SQ-KEY(1) USER COMMANDS SQ-KEY(1)

sq-key - Manages keys

We use the term "key" to refer to OpenPGP keys that do contain secrets. This subcommand provides primitives to generate and otherwise manipulate keys.

Conversely, we use the term "certificate", or cert for short, to refer to OpenPGP keys that do not contain secrets. See "sq keyring" for operations on certificates.

sq key [FLAGS] <SUBCOMMAND>

-h, --help - Prints help information

help - Prints this message or the help of the given subcommand(s)

generate - Generates a new key

Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place.

After generating a key, use "sq key extract-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.

extract-cert - Converts a key to a cert

After generating a key, use this command to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.
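Added example, not part of the sq documentation: a check to run before handing a file out, which confirms it is a certificate rather than a key by looking for Secret-Key and Secret-Subkey packets (RFC 4880 tags 5 and 7) instead of trusting the file name or armor label. The function names are made up for illustration, and the sample bytes are constructed packet headers with dummy bodies.

```python
import base64
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}  # RFC 4880 tags carrying secrets

def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data, decoding ASCII armor if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [l.strip() for l in data.strip().splitlines()]
    start = lines.index(b"") + 1          # a blank line ends the armor headers
    body = [l for l in lines[start:-1] if not l.startswith(b"=")]  # drop CRC24 line
    return base64.b64decode(b"".join(body))

def packet_tags(data: bytes):
    """Yield the tag of each top-level packet (old and new header formats)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"not an OpenPGP packet at offset {i}")
        i += 1
        if hdr & 0x40:                    # new-format header
            tag, partial = hdr & 0x3F, True
            while partial:                # follow partial-body chunks to the end
                b, partial = data[i], False
                if b < 192:
                    i += 1 + b
                elif b < 224:
                    i += 2 + ((b - 192) << 8) + data[i + 1] + 192
                elif b == 255:
                    i += 5 + int.from_bytes(data[i + 1:i + 5], "big")
                else:
                    i, partial = i + 1 + (1 << (b & 0x1F)), True
        else:                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                # indeterminate length: runs to end of input
                i = len(data)
            else:
                n = 1 << ltype
                i += n + int.from_bytes(data[i:i + n], "big")
        if i > len(data):
            raise ValueError("truncated packet")
        yield tag

def secret_packets(data: bytes) -> list:
    """Names of secret-key packets found; an empty list means a certificate."""
    return [SECRET_TAGS[t] for t in packet_tags(dearmor(data)) if t in SECRET_TAGS]

CERT = bytes([0xC6, 2, 0, 0, 0xCD, 1, 0x41, 0xCE, 2, 0, 0])  # constructed: public key, user ID, public subkey
KEY = bytes([0xC5, 2, 0, 0, 0xCD, 1, 0x41, 0x9C, 2, 0, 0])  # constructed: secret key, user ID, old-format secret subkey
```

A non-empty result from `secret_packets` means the file still contains secret key material and should not be uploaded or sent to correspondents.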

adopt - Binds keys from one certificate to another

This command allows one to transfer primary keys and subkeys into an existing certificate. Say you want to transition to a new certificate, but have an authentication subkey on your current certificate. You want to keep the authentication subkey because it allows access to SSH servers, and updating their configuration is not feasible.

attest-certifications - Attests to third-party certifications allowing for their distribution

To prevent certificate flooding attacks, modern key servers prevent uncontrolled distribution of third-party certifications on certificates. To give the key holder control over what information is distributed with the certificate, the key holder needs to explicitly attest to third-party certifications.

After the attestation has been created, the certificate has to be distributed, e.g. by uploading it to a keyserver.

For the full documentation see <https://docs.sequoia-pgp.org/sq/>.

sq(1), sq-armor(1), sq-autocrypt(1), sq-certify(1), sq-dearmor(1), sq-decrypt(1), sq-encrypt(1), sq-inspect(1), sq-key(1), sq-key-adopt(1), sq-key-attest-certifications(1), sq-key-extract-cert(1), sq-key-generate(1), sq-keyring(1), sq-keyring-filter(1), sq-keyring-join(1), sq-keyring-list(1), sq-keyring-merge(1), sq-keyring-split(1), sq-packet(1), sq-sign(1), sq-verify(1)

Azul <azul@sequoia-pgp.org>
Igor Matuszewski <igor@sequoia-pgp.org>
Justus Winter <justus@sequoia-pgp.org>
Kai Michaelis <kai@sequoia-pgp.org>
Neal H. Walfield <neal@sequoia-pgp.org>
Nora Widdecke <nora@sequoia-pgp.org>
Wiktor Kwapisiewicz <wiktor@sequoia-pgp.org>
JANUARY 2021 0.24.0 (SEQUOIA-OPENPGP 1.0.0)