sq-key-subkey - Man Page

Add a new subkey to a certificate.

A subkey has one or more capabilities.

`--can-sign` sets the signing capability, and means that the key may be used for signing. `--can-authenticate` sets the authentication capability, and means that the key may be used for authentication (e.g., as an SSH key).  `--can-certify` sets the certificate capability, and means that the key may be used to make third-party certifications.  These capabilities may be combined.

`--can-encrypt=storage` sets the storage encryption capability, and means that the key may be used for storage encryption. `--can-encrypt=transport` sets the transport encryption capability, and means that the key may be used for transport encryption.  `--can-encrypt=universal` sets both the storage and the transport encryption capability, and means that the key may be used for both storage and transport encryption.  The encryption capabilities must not be combined with the signing or authentication capability.

Normally, `sq` prompts the user for a password to use to encrypt the secret key material.  The password for the new subkey may be different from the other keys.  When using `--without-password`, `sq` doesn't prompt for a password, and doesn't password-protect the subkey.

By default a new subkey doesn't expire on its own.  However, its validity period is limited by that of the certificate.  Using the `--expiration` argument allows setting a different expiration time.

`sq key subkey add` respects the reference time set by the top-level `--time` argument.  It sets the creation time of the subkey to the specified time.

Export secret key material from the secret key store.

Exports the secret key material.  Note that even if secret key material is available, it may not be exportable.  For instance, secret key material stored on a hardware security module usually cannot be exported from the device.

If you want to export all secret key material associated with a certificate, use `sq key export`.

Delete a certificate's secret key material.

Unlike `sq key delete`, which deletes all the secret key material, this command only deletes the specified secret key material.

Although the secret key material is deleted, the public keys are retained.  If you don't want the keys to be used anymore you should revoke the keys using `sq key subkey revoke`.

Change the password protecting secret key material.

Secret key material can be protected by a password.  This subcommand changes or clears the password of one or more keys.

To strip the password either use `--clear` or supply a zero-length password when prompted for the new password.

If a key is password protected, and the correct password was not supplied using the `--password-file` argument, the user is prompted for the password.  Likewise, if the new password isn't provided, the user is prompted.

Change a subkey's expiration time.

This subcommand changes a key's expiration time.  To change the expiration time of the certificate, use the `sq key expire` subcommand.

Changing the expiration time of the primary key is equivalent to changing the certificate's expiration time.

Revoke a subkey.

Creates a revocation certificate for a subkey.

If `--revoker` or `--revoker-file` is provided, then that key is used to create the revocation certificate.  If that key is different from the certificate that is being revoked, this results in a third-party revocation.  This is normally only useful if the owner of the certificate designated the key to be a designated revoker.

`sq key subkey revoke` respects the reference time set by the top-level `--time` argument.  When set, it uses the specified time instead of the current time when determining what keys are valid, and it sets the revocation certificate's creation time to the reference time instead of the current time.

Add a new signing-capable subkey to Alice's key.

    sq key subkey add --without-password --can-sign --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0

Export Alice's signing-capable and encryption-capable subkeys, but not her primary key or her authentication-capable subkey.

    sq key subkey export --key \
    42020B87D51877E5AF8D272124F3955B0B8DECC8 --key \

Delete Alice's signing subkey.

    sq key subkey delete --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --key \

Change the password for Alice's signing key to the password in the specified file.

    sq key subkey password --new-password-file password-file.txt \
    --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --key \

Clear the password protection for Alice's signing key.

    sq key subkey password --password-file password-file.txt \
    --clear-password --cert \

Make Alice's authentication subkey expire in 6 months.

    sq key subkey expire 6m --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --key \

Revoke Alice's signing subkey.

    sq key subkey revoke --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \