sq-key-subkey-add - Man Page
Add a new subkey to a certificate
Synopsis
sq key subkey add [Options]
Description
Add a new subkey to a certificate.
A subkey has one or more capabilities.
`--can-sign` sets the signing capability, and means that the key may be used for signing. `--can-authenticate` sets the authentication capability, and means that the key may be used for authentication (e.g., as an SSH key). `--can-certify` sets the certificate capability, and means that the key may be used to make third-party certifications. These capabilities may be combined.
`--can-encrypt=storage` sets the storage encryption capability, and means that the key may be used for storage encryption. `--can-encrypt=transport` sets the transport encryption capability, and means that the key may be used for transport encryption. `--can-encrypt=universal` sets both the storage and the transport encryption capability, and means that the key may be used for both storage and transport encryption. The encryption capabilities must not be combined with the signing or authentication capability.
Normally, `sq` prompts the user for a password to use to encrypt the secret key material. The password for the new subkey may be different from the other keys. When using `--without-password`, `sq` doesn't prompt for a password, and doesn't password-protect the subkey.
By default a new subkey doesn't expire on its own. However, its validity period is limited by that of the certificate. Using the `--expiration` argument allows setting a different expiration time.
`sq key subkey add` respects the reference time set by the top-level `--time` argument. It sets the creation time of the subkey to the specified time.
Options
Subcommand options
- --binary
Emit binary data
- --can-authenticate
Add an authentication-capable subkey
- --can-encrypt=PURPOSE
Add an encryption-capable subkey.
Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both, i.e., universal. [default: universal]
[possible values: transport, storage, universal]
- --can-sign
Add a signing-capable subkey
- --cert=FINGERPRINT|KEYID
Add a subkey to the specified certificate
- --cert-file=CERT_FILE
Add a subkey to the specified certificate
- --cipher-suite=CIPHER-SUITE
Select the cryptographic algorithms for the subkey
[default: cv25519]
[possible values: rsa2k, rsa3k, rsa4k, cv25519]
- --expiration=EXPIRATION
Sets the key's expiration time.
EXPIRATION is either an ISO 8601 formatted string or a custom duration, which takes the form `N[ymwds]`, where the letters stand for years, months, weeks, days, and seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.
When using an ISO 8601 formatted string, the validity period is from the key's creation time to the specified time. When using a duration, the validity period is from the key's creation time for the specified duration.
[default: never]
- --new-password-file=PASSWORD_FILE
File containing password to encrypt the secret key material.
Note that the entire key file will be used as the password including any surrounding whitespace like a trailing newline.
- --output=FILE
Write to the specified FILE.
If not specified, and the certificate was read from the certificate store, imports the modified certificate into the key store. If not specified, and the certificate was read from a file, writes the modified certificate to stdout.
- --without-password
Don't protect the subkey's secret key material with a password
Global options
See sq(1) for a description of the global options.
Examples
Add a new signing-capable subkey to Alice's key.
sq key subkey add --without-password --can-sign --cert \ EB28F26E2739A4870ECC47726F0073F60FD0CBF0
See Also
sq(1), sq-key(1), sq-key-subkey(1).
For the full documentation see <https://book.sequoia-pgp.org>.
Version
0.38.0 (sequoia-openpgp 1.21.2)