sq-key-generate - Man Page

Generate a new key

Synopsis

sq key generate [Options]

Description

Generate a new key.

Generating a key is the prerequisite to receiving encrypted messages and creating signatures.  There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate an emergency revocation certificate. This can be used in case the key is lost or compromised.  It is saved alongside the key.  This can be changed using the `--rev-cert` argument.

By default a key expires after 3 years.  This can be changed using the `--expiration` argument.

`sq key generate` respects the reference time set by the top-level `--time` argument.  It sets the creation time of the primary key, any subkeys, and the binding signatures to the reference time.

Options

Subcommand options

--allow-non-canonical-userids

Don't reject user IDs that are not in canonical form.

Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

-c,  --cipher-suite=CIPHER-SUITE

Select the cryptographic algorithms for the key

[default: cv25519]

[possible values: rsa3k, rsa4k, cv25519]

--can-authenticate

Add an authentication-capable subkey (default)

--can-encrypt=PURPOSE

Add an encryption-capable subkey.

Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal.  [default: universal]

[possible values: transport, storage, universal]

--can-sign

Add a signing-capable subkey (default)

--cannot-authenticate

Don't add an authentication-capable subkey

--cannot-encrypt

Don't add an encryption-capable subkey

--cannot-sign

Don't add a signing-capable subkey

--expiration=EXPIRATION

Sets the certificate's expiration time.

EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively.  Alternatively, the keyword `never` does not set an expiration time.

When using an ISO 8601 formatted string, the validity period is from the certificate's creation time to the specified time.  When using a duration, the validity period is from the certificate's creation time for the specified duration.

[default: 3y]

--no-userids

Create a key without any user IDs

-o,  --output=FILE

Write the key to the specified file.

When not specified, the key is saved on the key store.

--rev-cert=FILE

Write the emergency revocation certificate to FILE.

When the key is stored on the key store, the revocation certificate is stored in $HOME/.local/share/sequoia/revocation-certificates by default.

When `--output` is specified, the revocation certificate is written to `FILE.rev` by default.

If `--output` is `-`, then this option must be provided.

-u,  --userid=USERID

Add a user ID to the key

--with-password

Protect the secret key material with a password

Global options

See sq(1) for a description of the global options.

Examples

Generate a key, and save it on the key store.

    sq key generate --userid "Alice <alice@example.org>"

Generate a key, and save it in a file instead of in the key store.

    sq key generate --userid "Alice <alice@example.org>" --output \
    alice-priv.pgp

Strip the secret key material from the new key.

    sq toolbox extract-cert alice-priv.pgp --output alice.pgp
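As an added example that is not part of sq or this man page: a POSIX shell wrapper that checks the user ID and the `--expiration` argument against the forms documented above before invoking `sq key generate`, then strips the secret key material as in the last example. The user ID pattern treats the `(Comment)` part as optional, which is an assumption, and the output file names are constructed.

```shell
#!/bin/sh
# Added example (not sq's own code): pre-flight checks for the arguments
# documented on this page, then a password-protected key generation with an
# explicit revocation-certificate path and a secret-free certificate export.

# Returns 0 if USERID matches the canonical form `Name (Comment) <local@host>`.
# Assumption: the `(Comment)` part is optional; everything else is required.
is_canonical_userid() {
    printf '%s\n' "$1" |
        grep -Eq '^[^<>()]+( \([^()]*\))? <[^[:space:]<>@]+@[^[:space:]<>@]+>$'
}

# Returns 0 if EXPIRATION is `never`, a duration of the form N[ymwds],
# or an ISO 8601 date (YYYY-MM-DD, optionally with a time and zone).
is_valid_expiration() {
    [ "$1" = never ] && return 0
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]+[ymwds]|[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}:[0-9]{2}(Z|[+-][0-9]{2}:[0-9]{2})?)?)$'
}

# generate_key USERID OUTFILE [EXPIRATION]
# Writes the secret key to OUTFILE, the revocation certificate to OUTFILE.rev
# (an explicit path, so it is not lost when the key is not on the key store),
# and a certificate without secret material to OUTFILE-cert.pgp.
# --with-password prompts interactively, so run this from a terminal.
generate_key() {
    userid=$1
    out=$2
    expiration=${3:-3y}   # same default as the man page
    if ! is_canonical_userid "$userid"; then
        echo "refusing non-canonical user ID: $userid" >&2
        return 1
    fi
    if ! is_valid_expiration "$expiration"; then
        echo "bad --expiration value: $expiration" >&2
        return 1
    fi
    sq key generate --userid "$userid" --expiration "$expiration" \
        --cipher-suite cv25519 --with-password \
        --output "$out" --rev-cert "$out.rev" || return 1
    sq toolbox extract-cert "$out" --output "${out%.pgp}-cert.pgp"
}

# Constructed usage (only runs when sq is installed):
# command -v sq >/dev/null && generate_key "Alice <alice@example.org>" alice-priv.pgp 2y
```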

See Also

sq(1), sq-key(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.37.0 (sequoia-openpgp 1.21.1)

Referenced By

sq-key(1).