sq-key-subkey-add - Man Page
Add a new subkey to a certificate
Synopsis
sq key subkey add [Options]
Description
Add a new subkey to a certificate.
A subkey has one or more capabilities.
`--can-sign` sets the signing capability, and means that the key may be used for signing. `--can-authenticate` sets the authentication capability, and means that the key may be used for authentication (e.g., as an SSH key). `--can-certify` sets the certificate capability, and means that the key may be used to make third-party certifications. These capabilities may be combined.
`--can-encrypt=storage` sets the storage encryption capability, and means that the key may be used for storage encryption. `--can-encrypt=transport` sets the transport encryption capability, and means that the key may be used for transport encryption. `--can-encrypt=universal` sets both the storage and the transport encryption capability, and means that the key may be used for both storage and transport encryption. The encryption capabilities must not be combined with the signing or authentication capability.
Normally, `sq` prompts the user for a password to use to encrypt the secret key material. The password for the new subkey may be different from the other keys. When using `--without-password`, `sq` doesn't prompt for a password, and doesn't password-protect the subkey.
By default a new subkey doesn't expire on its own. However, its validity period is limited by that of the certificate. Using the `--expiration` argument allows setting a different expiration time.
`sq key subkey add` respects the reference time set by the top-level `--time` argument. It sets the creation time of the subkey to the specified time.
Options
Subcommand options
- --can-authenticate
Add an authentication-capable subkey
- --can-encrypt=PURPOSE
Add an encryption-capable subkey [default: universal]
Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal.
[possible values: transport, storage, universal]
- --can-sign
Add a signing-capable subkey
- --cert=FINGERPRINT|KEYID
Add a subkey to the key with the specified fingerprint or key ID
- --cert-email=EMAIL
Add a subkey to the key where a user ID includes the specified email address
- --cert-file=PATH
Add a subkey to the key read from PATH
- --cert-userid=USERID
Add a subkey to the key with the specified user ID
- --cipher-suite=CIPHER-SUITE
Select the cryptographic algorithms for the subkey
The default can be changed in the configuration file using the setting `key.generate.cipher-suite`.
[default: cv25519]
[possible values: rsa2k, rsa3k, rsa4k, cv25519]
- --expiration=EXPIRATION
Sets the expiration time
EXPIRATION is either an ISO 8601 formatted date with an optional time or a custom duration. A duration takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.
[default: never]
- --new-password-file=PASSWORD_FILE
File containing password to encrypt the secret key material
Note that the entire key file will be used as the password including any surrounding whitespace like a trailing newline.
- --output=FILE
Write to the specified FILE
If not specified, and the certificate was read from the certificate store, imports the modified certificate into the key store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout.
- --without-password
Don't protect the subkey's secret key material with a password
Global options
See sq(1) for a description of the global options.
Examples
Add a new signing-capable subkey to Alice's key.
sq key subkey add --can-sign \
--cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0See Also
sq(1), sq-key(1), sq-key-subkey(1).
For the full documentation see <https://book.sequoia-pgp.org>.
Version
1.0.0 (sequoia-openpgp 1.22.0)