sq-key-generate - Man Page

Generate a new key


sq key generate [Options]  


Generate a new key.

Generating a key is the prerequisite to receiving encrypted messages and creating signatures.  There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate an emergency revocation certificate. This can be used in case the key is lost or compromised.  It is saved alongside the key.  This can be changed using the `--rev-cert` argument.

By default a key expires after 3 years.  This can be changed using the `--expiration` argument.

`sq key generate` respects the reference time set by the top-level `--time` argument.  It sets the creation time of the primary key, any subkeys, and the binding signatures to the reference time.


Subcommand options


Don't reject user IDs that are not in canonical form.

Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

-c,  --cipher-suite=CIPHER-SUITE

Select the cryptographic algorithms for the key

[default: cv25519]

[possible values: rsa3k, rsa4k, cv25519]


Add an authentication-capable subkey (default)


Add an encryption-capable subkey.

Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal.  [default: universal]

[possible values: transport, storage, universal]


Add a signing-capable subkey (default)


Don't add an authentication-capable subkey


Don't add an encryption-capable subkey


Don't add a signing-capable subkey


Sets the certificate's expiration time.

EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively.  Alternatively, the keyword `never` does not set an expiration time.

When using an ISO 8601 formatted string, the validity period is from the certificate's creation time to the specified time.  When using a duration, the validity period is from the certificate's creation time for the specified duration.

[default: 3y]


Create a key without any user IDs

-o,  --output=FILE

Write the key to the specified file.

When not specified, the key is saved on the key store.


Write the emergency revocation certificate to FILE.

When the key is stored on the key store, the revocation certificate is stored in `$HOME/.local/share/sequoia/revocation-certificates` by default.

When `--output` is specified, the revocation certificate is written to `FILE.rev` by default.

If `--output` is `-`, then this option must be provided.

-u,  --userid=USERID

Add a user ID to the key


Protect the secret key material with a password

Global options

See sq(1) for a description of the global options.


Generate a key, and save it on the key store.

    sq key generate --userid "Alice <alice@example.org>"

Generate a key, and save it in a file instead of in the key store.

    sq key generate --userid "Alice <alice@example.org>" --output \

Strip the secret key material from the new key.

    sq toolbox extract-cert alice-priv.pgp --output alice.pgp
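
The following is an added example, not part of sq or of the original man page: a pre-flight check that validates an `--expiration` value against the grammar documented above (`never`, `N[ymwds]`, or an ISO 8601 string) before it is handed to `sq key generate`. The function names, the `MAX_DAYS` ceiling, the 365-day year and 30-day month approximations, and the loose ISO 8601 shape check are assumptions made for this example; sq performs its own parsing and arithmetic.

```shell
#!/bin/sh
# Added example (not part of sq): pre-flight check for an --expiration value.
MAX_DAYS=1095   # assumed policy ceiling: 3 x 365 days, mirroring the 3y default

# classify_expiration VALUE -> prints never | duration | iso8601 | invalid
classify_expiration() {
    if [ "$1" = never ]; then
        echo never
    elif printf '%s\n' "$1" | grep -Eq '^[0-9]{1,9}[ymwds]$'; then
        echo duration
    # Loose shape check, extended ISO 8601 form only; sq does the real parsing.
    elif printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9:]+(Z|[+-][0-9:]+)?)?$'; then
        echo iso8601
    else
        echo invalid
    fi
}

# duration_days N[ymwds] -> whole days, rounded up for seconds.
# 365-day years and 30-day months are a policy approximation (assumption).
duration_days() {
    unit=${1#"${1%?}"}                          # last character is the unit
    n=$(printf '%s' "${1%?}" | sed 's/^0*//')   # drop leading zeros (no octal)
    n=${n:-0}
    case "$unit" in
        y) echo $((n * 365)) ;;
        m) echo $((n * 30)) ;;
        w) echo $((n * 7)) ;;
        d) echo "$n" ;;
        s) echo $(( (n + 86399) / 86400 )) ;;
    esac
}

# check_expiration VALUE -> exit status 0 if acceptable under the policy
check_expiration() {
    case "$(classify_expiration "$1")" in
        never)   echo "reject: key would never expire" >&2; return 1 ;;
        invalid) echo "reject: unsupported expiration value: $1" >&2; return 1 ;;
        duration)
            days=$(duration_days "$1")
            if [ "$days" -eq 0 ] || [ "$days" -gt "$MAX_DAYS" ]; then
                echo "reject: $1 is outside 1..$MAX_DAYS days" >&2; return 1
            fi ;;
        iso8601) : ;;   # absolute date: left to sq to parse
    esac
    return 0
}
# Usage: check_expiration "$EXP" && \
#   sq key generate --userid "Alice <alice@example.org>" --expiration "$EXP"
```
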

See Also

sq(1), sq-key(1).

For the full documentation see <https://book.sequoia-pgp.org>.


0.37.0 (sequoia-openpgp 1.21.1)
