALSO
       sq(1), sq-key(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
