sq-key-generate - Man Page

Generate a new key

Synopsis

sq key generate [Options]  

Description

Generate a new key.

Generating a key is the prerequisite to receiving encrypted messages and creating signatures.  There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate an emergency revocation certificate. This can be used in case the key is lost or compromised.  It is saved alongside the key.  This can be changed using the `--rev-cert` argument.

By default a key expires after 3 years.  This can be changed using the `--expiration` argument.

`sq key generate` respects the reference time set by the top-level `--time` argument.  It sets the creation time of the primary key, any subkeys, and the binding signatures to the reference time.

Options

Subcommand options

--allow-non-canonical-userids

Don't reject user IDs that are not in canonical form

Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

--can-authenticate

Add an authentication-capable subkey (default)

--can-encrypt=PURPOSE

Add an encryption-capable subkey [default: universal]

Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal.

[possible values: transport, storage, universal]

--can-sign

Add a signing-capable subkey (default)

--cannot-authenticate

Don't add an authentication-capable subkey

--cannot-encrypt

Don't add an encryption-capable subkey

--cannot-sign

Don't add a signing-capable subkey

--cipher-suite=CIPHER-SUITE

Select the cryptographic algorithms for the key

The default can be changed in the configuration file using the setting `key.generate.cipher-suite`.

[default: cv25519]

[possible values: rsa2k, rsa3k, rsa4k, cv25519]

--email=ADDRESS

Add an email address as user ID to the key

--expiration=EXPIRATION

Sets the expiration time

EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration.  A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

[default: 3y]

--name=NAME

Add a name as user ID to the key

--new-password-file=PASSWORD_FILE

File containing password to encrypt the secret key material

Note that the entire file will be used as the password, including any surrounding whitespace such as a trailing newline.

--no-userids

Create a key without any user IDs

--output=FILE

Write the key to the specified file

When not specified, the key is saved on the key store.

--own-key

Mark the key as one's own key

The newly generated key with all of its user IDs will be marked as authenticated and as a fully trusted introducer.

--profile=PROFILE

Select the OpenPGP standard for the key

As OpenPGP evolves, new versions will become available.  This option selects the version of OpenPGP to use for the newly generated key.

Currently, sq supports only one version, RFC4880, so that is the default.  A newer version of the standard, RFC9580, already exists, and the default will change in a future version of sq.

The default can be changed in the configuration file using the setting `key.generate.profile`.

[default: rfc4880]

[possible values: rfc4880]

--rev-cert=FILE

Write the emergency revocation certificate to FILE

When the key is stored on the key store, the revocation certificate is stored in $HOME/.local/share/sequoia/revocation-certificates by default.

When `--output` is specified, the revocation certificate is written to the file specified by `--rev-cert`.

If `--output` is `-`, then this option must not also be `-`.

--shared-key

Mark the key as a shared key

The newly generated key with all of its user IDs will be marked as authenticated, but not as a trusted introducer.  Further, the key metadata will indicate that this is a shared key.

Use this option if you plan to share this key with other people.  Normally, you shouldn't share key material.  An example of where you might want to do this is a shared mailbox.

--userid=USERID

Add a user ID to the key

This user ID can combine name and email address, can optionally contain a comment, or even be free-form if `--allow-non-canonical-userids` is given.  However, user IDs that include different information such as name and email address are more difficult to reason about, so using distinct user IDs for name and email address is preferred nowadays.

When in doubt, prefer `--name` and `--email`.

--without-password

Don't protect the secret key material with a password

Global options

See sq(1) for a description of the global options.

Examples

Generate a key, and save it on the key store.

    sq key generate --own-key --name Alice --email \
    alice@example.org

Generate a key, and save it in a file instead of in the key store.

    sq key generate --own-key --name Alice --email \
    alice@example.org --output alice-priv.pgp --rev-cert \
    alice-priv.rev
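The following added example is not part of this man page or of the Sequoia project.  It wraps `sq key generate` in a small POSIX shell script that checks its inputs against the formats described under `--expiration` and `--allow-non-canonical-userids`, writes a `--new-password-file` without a trailing newline (the whole file, newline included, would otherwise become the password), and then runs sq when it is installed.  The file names, the password and the regular expressions are assumptions made for the example: the regular expressions approximate the documented forms and do not reproduce sq's own parsers.

```shell
#!/bin/sh
# Added example, not part of the sq man page or the Sequoia project: a wrapper
# around `sq key generate` that checks its inputs against the formats documented
# in the man page before calling sq. All names, paths and the password are
# constructed for this example.

# Return 0 if $1 is a valid EXPIRATION: the keyword "never", a duration of the
# form N[ymwds], or an ISO 8601 date with an optional time.
# Assumption: the date/time regex is an approximation of what sq accepts.
valid_expiration() {
    case "$1" in
        never) return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9]+[ymwds]$'; then
        return 0
    fi
    if printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-[0-9]{2}-[0-9]{2}([T ][0-9]{2}:[0-9]{2}(:[0-9]{2})?(Z|[+-][0-9]{2}:[0-9]{2})?)?$'
    then
        return 0
    fi
    return 1
}

# Return 0 if $1 has the canonical shape Name (Comment) <localpart@example.org>,
# with the name and the comment optional. Assumption: this is an approximation
# of sq's own check written for this example; it always requires the
# angle-bracketed address, so a bare "alice@example.org" is rejected.
canonical_userid() {
    printf '%s\n' "$1" | grep -Eq '^([^<>()@]+ )?(\([^()]*\) )?<[^<> @]+@[^<> @]+>$'
}

# Write password $2 to file $1 with no trailing newline and mode 0600.
# printf '%s' is used instead of echo because --new-password-file uses the
# entire file as the password, including any trailing newline.
write_password_file() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Print the size of file $1 in bytes, to confirm that no newline was appended.
file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Generate a password-protected key for NAME/EMAIL with the given EXPIRATION,
# saving the key and its revocation certificate next to each other under
# BASENAME, then show the result with `sq inspect`.
# Arguments: NAME EMAIL EXPIRATION PASSWORD_FILE BASENAME
generate_key() {
    valid_expiration "$3" || { echo "invalid --expiration value: $3" >&2; return 2; }
    if ! command -v sq >/dev/null 2>&1; then
        echo "sq is not installed; skipping key generation" >&2
        return 3
    fi
    sq key generate --own-key --name "$1" --email "$2" \
        --expiration "$3" --new-password-file "$4" \
        --output "$5-priv.pgp" --rev-cert "$5-priv.rev" \
    && sq inspect "$5-priv.pgp"
}

# Demonstration with constructed inputs in a throwaway directory.
tmp=$(mktemp -d)
write_password_file "$tmp/pw" 'correct horse battery staple'
echo "password file holds $(file_bytes "$tmp/pw") bytes"   # 28: no newline added
generate_key Alice alice@example.org 3y "$tmp/pw" "$tmp/alice" || true
```

`canonical_userid` is only needed when composing a `--userid` value by hand; with `--name` and `--email`, as used in `generate_key`, sq builds canonical user IDs itself.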

See Also

sq(1), sq-key(1).

For the full documentation see <https://book.sequoia-pgp.org>.

Version

1.0.0 (sequoia-openpgp 1.22.0)

Referenced By

sq-key(1).
