generate(1) | Sequoia Manual | generate(1) |
NAME
generate - Generates a new key
SYNOPSIS
generate [-u|--userid] [-c|--cipher-suite] [--with-password] [--creation-time] [--expires] [--expires-in] [--can-sign] [--cannot-sign] [--can-authenticate] [--cannot-authenticate] [--can-encrypt] [--cannot-encrypt] [-e|--export] [--rev-cert] [-h|--help]
DESCRIPTION
Generates a new key
Generating a key is the prerequisite to receiving encrypted messages and creating signatures. There are a few parameters to this process, but we provide reasonable defaults for most users.
When generating a key, we also generate a revocation certificate. This can be used in case the key is superseded, lost, or compromised. It is a good idea to keep a copy of this in a safe place.
After generating a key, use "sq key extract-cert" to get the certificate corresponding to the key. The key must be kept secure, while the certificate should be handed out to correspondents, e.g. by uploading it to a keyserver.
OPTIONS
- -u, --userid=EMAIL
- Adds a userid to the key
- -c, --cipher-suite=CIPHER-SUITE [default: cv25519] [possible values: rsa3k, rsa4k, cv25519]
- Selects the cryptographic algorithms for the key
- --with-password
- Protects the key with a password
- --creation-time=CREATION_TIME
- Sets the key's creation time to TIME. TIME is interpreted as an ISO 8601 timestamp. To set the creation time to June 9, 2011 at midnight UTC, you can do:
$ sq key generate --creation-time 20110609 --export noam.pgp
To include a time, add a T, the time and optionally the timezone (the default timezone is UTC):
$ sq key generate --creation-time 20110609T1938+0200 --export noam.pgp
- --expires=TIME
- Makes the key expire at TIME (as ISO 8601). Use "never" to create keys that do not expire.
- --expires-in=DURATION
- Makes the key expire after DURATION. Either "N[ymwds]", for N years, months, weeks, days, seconds, or "never".
- --can-sign
- Adds a signing-capable subkey (default)
- --cannot-sign
- Adds no signing-capable subkey
- --can-authenticate
- Adds an authentication-capable subkey (default)
- --cannot-authenticate
- Adds no authentication-capable subkey
- --can-encrypt=PURPOSE [possible values: transport, storage, universal]
- Adds an encryption-capable subkey. Encryption-capable subkeys can be marked as suitable for transport encryption, storage encryption, or both. [default: universal]
- --cannot-encrypt
- Adds no encryption-capable subkey
- -e, --export=OUTFILE
- Writes the key to OUTFILE
- --rev-cert=FILE or -
- Writes the revocation certificate to FILE. Mandatory if OUTFILE is "-". [default: <OUTFILE>.rev]
- -h, --help
- Print help information
EXAMPLES
First, this generates a key
sq key generate --userid "<juliet@example.org>" --export juliet.key.pgp
Then, this extracts the certificate for distribution
sq key extract-cert --output juliet.cert.pgp juliet.key.pgp
Generates a key, protecting it with a password
sq key generate --userid "<juliet@example.org>" --with-password
Generates a key with multiple userids
sq key generate --userid "<juliet@example.org>" --userid "Juliet Capulet"
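The steps from DESCRIPTION combined into one wrapper, as an added example that is not part of the sq manual: it creates the key under a restrictive umask, writes the revocation certificate to a separate directory, and extracts the certificate for distribution. The function name provision_key, the directory layout, the file names and the 2y default are assumptions; only options listed on this page are used.

```shell
#!/bin/sh
# Added example, not from the sq manual. Function name, directory layout
# and file names are assumptions; the sq options are those listed above.

# provision_key USERID KEYDIR REVDIR [EXPIRES_IN]
provision_key() {
    pk_userid=$1
    pk_key="$2/key.pgp"      # secret key material: must stay private
    pk_cert="$2/cert.pgp"    # public certificate: the file to hand out
    pk_rev="$3/key.rev"      # revocation certificate: store apart from the key
    pk_expires=${4:-2y}      # DURATION as N[ymwds]; 2y is an assumed default

    # Refuse to clobber existing key material.
    for pk_f in "$pk_key" "$pk_cert" "$pk_rev"; do
        if [ -e "$pk_f" ]; then
            echo "refusing to overwrite $pk_f" >&2
            return 1
        fi
    done

    (
        # Subshell, so the restrictive umask does not leak into the caller.
        # New files get at most mode 0600, new directories 0700.
        umask 077
        mkdir -p "$2" "$3" || exit 1
        sq key generate --userid "$pk_userid" --expires-in "$pk_expires" \
            --export "$pk_key" --rev-cert "$pk_rev" || exit 1
        sq key extract-cert --output "$pk_cert" "$pk_key" || exit 1
    ) || return 1

    # Only report success once all three outputs exist and are non-empty.
    for pk_f in "$pk_key" "$pk_cert" "$pk_rev"; do
        if [ ! -s "$pk_f" ]; then
            echo "missing or empty: $pk_f" >&2
            return 1
        fi
    done
    echo "distribute: $pk_cert" >&2
    echo "keep safe:  $pk_key $pk_rev" >&2
}

# Usage (paths are placeholders):
#   provision_key "<juliet@example.org>" "$HOME/keys/juliet" /mnt/offline/juliet
```

Anyone holding the revocation certificate can revoke the key, so the second directory should be as well protected as the first, just not the same place.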
SEE ALSO
For the full documentation see <https://docs.sequoia-pgp.org/sq/>.
sq(1) sq-armor(1) sq-autocrypt(1) sq-certify(1) sq-dearmor(1) sq-decrypt(1) sq-encrypt(1) sq-inspect(1) sq-key(1) sq-key-adopt(1) sq-key-attest-certifications(1) sq-key-extract-cert(1) sq-key-password(1) sq-key-userid(1) sq-keyring(1) sq-keyserver(1) sq-packet(1) sq-revoke(1) sq-sign(1) sq-verify(1) sq-wkd(1)
July 2022 | sq 0.26.0 |