sq key - Manage keys

       Manage keys.

       We  use  the  term  "key"  to  refer  to  OpenPGP keys that do contain secrets.  This subcommand provides
       primitives to generate and otherwise manipulate keys.

       Conversely, we use the term "certificate", or "cert" for short, to refer to  OpenPGP  keys  that  do  not
       contain secrets.  See `sq cert` for operations on certificates.

sqkeylist
       List the keys managed by the keystore server.

              sq key list

       List the keys managed by the keystore server with a user ID in example.org.

              sq key list --cert-domain=example.org

   sqkeygenerate
       Generate a key, and save it on the key store.

              sq key generate --own-key --name Alice --email \
                     alice@example.org

       Generate a key, and save it in a file instead of in the key store.

              sq key generate --own-key --name Alice --email \
                     alice@example.org --output alice-priv.pgp --rev-cert \
                     alice-priv.rev

   sqkeyrotate
       Rotates Alice's certificate.

              sq key rotate --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0

   sqkeyimport
       Import the keys into the key store.

              sq key import alice-secret.pgp

   sqkeyexport
       Export Alice's certificate with all available secret key material.

              sq key export --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Export Alice's certificate with all available secret key material identified by email address.

              sq key export --cert-email alice@example.orgsqkeydelete
       Delete any secret key associated with Alice's certificate.

              sq key delete --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Delete any secret key associated with Alice's certificate selected by user ID.

              sq key delete --cert-email=alice@example.orgsqkeypassword
       Change the password for all of Alice's keys to the password in the specified file.

              sq key password --new-password-file password-file.txt --cert \
                     EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Clear the password protection for all of Alice's keys.

              sq key password --password-file password-file.txt \
                     --clear-password --cert \
                     EB28F26E2739A4870ECC47726F0073F60FD0CBF0

   sqkeyexpire
       Change Alice's certificate to expire in a year.

              sq key expire --expiration 1y --cert \
                     EB28F26E2739A4870ECC47726F0073F60FD0CBF0

       Change Alice's certificate to never expire.

              sq key expire --expiration never --cert \
                     EB28F26E2739A4870ECC47726F0073F60FD0CBF0

   sqkeyrevoke
       Revoke Alice's key, indicating that there is a new certificate.

              sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --reason superseded --message \
                     "My new cert is C5999E8191BF7B503653BE958B1F7910D01F86E5"

       Revoke the key, indicating that the secret key material was compromised.

              sq key revoke --cert EB28F26E2739A4870ECC47726F0073F60FD0CBF0 \
                     --reason compromised --message \
                     "Computer attacked, secret key material compromised"

       sq key - Manage keys

sq(1),  sq-key-list(1),   sq-key-generate(1),   sq-key-rotate(1),   sq-key-import(1),   sq-key-export(1),
       sq-key-delete(1),     sq-key-password(1),     sq-key-expire(1),    sq-key-revoke(1),    sq-key-userid(1),
       sq-key-subkey(1), sq-key-approvals(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

sqkeylist
       List keys managed by the key store.

   sqkeygenerate
       Generate a new key.

       Generating  a key is the prerequisite to receiving encrypted messages and creating signatures.  There are
       a few parameters to this process, but we provide reasonable defaults for most users.

       When generating a key, we also generate an emergency revocation certificate. This can be used in case the
       key is lost or compromised.  It is saved alongside the key.  This can be changed using  the  `--rev-cert`
       argument.

       By default a key expires after 3 years.  This can be changed using the `--expiration` argument.

       `sq  key  generate`  respects  the  reference  time  set by the top-level `--time` argument.  It sets the
       creation time of the primary key, any subkeys, and the binding signatures to the reference time.

   sqkeyrotate
       Rotate a certificate.

       Generates a new certificate to replace an existing one.

       The new certificate will have the same capabilities as the old certificate.  This can be overridden using
       the `--can-sign`, `--cannot-sign`, etc., arguments.  Note: the new certificate may have a different shape
       from the old certificate.  For instance,  if  the  old  certificate's  primary  key  is  marked  as  both
       certification  and  signing capable, the new certificate's primary key will be certification capable, and
       it will have a signing subkey.

       By default the certificate expires after 3 years.  This can be changed using the `--expiration` argument.

       The new certificate will have the same self-signed user IDs as the old certificate.  Revoked user IDs are
       ignored.

       The new certificate and the old certificate will  cross  certify  each  other  as  unconstrained  trusted
       introducers.

       The  new certificate will be linked in the same way as the old certificate.  This can be overridden using
       the `--own-key`, or the `--shared-key` argument.

       The new certificate will certify the same  certificates  as  the  old  certificate.   That  is,  the  old
       certificate's certifications will be replayed.  See `sq pki vouch replay` for more information.

       A  revocation  certificate  indicating  that the old certificate is retired, and that the new certificate
       should be instead used will be issued.  By default, it will go into effect in  182  days.   This  can  be
       changed or suppressed using the `--retire-in` argument.

       When  using  `--output`, the new certificate as well as all of the other updated certificates are written
       to the specified file.

       Stable since 1.2.0.

   sqkeyimport
       Import keys into the key store.

   sqkeyexport
       Export keys from the key store.

       Exports the secret key material associated with a certificate.  Note that even if secret key material  is
       available,  it  may  not  be exportable.  For instance, secret key material stored on a hardware security
       module usually cannot be exported from the device.

       Iterate over all of the specified certificates and export any keys (primary key and subkeys) with  secret
       key  material.   An  error  is  returned  if  any  specified  certificate does not contain any secret key
       material.

       If you only want to export a particular key and not all keys associate with a certificate,  use  `sq  key
       subkey export`.

   sqkeydelete
       Delete a certificate's secret key material.

   sqkeypassword
       Change the password protecting secret key material.

       Secret key material can be protected by a password.  This subcommand changes or clears the password.

       To  strip  the  password  either use `--clear` or supply a zero-length password when prompted for the new
       password.

       If a key is password protected, and the correct password was not  supplied  using  the  `--password-file`
       argument,  the user is prompted for the password.  Likewise, if the new password isn't provided, the user
       is prompted.

   sqkeyexpire
       Change a certificate's expiration time.

       This subcommand changes a certificate's expiration time.  To change the expiration time of an  individual
       subkey, use the `sq key subkey expire` subcommand.

   sqkeyrevoke
       Revoke a certificate.

       Creates a revocation certificate for a certificate.

       If  `--revoker`  or  `--revoker-file`  is  provided,  then  that  key  is  used  to create the revocation
       certificate.  If that key is different from the certificate that is being  revoked,  this  results  in  a
       third-party  revocation.  This is normally only useful if the owner of the certificate designated the key
       to be a designated revoker.

       `sq key revoke` respects the reference time set by the top-level `--time` argument.  When  set,  it  uses
       the  specified  time  instead  of  the current time when determining what keys are valid, and it sets the
       revocation certificate's creation time to the reference time instead of the current time.

   sqkeyuserid
       Manage User IDs.

       Add User IDs to a key, or revoke them.

   sqkeysubkey
       Manage subkeys.

       Add new subkeys to an existing certificate, change their expiration, and revoke them.

   sqkeyapprovals
       Manages certification approvals.

       Key holders may approve of third-party certifications associated with their certificate.  This subcommand
       manages the approvals.

       To prevent certificate  flooding  attacks,  modern  key  servers  prevent  uncontrolled  distribution  of
       third-party  certifications  on  certificates.   To  allow  the key holder to control what information is
       distributed with their certificate, these key servers only distribute third-party certifications that the
       key holder has explicitly approved.

sqkeylist [OPTIONS] FINGERPRINT|KEYID|PATTERNsqkeygenerate [OPTIONS]
       sqkeyrotate [OPTIONS]
       sqkeyimport [OPTIONS] KEY_FILEsqkeyexport [OPTIONS]
       sqkeydelete [OPTIONS]
       sqkeypassword [OPTIONS]
       sqkeyexpire [OPTIONS]
       sqkeyrevoke [OPTIONS]
       sqkeyuserid [OPTIONS]  SUBCOMMANDsqkeysubkey [OPTIONS]  SUBCOMMANDsqkeyapprovals [OPTIONS]  SUBCOMMAND

       1.2.0 (sequoia-openpgp 1.22.0)

Sequoia PGP                                           1.2.0                                                SQ(1)