Provided by: sq_1.2.0-1_amd64

NAME

       sq key generate - Generate a new key

SYNOPSIS

       sq key generate [OPTIONS]

DESCRIPTION

       Generate a new key.

       Generating  a key is the prerequisite to receiving encrypted messages and creating signatures.  There are
       a few parameters to this process, but we provide reasonable defaults for most users.

       When generating a key, we also generate an emergency revocation certificate, which can be used if the
       key is lost or compromised.  By default it is saved alongside the key; the location can be changed
       using the `--rev-cert` argument.

       By default a key expires after 3 years.  This can be changed using the `--expiration` argument.

       `sq  key  generate`  respects  the  reference  time  set by the top-level `--time` argument.  It sets the
       creation time of the primary key, any subkeys, and the binding signatures to the reference time.

OPTIONS

   Subcommand options
       --allow-non-canonical-userids
              Don't reject user IDs that are not in canonical form

              Canonical user IDs are of the form `Name (Comment) <localpart@example.org>`.

       --can-authenticate
              Add an authentication-capable subkey (default)

       --can-encrypt=PURPOSE
              Add an encryption-capable subkey [default: universal]

              Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption,
              or both, i.e., universal.

              [possible values: transport, storage, universal]

       --can-sign
              Add a signing-capable subkey (default)

       --cannot-authenticate
              Don't add an authentication-capable subkey

       --cannot-encrypt
              Don't add an encryption-capable subkey

       --cannot-sign
              Don't add a signing-capable subkey

       --cipher-suite=CIPHER-SUITE
              Select the cryptographic algorithms for the key

              The   default   can   be   changed   in    the    configuration    file    using    the    setting
              `key.generate.cipher-suite`.

              [default: cv25519]

              [possible values: rsa2k, rsa3k, rsa4k, cv25519]

       --email=ADDRESS
              Add an email address as user ID to the key

       --expiration=EXPIRATION
              Sets the expiration time

              EXPIRATION  is  either  an  ISO 8601 formatted date with an optional time or a custom duration.  A
              duration takes the form `N[ymwds]`, where the letters stand for years, months,  weeks,  days,  and
              seconds, respectively. Alternatively, the keyword `never` does not set an expiration time.

              [default: 3y]

       --name=NAME
              Add a name as user ID to the key

       --new-password-file=PASSWORD_FILE
              File containing password to encrypt the secret key material

              Note that the entire contents of the file are used as the password, including any surrounding
              whitespace such as a trailing newline.

       --no-userids
              Create a key without any user IDs

       --output=FILE
              Write the key to the specified file

              When not specified, the key is saved on the key store.

       --own-key
              Mark the key as one's own key

              The newly generated key with all of its user IDs will be marked as authenticated and  as  a  fully
              trusted introducer.

       --profile=PROFILE
              Select the OpenPGP standard for the key

              As  OpenPGP  evolves,  new  versions  will  become  available.  This option selects the version of
              OpenPGP to use for the newly generated key.

              Currently, sq supports only one version: RFC4880.  Consequently, this is the default.  However,
              there is already a newer version of the standard, RFC9580, and the default will change in a
              future version of sq.

              The default can be changed in the configuration file using the setting `key.generate.profile`.

              [default: rfc4880]

              [possible values: rfc4880]

       --rev-cert=FILE
              Write the emergency revocation certificate to FILE

              When  the  key  is  stored  on  the  key  store,  the  revocation   certificate   is   stored   in
              $HOME/.local/share/sequoia/revocation-certificates by default.

              When  `--output`  is  specified,  the  revocation  certificate is written to the file specified by
              `--rev-cert`.

              If `--output` is `-`, then this option must not also be `-`.

       --shared-key
              Mark the key as a shared key

              The newly generated key with all of its user IDs will be marked as authenticated,  but  not  as  a
              trusted introducer.  Further, the key metadata will indicate that this is a shared key.

              Use  this  option  if you plan to share this key with other people.  Normally, you shouldn't share
              key material.  An example of where you might want to do this is a shared mailbox.

       --userid=USERID
              Add a user ID to the key

              This user ID can combine name and email address, can optionally contain  a  comment,  or  even  be
              free-form  if  `--allow-non-canonical-userids` is given.  However, user IDs that include different
              information such as name and email address are more difficult to reason about, so  using  distinct
              user IDs for name and email address is preferred nowadays.

              When in doubt, prefer `--name` and `--email`.

       --without-password
              Don't protect the secret key material with a password

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Generate a key, and save it on the key store.

              sq key generate --own-key --name Alice --email \
                     alice@example.org

       Generate a key, and save it in a file instead of in the key store.

              sq key generate --own-key --name Alice --email \
                     alice@example.org --output alice-priv.pgp --rev-cert \
                     alice-priv.rev
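
       Added example, not part of the sq manual: a non-interactive variant of the file-output example that
       protects the secret key with `--new-password-file` and guards against the trailing-newline pitfall
       noted under that option. The helper names, file names and the refuse-on-newline policy are
       assumptions; only options documented on this page are passed to sq.

```shell
#!/bin/sh
# Added example: helper names and file paths are hypothetical.

# Write a password to a file readable only by its owner, with no trailing
# newline.  sq uses the whole file as the password, so a file created with
# `echo` would silently make "\n" part of the password.
# $1 = destination file, $2 = password
write_password_file() {
    ( umask 077; printf '%s' "$2" > "$1" ) && chmod 600 "$1"
}

# Succeed if the file's last byte is a newline (0x0a).
ends_with_newline() {
    [ -s "$1" ] &&
        [ "$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Generate a password-protected key in a file with a 1-year expiration and
# write the revocation certificate to a separate file.
# $1 = name, $2 = email, $3 = password file, $4 = output directory
generate_key() {
    # Local policy (an assumption, not sq behaviour): refuse password files
    # whose trailing newline would become part of the password.
    if ends_with_newline "$3"; then
        echo "refusing: $3 ends with a newline that sq would use as part of the password" >&2
        return 1
    fi
    sq key generate --own-key \
        --name "$1" --email "$2" \
        --cipher-suite cv25519 \
        --expiration 1y \
        --new-password-file "$3" \
        --output "$4/alice-priv.pgp" \
        --rev-cert "$4/alice-priv.rev"
}

# Usage (requires sq to be installed):
#   write_password_file ./pw 'constructed example passphrase'
#   generate_key Alice alice@example.org ./pw .
```

       Store the revocation certificate somewhere other than next to the secret key, so that it is still
       available if the key file is lost.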

SEE ALSO

       sq(1), sq-key(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       1.2.0 (sequoia-openpgp 1.22.0)

Sequoia PGP                                           1.2.0                                                SQ(1)