SQ(1)				 User Commands				 SQ(1)

NAME
       sq-key-subkey-add - Add a new subkey to a certificate

SYNOPSIS
       sq key subkey add [OPTIONS]

DESCRIPTION
       Add a new subkey to a certificate.

       A subkey has one or more capabilities.

       `--can-sign` sets the signing capability, and means that the key may be
       used for signing. `--can-authenticate` sets the authentication
       capability, and means that the key may be used for authentication
       (e.g., as an SSH key). `--can-certify` sets the certificate capability,
       and means that the key may be used to make third-party certifications.
       These capabilities may be combined.

       `--can-encrypt=storage` sets the storage encryption capability, and
       means that the key may be used for storage encryption.
       `--can-encrypt=transport` sets the transport encryption capability, and
       means that the key may be used for transport encryption.
       `--can-encrypt=universal` sets both the storage and the transport
       encryption capability, and means that the key may be used for both
       storage and transport encryption. The encryption capabilities must not
       be combined with the signing or authentication capability.

       Normally, `sq` prompts the user for a password to use to encrypt the
       secret key material. The password for the new subkey may be different
       from the other keys. When using `--without-password`, `sq` doesn't
       prompt for a password, and doesn't password-protect the subkey.

       By default a new subkey doesn't expire on its own. However, its
       validity period is limited by that of the certificate. Using the
       `--expiration` argument allows setting a different expiration time.

       `sq key subkey add` respects the reference time set by the top-level
       `--time` argument. It sets the creation time of the subkey to the
       specified time.

OPTIONS
   Subcommand options
       --can-authenticate
              Add an authentication-capable subkey

       --can-encrypt=PURPOSE
              Add an encryption-capable subkey [default: universal]

              Encryption-capable subkeys can be marked as suitable for
              transport encryption, storage encryption, or both, i.e.,
              universal.

              [possible values: transport, storage, universal]

       --can-sign
              Add a signing-capable subkey

       --cert=FINGERPRINT|KEYID
              Add a subkey to the key with the specified fingerprint or key ID

       --cert-email=EMAIL
              Add a subkey to the key where a user ID includes the specified
              email address

       --cert-file=PATH
              Add a subkey to the key read from PATH

       --cert-userid=USERID
              Add a subkey to the key with the specified user ID

       --cipher-suite=CIPHER-SUITE
              Select the cryptographic algorithms for the subkey

              The default can be changed in the configuration file using the
              setting `key.generate.cipher-suite`.

              [default: cv25519]

              [possible values: rsa2k, rsa3k, rsa4k, cv25519]

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION is either an ISO 8601 formatted date with an optional
              time or a custom duration. A duration takes the form
              `N[ymwds]`, where the letters stand for years, months, weeks,
              days, and seconds, respectively. Alternatively, the keyword
              `never` does not set an expiration time.

              [default: never]

       --new-password-file=PASSWORD_FILE
              File containing password to encrypt the secret key material

              Note that the entire contents of the file are used as the
              password, including any surrounding whitespace such as a
              trailing newline.

       --output=FILE
              Write to the specified FILE

              If not specified, and the certificate was read from the
              certificate store, imports the modified certificate into the key
              store. If not specified, and the certificate was read from a
              file, writes the modified certificate to stdout.

       --without-password
              Don't protect the subkey's secret key material with a password

   Global options
       See sq(1) for a description of the global options.

EXAMPLES
       Add a new signing-capable subkey to Alice's key.

              sq key subkey add --can-sign \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
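
       Pre-flight checks for two pitfalls documented above: the capability
       rule in DESCRIPTION and the whitespace note under
       `--new-password-file`. This wrapper is an added example, not part of sq
       or its documentation; the function names are assumptions made for
       illustration.

```sh
#!/bin/sh
# Added example, not part of sq. Function names are made up for illustration.

# Print the first or last byte of FILE as two hex digits (empty if FILE is empty).
edge_byte() {  # usage: edge_byte first|last FILE
    case $1 in
        first) dd if="$2" bs=1 count=1 2>/dev/null ;;
        last)  tail -c 1 "$2" ;;
    esac | od -An -tx1 | tr -d ' \n'
}

# Succeed if FILE starts or ends with space, tab, LF or CR. The whole file is
# the password, so `echo secret > FILE` stores "secret\n", not "secret".
pwfile_has_edge_whitespace() {
    for pos in first last; do
        case $(edge_byte "$pos" "$1") in
            20|09|0a|0d) return 0 ;;
        esac
    done
    return 1
}

# Succeed if the capability flags may share one subkey: encryption must not
# be combined with signing or authentication.
caps_compatible() {
    enc=0; sigauth=0
    for flag in "$@"; do
        case $flag in
            --can-encrypt=*) enc=1 ;;
            --can-sign|--can-authenticate) sigauth=1 ;;
        esac
    done
    [ "$enc" -eq 0 ] || [ "$sigauth" -eq 0 ]
}

# Check first, then call sq. Returns 2 or 3 without running sq on a failed check.
add_subkey() {  # usage: add_subkey FINGERPRINT PASSWORD_FILE [sq options...]
    cert=$1; pwfile=$2; shift 2
    if ! caps_compatible "$@"; then
        echo "refusing: encryption combined with signing/authentication" >&2
        return 2
    fi
    if pwfile_has_edge_whitespace "$pwfile"; then
        echo "refusing: $pwfile has leading or trailing whitespace" >&2
        return 3
    fi
    sq key subkey add --cert="$cert" --new-password-file="$pwfile" "$@"
}
```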

SEE ALSO
       sq(1), sq-key(1), sq-key-subkey(1).

       For the full documentation see <https://book.sequoia-pgp.org/>.

VERSION
       1.3.1

Sequoia	PGP			     1.3.1				 SQ(1)
