sq key subkey bind - Bind keys from one certificate to another
sq key subkey bind [OPTIONS]
Bind keys from one certificate to another.
This command allows the user to attach a primary key or a subkey
attached to one certificate to another certificate. Say you want to
transition to a new certificate, but have an authentication subkey on your
current certificate that you want to keep because it allows access a server
and updating its configuration is not feasible. This command makes it easy
to attach the subkey to the new certificate.
After the operation, the key is bound both to the old certificate
and to the new one. To remove secret key material from the old certificate,
use `sq key subkey delete` or `sq key delete`, as appropriate. To revoke the
old subkey or key, use `sq key subkey revoke` or `sq key revoke`,
respectively.
- --allow-broken-crypto
- Allow adopting keys from certificates using broken cryptography
- --can-authenticate
- Set the authentication-capable flag
- --can-encrypt=PURPOSE
- Encryption-capable subkeys can be marked as suitable for transport
encryption, storage encryption, or both, i.e., universal. [default:
universal]
- [possible values: transport, storage, universal]
- --can-sign
- Set the signing-capable flag
- --cannot-authenticate
- Don't set the authentication-capable flag
- --cannot-encrypt
- Don't set the encryption-capable flag
- --cannot-sign
- Don't set the signing-capable flag
- --cert=FINGERPRINT|KEYID
- Add the specified subkeys on the key with the specified fingerprint or key
ID
- --cert-email=EMAIL
- Add the specified subkeys on the key where a user ID includes the
specified email address
- --cert-file=PATH
- Add the specified subkeys to the key read from PATH
- --cert-userid=USERID
- Add the specified subkeys on the key with the specified user ID
- --creation-time=CREATION_TIME
- Make bound subkeys have the specified creation time.
- Normally, the key's creation time is preserved. The exception is if the
key's creation time is the Unix epoch. In that case, the current time is
used.
- This option allows setting the key's creation time to a specified value.
Note: changing a key's creation time also changes its fingerprint.
Changing the fingerprint will make it impossible to look up the key for
the purpose of signature verification, for example.
- --expiration=EXPIRATION
- Sets the expiration time.
- EXPIRATION is either an ISO 8601 formatted date with an optional time or a
custom duration. A duration takes the form `N[ymwds]`, where the letters
stand for years, months, weeks, days, and seconds, respectively.
Alternatively, the keyword `never` does not set an expiration time.
- [default: never]
- --key=KEY
- Add the key or subkey KEY to the certificate
- --output=FILE
- Write to the specified FILE.
- If not specified, and the certificate was read from the certificate store,
imports the modified certificate into the cert store. If not specified,
and the certificate was read from a file, writes the modified certificate
to stdout.
See sq(1) for a description of the global options.
Bind Alice's old authentication subkey to Alice's new
certificate.
--cert=C5999E8191BF7B503653BE958B1F7910D01F86E5 \
--key=0D45C6A756A038670FDFD85CB1C82E8D27DB23A1
Bind a bare key to Alice's certificate. A bare key is a public key
without any components or signatures. This simplifies working with raw keys,
e.g., keys generated on an OpenPGP card, a TPM device, etc.
sq key subkey bind --keyring=bare.pgp \
--cert=C5999E8191BF7B503653BE958B1F7910D01F86E5 \
--key=B321BA8F650CB16443E06826DBFA98A78CF6562F \
sq(1), sq-key(1), sq-key-subkey(1).
For the full documentation see
<https://book.sequoia-pgp.org>.
0.40.0 (sequoia-openpgp 1.21.2)