sq-key-subkey-add - Man Page

Add a new subkey to a certificate

Synopsis

sq key subkey add [Options]  

Description

Add a new subkey to a certificate.

A subkey has one or more capabilities.

`--can-sign` sets the signing capability, and means that the key may be used for signing. `--can-authenticate` sets the authentication capability, and means that the key may be used for authentication (e.g., as an SSH key). `--can-certify` sets the certification capability, and means that the key may be used to make third-party certifications. These capabilities may be combined.

`--can-encrypt=storage` sets the storage encryption capability, and means that the key may be used for storage encryption. `--can-encrypt=transport` sets the transport encryption capability, and means that the key may be used for transport encryption.  `--can-encrypt=universal` sets both the storage and the transport encryption capability, and means that the key may be used for both storage and transport encryption.  The encryption capabilities must not be combined with the signing or authentication capability.

When using `--with-password`, `sq` prompts the user for a password that is used to encrypt the subkey.  The password for the new subkey may be different from the other keys.

By default a new subkey doesn't expire on its own.  However, its validity period is limited by that of the certificate.  Using the `--expiration` argument allows setting a different expiration time.

`sq key subkey add` respects the reference time set by the top-level `--time` argument.  It sets the creation time of the subkey to the specified time.

Options

Subcommand options

-B,  --binary

Emit binary data

-c,  --cipher-suite=CIPHER-SUITE

Select the cryptographic algorithms for the subkey

[default: cv25519]

[possible values: rsa3k, rsa4k, cv25519]

--can-authenticate

Add an authentication-capable subkey

--can-encrypt=PURPOSE

Add an encryption-capable subkey.

Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal.  [default: universal]

[possible values: transport, storage, universal]

--can-sign

Add a signing-capable subkey

--cert=FINGERPRINT|KEYID

Add a subkey to the specified certificate

--cert-file=CERT_FILE

Add a subkey to the specified certificate

--expiration=EXPIRATION

Sets the key's expiration time.

EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` means that no expiration time is set.

When using an ISO 8601 formatted string, the validity period is from the key's creation time to the specified time.  When using a duration, the validity period is from the key's creation time for the specified duration.

[default: never]

-o,  --output=FILE

Write to the specified FILE.

If not specified, and the certificate was read from the certificate store, imports the modified certificate into the key store.  If not specified, and the certificate was read from a file, writes the modified certificate to stdout.

--with-password

Protect the subkey's secret key material with a password

Global options

See sq(1) for a description of the global options.

Examples

Import Alice's key.

    sq key import alice-secret.pgp

Add a new signing-capable subkey.

    sq key subkey add --can-sign --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0
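
The following preflight check is an added example, not part of sq or its documentation. It applies the rules stated above (encryption must not be combined with signing or authentication, `--expiration` takes `never`, `N[ymwds]` or an ISO 8601 string) before a script calls `sq key subkey add`. The function names, exit codes, the ISO 8601 subset pattern, the requirement to write options as `--option=value`, and the policy of demanding an explicit capability and exactly one certificate are assumptions of this example.

```sh
#!/bin/sh
# Added example: preflight check for `sq key subkey add` arguments.
# Function names and exit codes are this example's own, not part of sq.

# valid_expiration VALUE: `never`, a duration N[ymwds], or an ISO 8601 date.
# The ISO 8601 pattern is a shape check on a common subset (assumption);
# sq does the authoritative parsing.
valid_expiration() {
    [ "$1" = never ] && return 0
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[ymwds]$' && return 0
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}(:[0-9]{2})?(Z|[+-][0-9]{2}:[0-9]{2})?)?$'
}

# check_subkey_args ARGS...: returns 0 if acceptable, 2 for a malformed or
# unknown argument, 3 for a combination the man page forbids or that this
# example's policy rejects.
check_subkey_args() {
    _sign_auth=0 _encrypt=0 _caps=0 _certs=0
    for _arg in "$@"; do
        case "$_arg" in
            --can-sign|--can-authenticate) _sign_auth=1; _caps=1 ;;
            --can-certify) _caps=1 ;;
            --can-encrypt=transport|--can-encrypt=storage|--can-encrypt=universal)
                _encrypt=1; _caps=1 ;;
            --cert=?*|--cert-file=?*) _certs=$((_certs + 1)) ;;
            --cipher-suite=rsa3k|--cipher-suite=rsa4k|--cipher-suite=cv25519) ;;
            --expiration=*)
                valid_expiration "${_arg#--expiration=}" || {
                    echo "bad expiration: $_arg" >&2; return 2; } ;;
            --with-password|--binary|--output=?*) ;;
            *) echo "unknown or malformed argument: $_arg" >&2; return 2 ;;
        esac
    done
    if [ "$_encrypt" -eq 1 ] && [ "$_sign_auth" -eq 1 ]; then
        echo "encryption must not be combined with signing/authentication" >&2
        return 3
    fi
    # Policy of this example: name the capability and exactly one certificate.
    [ "$_caps" -eq 1 ] || { echo "no capability requested" >&2; return 3; }
    [ "$_certs" -eq 1 ] || { echo "need exactly one --cert or --cert-file" >&2; return 3; }
    return 0
}

# Usage: check_subkey_args "$@" && sq key subkey add "$@"
```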

See Also

sq(1), sq-key(1), sq-key-subkey(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

0.37.0 (sequoia-openpgp 1.21.1)

Referenced By

sq-key-subkey(1).

0.37.0 Sequoia PGP