NAME

       sq - A command-line frontend for Sequoia, an implementation of OpenPGP

       Functionality  is  grouped  and available using subcommands.  Currently, this interface is
       completely stateless.  Therefore, you need to supply all  configuration  and  certificates
       explicitly on each invocation.

       OpenPGP  data  can  be  provided  in  binary  or ASCII armored form.  This will be handled
       automatically.  Emitted OpenPGP data is ASCII armored by default.

       We use the term "certificate", or cert for short, to refer to OpenPGP  keys  that  do  not
       contain  secrets.   Conversely,  we  use  the  term "key" to refer to OpenPGP keys that do
       contain secrets.

SYNOPSIS

       sq [FLAGS] [OPTIONS] <SUBCOMMAND>

FLAGS

       -h, --help
              Prints help information

       -V, --version
              Prints version information

       -f, --force
              Overwrites existing files

OPTIONS

       --known-notation NOTATION
              Adds NOTATION to the  list  of  known  notations.  This  is  used  when  validating
              signatures.  Signatures  that  have unknown notations with the critical bit set are
              considered invalid.

SUBCOMMANDS

       help   Prints this message or the help of the given subcommand(s)

       decrypt
              Decrypts a message

              Decrypts a message using either supplied keys, or by prompting for a password.   If
              message tampering is detected, an error is returned.  See below for details.

              If  certificates are supplied using the "--signer-cert" option, any signatures that
              are found are checked using these certificates.  Verification is only successful if
              there  is  no  bad  signature,  and  the number of successfully verified signatures
              reaches the threshold configured with the "--signatures" parameter.

              If the signature verification fails, or  if  message  tampering  is  detected,  the
              program  terminates  with  an exit status indicating failure.  In addition to that,
              the last 25 MiB of the message are withheld, i.e. if the message is smaller than 25
              MiB, no output is produced, and if it is larger, then the output will be truncated.

              The converse operation is "sq encrypt".

       encrypt
              Encrypts a message

              Encrypts  a  message for any number of recipients and with any number of passwords,
              optionally signing the message in the process.

              The converse operation is "sq decrypt".

       sign   Signs messages or data files

              Creates signed messages or detached signatures.  Detached signatures are often used
              to sign software packages.

              The converse operation is "sq verify".

       verify Verifies signed messages or detached signatures

              When  verifying signed messages, the message is written to stdout or the file given
              to --output.

              When a detached message is verified, no output is  produced.   Detached  signatures
              are often used to sign software packages.

              Verification  is  only  successful  if there is no bad signature, and the number of
              successfully  verified  signatures  reaches  the  threshold  configured  with   the
              "--signatures"  parameter.   If the verification fails, the program terminates with
              an exit status indicating failure.  In addition to that, the last  25  MiB  of  the
              message  are  withheld,  i.e.  if  the message is smaller than 25 MiB, no output is
              produced, and if it is larger, then the output will be truncated.

              The converse operation is "sq sign".

       armor  Converts binary to ASCII

              To make encrypted data  easier  to  handle  and  transport,  OpenPGP  data  can  be
              transformed  to  an ASCII representation called ASCII Armor.  sq emits armored data
              by default, but this subcommand can be used to convert existing OpenPGP data to its
              ASCII-encoded representation.

              The converse operation is "sq dearmor".

       dearmor
              Converts ASCII to binary

              To  make  encrypted  data  easier  to  handle  and  transport,  OpenPGP data can be
              transformed to an  ASCII  representation  called  ASCII  Armor.   sq  transparently
              handles  armored  data,  but  this  subcommand  can  be  used to explicitly convert
              existing ASCII-encoded OpenPGP data to its binary representation.

              The converse operation is "sq armor".

       inspect
              Inspects data, like file(1)

              It is often difficult to tell from cursory inspection using cat(1) or file(1)  what
              kind  of OpenPGP one is looking at.  This subcommand inspects the data and provides
              a meaningful human-readable description of it.

       key    Manages keys

              We use the term "key" to refer to OpenPGP  keys  that  do  contain  secrets.   This
              subcommand provides primitives to generate and otherwise manipulate keys.

              Conversely,  we  use the term "certificate", or cert for short, to refer to OpenPGP
              keys that do not contain secrets.  See "sq keyring" for operations on certificates.

       keyring
              Manages collections of keys or certs

              Collections of keys or certficicates (also known as "keyrings"  when  they  contain
              secret   key  material,  and  "certrings"  when  they  don't)  are  any  number  of
              concatenated certificates.  This subcommand provides tools to  list,  split,  join,
              merge, and filter keyrings.

              Note:  In the documentation of this subcommand, we sometimes use the terms keys and
              certs interchangeably.

       certify
              Certifies a User ID for a Certificate

              Using a certification a keyholder may vouch for the fact that  another  certificate
              legitimately  belongs  to  a user id.  In the context of emails this means that the
              same entity controls the key and the email address.  These kind  of  certifications
              form the basis for the Web Of Trust.

              This  command  emits  the  certificate  with  the  new  certification.  The updated
              certificate has to be distributed, preferably by  sending  it  to  the  certificate
              holder for attestation.  See also "sq key attest-certification".

       packet Low-level packet manipulation

              An  OpenPGP data stream consists of packets.  These tools allow working with packet
              streams.  They are mostly of interest to developers, but "sq packet  dump"  may  be
              helpful  to a wider audience both to provide valuable information in bug reports to
              OpenPGP-related software, and as a learning tool.

       autocrypt
              Communicates certificates using Autocrypt

              Autocrypt is a standard for mail  user  agents  to  provide  convenient  end-to-end
              encryption  of  emails.   This  subcommand  provides  a  limited way to produce and
              consume headers that are used by  Autocrypt  to  communicate  certificates  between
              clients.

              See https://autocrypt.org/

SEE ALSO

       For the full documentation see <https://docs.sequoia-pgp.org/sq/>.

       sq(1), sq-armor(1), sq-autocrypt(1), sq-certify(1), sq-dearmor(1), sq-decrypt(1),
       sq-encrypt(1), sq-inspect(1), sq-key(1), sq-keyring(1), sq-packet(1), sq-sign(1),
       sq-verify(1)

AUTHORS

         Azul <azul@sequoia-pgp.org>
         Igor Matuszewski <igor@sequoia-pgp.org>
         Justus Winter <justus@sequoia-pgp.org>
         Kai Michaelis <kai@sequoia-pgp.org>
         Neal H. Walfield <neal@sequoia-pgp.org>
         Nora Widdecke <nora@sequoia-pgp.org>
         Wiktor Kwapisiewicz <wiktor@sequoia-pgp.org>