sq-toolbox - Man Page

Manage collections of keys or certs.

Collections of keys or certificates (also known as "keyrings" when they contain secret key material, and "certrings" when they don't) are any number of concatenated certificates.  This subcommand provides tools to list, split, merge, and filter keyrings.

Note: In the documentation of this subcommand, we sometimes use the terms keys and certs interchangeably.

Convert a key to a cert.

After generating a key, use this command to get the certificate corresponding to the key.  The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a key server.

Strip a user ID.

Note that this operation does not reliably remove User IDs from a certificate that has already been disseminated! (OpenPGP software typically appends new information it receives about a certificate to its local copy of that certificate.  Systems that have obtained a copy of your certificate with the User ID that you are trying to strip will not drop that User ID from their copy.)

In most cases, you will want to use the 'sq key userid revoke' operation instead.  That issues a revocation for a User ID, which can be used to mark the User ID as invalidated.

However, this operation can be useful in very specific cases, in particular: to remove a mistakenly added User ID before it has been uploaded to key servers or otherwise shared.

Stripping a User ID may change how a certificate is interpreted.  This is because information about the certificate like algorithm preferences, the primary key's key flags, etc. is stored in the User ID's binding signature.

Low-level packet manipulation.

An OpenPGP data stream consists of packets.  These tools allow working with packet streams.  They are mostly of interest to developers, but `sq toolbox packet dump` may be helpful to a wider audience both to provide valuable information in bug reports to OpenPGP-related software, and as a learning tool.

Convert binary to ASCII.

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor.  sq emits armored data by default, but this subcommand can be used to convert existing OpenPGP data to its ASCII-encoded representation.

The converse operation is `sq toolbox dearmor`.

Convert ASCII to binary.

To make encrypted data easier to handle and transport, OpenPGP data can be transformed to an ASCII representation called ASCII Armor.  sq transparently handles armored data, but this subcommand can be used to explicitly convert existing ASCII-encoded OpenPGP data to its binary representation.

The converse operation is `sq toolbox armor`.

Extract Alice's cert from her secret key material.

    sq toolbox extract-cert alice-secret.pgp

Strip a User ID from a cert in the cert store.

    sq toolbox strip-userid --cert \
    EB28F26E2739A4870ECC47726F0073F60FD0CBF0 --userid \

Convert a binary OpenPGP message to an ASCII armored OpenPGP message.

    sq toolbox armor message.bin

Convert a binary OpenPGP message to an ASCII armored OpenPGP message explicitly choosing the armor label.

    sq toolbox armor --label=message message.bin

Convert an ASCII armored OpenPGP message to a binary OpenPGP message.

    sq toolbox dearmor --output=message.bin message.pgp