Provided by: sq_0.37.0-1_amd64

NAME

       sq key subkey add - Add a newly generated Subkey

SYNOPSIS

       sq key subkey add [OPTIONS] FILE

DESCRIPTION

       Add a newly generated Subkey.

       A subkey has one or more flags. `--can-sign` sets the signing flag, and means that the key may be used
       for signing. `--can-authenticate` sets the authentication flag, and means that the key may be used for
       authentication (e.g., as an SSH key). These two flags may be combined.

       `--can-encrypt=storage` sets the storage encryption flag, and means that the key may be used for storage
       encryption. `--can-encrypt=transport` sets the transport encryption flag, and means that the key may be
       used for transport encryption. `--can-encrypt=universal` sets both the storage and the transport
       encryption flags, and means that the key may be used for both storage and transport encryption. Only one
       of the encryption flags may be used, and it cannot be combined with the signing or authentication flag.

       At least one flag must be chosen.

       When using `--with-password`, `sq` prompts the user for a password, which is used to encrypt the subkey.
       The password for the subkey may be different from that of the primary key.

       Furthermore, the subkey may use one of several available cipher suites, which can be selected using
       `--cipher-suite`.

       By default a new subkey never expires. However, its validity period is limited by that of the primary key
       it is added to. The `--expiry` argument defines a specific validity period, given either as a point in
       time at which validity ends or as a validity duration.

       `sq key subkey add` respects the reference time set by the top-level `--time` argument. It sets the
       creation time of the subkey to the specified time.

OPTIONS

   Subcommand options
       -B, --binary
              Emit binary data

       -c, --cipher-suite=CIPHER-SUITE
              Select the cryptographic algorithms for the subkey

       --can-authenticate
              Add authentication capability to subkey

       --can-encrypt=PURPOSE
              Add an encryption capability to subkey. Encryption-capable subkeys can be marked as  suitable  for
              transport encryption, storage encryption, or both, i.e., universal. [default: universal]

       --can-sign
              Add signing capability to subkey

       --expiry=EXPIRY
              Define EXPIRY for the subkey as an ISO 8601 formatted string or a custom duration. If an ISO 8601
              formatted string is provided, the validity period runs from the reference time (may be set
              using `--time`) to the provided time. Custom durations starting from the reference time may be set
              using `N[ymwds]`, for N years, months, weeks, days, or seconds. The special keyword `never` sets
              an unlimited expiry.

       -o, --output=FILE
              Write to FILE or stdout if omitted

       --private-key-store=KEY_STORE
              Provide parameters for private key store

       --with-password
              Protect the subkey with a password

       FILE   Read from FILE or stdin if omitted

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       First, generate a key

              sq key generate --userid '<juliet@example.org>' \
                     --output juliet.key.pgp

       Add a new Subkey for universal encryption which expires at the same time as the primary key

              sq key subkey add --output juliet-new.key.pgp \
                     --can-encrypt universal juliet.key.pgp

       Add a new Subkey for signing using the rsa3k cipher suite which expires in five days

              sq key subkey add --output juliet-new.key.pgp --can-sign \
                     --expiry 5d --cipher-suite rsa3k juliet.key.pgp
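
       The flag and expiry rules from DESCRIPTION and OPTIONS as a pre-flight check for scripts that
       provision subkeys. This is an added example, not part of sq or its documentation; the function name
       subkey_opts, its argument convention and the YYYY-MM-DD shape check are assumptions.

```shell
# Added example, not part of sq: check a requested subkey against the rules
# in DESCRIPTION and print the matching `sq key subkey add` options.
# subkey_opts and its argument convention are hypothetical.
#   subkey_opts SIGN AUTH ENCRYPT [EXPIRY]
#   SIGN, AUTH: yes|no; ENCRYPT: none|storage|transport|universal
subkey_opts() {
    sign=$1 auth=$2 enc=$3 expiry=${4-}
    opts=

    case $sign in yes) opts="$opts --can-sign" ;; no) ;; *) return 2 ;; esac
    case $auth in yes) opts="$opts --can-authenticate" ;; no) ;; *) return 2 ;; esac
    case $enc in
        storage|transport|universal) opts="$opts --can-encrypt=$enc" ;;
        none) ;;
        *) echo "unknown encryption purpose: $enc" >&2; return 2 ;;
    esac

    # At least one flag must be chosen.
    if [ -z "$opts" ]; then
        echo "no capability selected" >&2; return 1
    fi
    # An encryption flag cannot be combined with signing or authentication.
    if [ "$enc" != none ] && { [ "$sign" = yes ] || [ "$auth" = yes ]; }; then
        echo "encryption cannot be combined with sign/authenticate" >&2
        return 1
    fi

    # EXPIRY: never, N[ymwds], or an ISO 8601 string. The date test is a
    # shape check on a YYYY-MM-DD prefix only (assumption); sq does the
    # real parsing.
    if [ -n "$expiry" ]; then
        if ! printf '%s\n' "$expiry" |
            grep -Eq '^(never|[0-9]+[ymwds]|[0-9]{4}-[0-9]{2}-[0-9]{2}([T ].*)?)$'
        then
            echo "unrecognised expiry: $expiry" >&2; return 1
        fi
        opts="$opts --expiry=$expiry"
    fi

    printf '%s\n' "${opts# }"
}

# Intended use (left unquoted on purpose so the options split into words):
#   sq key subkey add $(subkey_opts yes no none 5d) \
#          --output juliet-new.key.pgp juliet.key.pgp
```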

SEE ALSO

       sq(1), sq-key(1), sq-key-subkey(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.34.0 (sequoia-openpgp 1.19.0)