Provided by: sq_0.40.0-1_amd64

NAME

       sq key subkey add - Add a new subkey to a certificate

SYNOPSIS

       sq key subkey add [OPTIONS]

DESCRIPTION

       Add a new subkey to a certificate.

       A subkey has one or more capabilities.

       `--can-sign` sets the signing capability, and means that the key may be used for signing.
       `--can-authenticate` sets the authentication capability, and means that the key may be
       used for authentication (e.g., as an SSH key).  `--can-certify` sets the certification
       capability, and means that the key may be used to make third-party certifications.  These
       capabilities may be combined.

       `--can-encrypt=storage` sets the storage encryption capability, and means that the key may
       be used for storage encryption. `--can-encrypt=transport` sets  the  transport  encryption
       capability,   and   means   that   the   key   may   be  used  for  transport  encryption.
       `--can-encrypt=universal` sets both the storage and the transport  encryption  capability,
       and  means  that  the  key  may  be  used  for both storage and transport encryption.  The
       encryption  capabilities  must  not  be  combined  with  the  signing  or   authentication
       capability.

       Normally, `sq` prompts the user for a password to use to encrypt the secret key material.
       The password for the new subkey may be different from that of the other keys.  When using
       `--without-password`, `sq` doesn't prompt for a password, and doesn't password-protect the
       subkey.

       By default a new subkey doesn't expire on  its  own.   However,  its  validity  period  is
       limited  by  that  of the certificate.  Using the `--expiration` argument allows setting a
       different expiration time.

       `sq key subkey add` respects the reference time set by the  top-level  `--time`  argument.
       It sets the creation time of the subkey to the specified time.

OPTIONS

   Subcommand options
       --can-authenticate
              Add an authentication-capable subkey

       --can-encrypt=PURPOSE
              Add an encryption-capable subkey.

              Encryption-capable  subkeys  can  be  marked  as suitable for transport encryption,
              storage encryption, or both, i.e., universal.  [default: universal]

              [possible values: transport, storage, universal]

       --can-sign
              Add a signing-capable subkey

       --cert=FINGERPRINT|KEYID
              Add a subkey to the key with the specified fingerprint or key ID

       --cert-email=EMAIL
              Add a subkey to the key where a user ID includes the specified email address

       --cert-file=PATH
              Add a subkey to the key read from PATH

       --cert-userid=USERID
              Add a subkey to the key with the specified user ID

       --cipher-suite=CIPHER-SUITE
              Select the cryptographic algorithms for the subkey

              [default: cv25519]

              [possible values: rsa2k, rsa3k, rsa4k, cv25519]

       --expiration=EXPIRATION
              Sets the expiration time.

              EXPIRATION is either an ISO 8601 formatted date with an optional time or  a  custom
              duration.  A duration takes the form `N[ymwds]`, where the letters stand for years,
              months, weeks, days, and seconds, respectively. Alternatively, the keyword  `never`
              does not set an expiration time.

              [default: never]

       --new-password-file=PASSWORD_FILE
              File containing password to encrypt the secret key material.

              Note that the entire contents of the file are used as the password, including any
              surrounding whitespace such as a trailing newline.

       --output=FILE
              Write to the specified FILE.

              If not specified, and the certificate was read from the certificate store,  imports
              the modified certificate into the key store.  If not specified, and the certificate
              was read from a file, writes the modified certificate to stdout.

       --without-password
              Don't protect the subkey's secret key material with a password

   Global options
       See sq(1) for a description of the global options.

EXAMPLES

       Add a new signing-capable subkey to Alice's key.

              sq key subkey add --without-password --can-sign \
                     --cert=EB28F26E2739A4870ECC47726F0073F60FD0CBF0
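
       Prepare and check a file for `--new-password-file` before adding a password-protected
       signing subkey.  This is an added example, not part of the sq documentation; the function
       names, the `1y` expiration, and the whitespace and permission checks are assumptions made
       for illustration.

```shell
#!/bin/sh
# Added example (not from the sq documentation). Function names are hypothetical.

# Write the first line of stdin to "$1" with mode 0600 and no line terminator,
# so the file holds exactly the password bytes and nothing else.
write_password_file() {
    (
        umask 077
        IFS= read -r pw || :
        [ -n "$pw" ] || exit 1
        rm -f -- "$1"            # recreate so the umask decides the mode
        printf '%s' "$pw" > "$1"
    )
}

# Last byte of "$1" as two hex digits (empty string for an empty file).
last_byte_hex() {
    tail -c 1 "$1" | od -An -tx1 | tr -d ' \n'
}

# Return 0 if "$1" looks safe to hand to sq; otherwise say why and return 1.
check_password_file() {
    rc=0
    [ -s "$1" ] || { echo "$1: missing or empty" >&2; return 1; }
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09)
            echo "$1: ends in whitespace, which becomes part of the password" >&2
            rc=1 ;;
    esac
    if [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "$1: readable by group or others" >&2
        rc=1
    fi
    return "$rc"
}

# Add a password-protected signing subkey that expires after one year.
# $1 = certificate fingerprint, $2 = password file.
add_signing_subkey() {
    check_password_file "$2" || return 1
    sq key subkey add --can-sign --expiration=1y \
        --cert="$1" --new-password-file="$2"
}
```

       A file written with `echo` or saved from an editor usually ends in a newline, so the
       same password typed at a prompt later will not match unless the newline is removed first.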

SEE ALSO

       sq(1), sq-key(1), sq-key-subkey(1).

       For the full documentation see <https://book.sequoia-pgp.org>.

VERSION

       0.40.0 (sequoia-openpgp 1.21.2)