Provided by: sq_0.37.0-1_amd64

NAME

       sq key subkey - Manage Subkeys

SYNOPSIS

       sq key subkey add [OPTIONS] FILE
       sq key subkey revoke [OPTIONS] SUBKEY REASON MESSAGE

DESCRIPTION

       Manage Subkeys.

       Add new subkeys to an existing key.

SUBCOMMANDS

   sq key subkey add
       Add a newly generated Subkey.

       A subkey has one or more flags. `--can-sign` sets the signing flag, and means that the key
       may be used for signing. `--can-authenticate` sets the authentication flag, and means
       that the key may be used for authentication (e.g., as an SSH key). These two flags may be
       combined.

       `--can-encrypt=storage` sets the storage encryption flag, and means that the  key  may  be
       used for storage encryption. `--can-encrypt=transport` sets the transport encryption flag,
       and means that the key may be used for  transport  encryption.   `--can-encrypt=universal`
       sets  both  the  storage  and the transport encryption flag, and means that the key may be
       used for both storage and transport encryption. Only one of the encryption flags may be
       used, and it cannot be combined with the signing or authentication flag.

       At least one flag must be chosen.

       When using `--with-password`, `sq` prompts the user for a password that is used to
       encrypt the subkey. The password for the subkey may be different from that of the primary
       key.

       Furthermore, the subkey may use one of several available cipher suites, which can be
       selected using `--cipher-suite`.

       By default, a new subkey never expires. However, its validity period is limited by that of
       the primary key it is added for. A specific validity period may be defined with the
       `--expiry` argument, which accepts either a point in time at which validity ends or a
       validity duration.

       `sq key subkey add` respects the reference time set by the top-level `--time` argument. It
       sets the creation time of the subkey to the specified time.

   sq key subkey revoke
       Revoke a subkey.

       Creates a revocation certificate for a subkey.

       If `--revocation-file` is provided, then that key is used to  create  the  signature.   If
       that  key  is  different  from  the  certificate being revoked, this creates a third-party
       revocation.  This is normally only useful if the owner of the certificate  designated  the
       key to be a designated revoker.

       If   `--revocation-file`   is   not   provided,   then  the  certificate  must  include  a
       certification-capable key.

       `sq key subkey revoke` respects the reference time set by the top-level `--time` argument.
       When set, it uses the specified time instead of the current time when determining which
       keys are valid, and it sets the revocation certificate's creation time to the reference
       time instead of the current time.

EXAMPLES

   sq key subkey add
       First, generate a key

              sq key generate --userid '<juliet@example.org>' \
                     --output juliet.key.pgp

       Add  a  new  Subkey for universal encryption which expires at the same time as the primary
       key

              sq key subkey add --output juliet-new.key.pgp \
                     --can-encrypt universal juliet.key.pgp

       Add a new Subkey for signing using the rsa3k cipher suite which expires in five days

              sq key subkey add --output juliet-new.key.pgp --can-sign \
                     --expiry 5d --cipher-suite rsa3k juliet.key.pgp
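
       The flag rules from the description of `sq key subkey add`, enforced in a wrapper before
       `sq` is called. This is an added example, not part of the sq documentation; the function
       names `subkey_flags` and `add_subkey` are hypothetical.

```shell
# Added example (not from the sq project). subkey_flags and add_subkey are
# hypothetical helper names; only flags shown on this page are used.

# subkey_flags CAPS: print the sq flags for a comma-separated list drawn from
# sign, auth, storage, transport, universal. Returns 1 for a combination that
# the rules above do not allow.
subkey_flags() {
    sign=0 auth=0 enc=""
    old_ifs=$IFS; IFS=,
    for cap in $1; do
        case $cap in
            sign) sign=1 ;;
            auth) auth=1 ;;
            storage|transport|universal)
                # Only one of the encryption flags may be used.
                [ -z "$enc" ] || { IFS=$old_ifs; return 1; }
                enc=$cap ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    if [ -n "$enc" ]; then
        # Encryption cannot be combined with signing or authentication.
        [ "$sign$auth" = 00 ] || return 1
        printf '%s\n' "--can-encrypt $enc"
        return 0
    fi
    # At least one flag must be chosen.
    [ "$sign$auth" != 00 ] || return 1
    flags=""
    [ "$sign" = 1 ] && flags="--can-sign"
    [ "$auth" = 1 ] && flags="${flags:+$flags }--can-authenticate"
    printf '%s\n' "$flags"
}

# add_subkey IN OUT CAPS EXPIRY: validate CAPS, then add one subkey to IN.
add_subkey() {
    flags=$(subkey_flags "$3") || return 1
    # $flags is left unquoted on purpose: it holds separate arguments.
    sq key subkey add --output "$2" $flags --expiry "$4" "$1"
}
```

       Passing each call's output file as the next call's input keeps signing, authentication
       and encryption on separate subkeys of the same key.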

SEE ALSO

       sq(1), sq-key(1), sq-key-subkey-add(1), sq-key-subkey-revoke(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.34.0 (sequoia-openpgp 1.19.0)