sq-key-generate(1)

Generates a new key

Section 1 sq bookworm source


NAME

generate - Generates a new key

SYNOPSIS

generate [-u|--userid] [-c|--cipher-suite] [--with-password] [--creation-time] [--expires] [--expires-in] [--can-sign] [--cannot-sign] [--can-authenticate] [--cannot-authenticate] [--can-encrypt] [--cannot-encrypt] [-e|--export] [--rev-cert] [-h|--help]

DESCRIPTION

Generates a new key

Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.

When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place.

After generating a key, use "sq key extract-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.

OPTIONS

-u, --userid=EMAIL

Adds a userid to the key

-c, --cipher-suite=CIPHER-SUITE [default: cv25519] [possible values: rsa3k, rsa4k, cv25519]

Selects the cryptographic algorithms for the key

--with-password

Protects the key with a password

--creation-time=CREATION_TIME

Sets the key's creation time to TIME. TIME is interpreted as an ISO 8601 timestamp. To set the creation time to June 9, 2011 at midnight UTC, you can do:

$ sq key generate --creation-time 20110609 --export noam.pgp

To include a time, add a T, the time and optionally the timezone (the default timezone is UTC):

$ sq key generate --creation-time 20110609T1938+0200 --export noam.pgp

--expires=TIME

Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire.

--expires-in=DURATION

Makes the key expire after DURATION. Either "N[ymwds]", for N years, months, weeks, days, seconds, or "never".

--can-sign

Adds a signing-capable subkey (default)

--cannot-sign

Adds no signing-capable subkey

--can-authenticate

Adds an authentication-capable subkey (default)

--cannot-authenticate

Adds no authentication-capable subkey

--can-encrypt=PURPOSE [possible values: transport, storage, universal]

Adds an encryption-capable subkey. Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal]

--cannot-encrypt

Adds no encryption-capable subkey

-e, --export=OUTFILE

Writes the key to OUTFILE

--rev-cert=FILE or -

Writes the revocation certificate to FILE. This option is mandatory if OUTFILE is "-". [default: <OUTFILE>.rev]

-h, --help

Print help information

EXAMPLES

First, this generates a key

sq key generate --userid "<juliet@example.org>" --export juliet.key.pgp

Then, this extracts the certificate for distribution

sq key extract-cert --output juliet.cert.pgp juliet.key.pgp

Generates a key, protecting it with a password

sq key generate --userid "<juliet@example.org>" --with-password

Generates a key with multiple userids

sq key generate --userid "<juliet@example.org>" --userid "Juliet Capulet"
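
The following wrapper is an added example, not part of the sq documentation or the Sequoia project's code. It combines the options above into one procedure: the key and its revocation certificate are written with owner-only permissions, the --expires-in value is checked against the documented "N[ymwds]" or "never" form, and the certificate is extracted for distribution. The function names, the file layout and the SQ_DRY_RUN variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example: hypothetical wrapper around "sq key generate".
# valid_expires_in, new_key and SQ_DRY_RUN are names invented here.

# Accept only what --expires-in documents: "N[ymwds]" or "never".
valid_expires_in() {
    [ "$1" = never ] && return 0
    n=${1%[ymwds]}                  # strip one trailing unit letter
    [ "$n" != "$1" ] || return 1    # no unit letter at the end
    case "$n" in
        '' | *[!0-9]*) return 1 ;;  # N must be one or more digits
    esac
    return 0
}

# new_key EMAIL EXPIRES_IN DIR
# Writes DIR/EMAIL.key.pgp, DIR/EMAIL.key.pgp.rev and DIR/EMAIL.cert.pgp.
# With SQ_DRY_RUN set, the sq commands are printed instead of executed.
new_key() {
    email=$1 expires_in=$2 dir=$3
    run=${SQ_DRY_RUN:+echo}
    if ! valid_expires_in "$expires_in"; then
        echo "invalid duration: $expires_in" >&2
        return 2
    fi
    key="$dir/$email.key.pgp"
    if [ -e "$key" ]; then
        echo "refusing to overwrite $key" >&2
        return 3
    fi
    (
        # Secret key and revocation certificate: readable by the owner only.
        umask 077
        mkdir -p "$dir" || exit 1
        $run sq key generate --userid "<$email>" --with-password \
            --expires-in "$expires_in" \
            --export "$key" --rev-cert "$key.rev" &&
        # The certificate is the part that is handed to correspondents.
        $run sq key extract-cert --output "$dir/$email.cert.pgp" "$key"
    )
}

# Usage: new_key juliet@example.org 2y "$HOME/keys"
```

After a successful run, move the .rev file to separate offline storage so that it survives loss of the key itself.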

SEE ALSO

For the full documentation see <https://docs.sequoia-pgp.org/sq/>.

sq(1) sq-armor(1) sq-autocrypt(1) sq-certify(1) sq-dearmor(1) sq-decrypt(1) sq-encrypt(1) sq-inspect(1) sq-key(1) sq-key-adopt(1) sq-key-attest-certifications(1) sq-key-extract-cert(1) sq-key-password(1) sq-key-userid(1) sq-keyring(1) sq-keyserver(1) sq-packet(1) sq-revoke(1) sq-sign(1) sq-verify(1) sq-wkd(1)
