Key generation

Generate a key

You can generate keys with different parameters for different purposes. By default, a new key expires after three years and uses elliptic-curve cryptography; both settings can be changed with the options described below.

There is no command to generate a certificate; you always generate a key. A certificate is simply the public part of a key (everything except the secret key material), so it can always be derived from a key.

sq key generate is a stateful operation: by default it imports the new key directly into the key store. To avoid this, use the --output option to write the key to a file instead. The emergency revocation certificate that is generated alongside the key is stored in $HOME/.local/share/sequoia/revocation-certificates unless you specify a different location (see 'File structure and backup' for more information). Keep that file safe: it lets you revoke the key even if the secret key material or its password is lost.

You don't have to put name and email address into separate User IDs; you could instead combine them into a single --userid 'Alice Example <alice@example.com>'. However, this is not the recommended practice. Sequoia suggests separate User IDs for name and email address, so that each can be certified or revoked independently (for example when an email address changes but the name does not).

$ sq key generate --own-key --name "Alice Example" --email alice@example.com 

This example generates a key with two User IDs, Alice Example and <alice@example.com>. --own-key marks the new key as an unconstrained trust introducer, i.e. sq fully trusts certifications made with it. If you plan to share the key (for instance to use it as a group key), use --shared-key instead; the new key is then not made a trust introducer, so certifications made by other holders of the key do not affect what you authenticate.

You can use sq pki link {add | authorize | retract} to change the trust introducer state at a later time.

For understanding in detail what sq pki link does, see 'Authenticating certificates'.

Choosing a cipher-suite

The default cipher suite that sq uses when generating a key is cv25519. To select a different one, pass --cipher-suite with one of the following values:

  • rsa2k RSA with 2048-bit keys
  • rsa3k RSA with 3072-bit keys
  • rsa4k RSA with 4096-bit keys
  • cv25519 Curve25519 (EdDSA for signing, ECDH for encryption) with 256-bit keys (default)

For example:

$ sq key generate --own-key --name "Alice Example" --email alice@example.com --cipher-suite rsa4k

RSA keys are very common and may be the only option when dealing with legacy systems, but elliptic-curve keys are smaller, faster, and stronger for their size, so using them as the default is a sensible choice. If you need RSA for compatibility, prefer rsa3k or rsa4k for new keys; rsa2k offers the least security margin of the available suites.

Opting out of password protection

By default, sq key generate protects the secret key material with a password, which it prompts for interactively after you run the command. To create a key without password protection, pass the --without-password option. Do this only where the key file or key store is protected by other means (for example on an automated system with restrictive file permissions), since anyone who can read an unprotected key can use it.

$ sq key generate --own-key --name "Alice Example" --email alice@example.com --without-password

Choose expiration time

The default expiration time is three years. To choose a different one, pass --expiration with either an ISO 8601 date string (like 2038-01-19) or a duration of the form N[ymwds]: a number followed by a letter denoting years, months, weeks, days or seconds, so 2y means two years. A duration is counted from the reference time, which defaults to now and can be set with --time. The value never disables expiration, which is not recommended. You can also extend or shorten the expiration of an existing key later; see 'Maintaining a key' for more information. For a discussion of why setting an expiration date is useful, see 'Key expiration'.

$ sq key generate --own-key --name "Alice Example" --email alice@example.com --expiration 2y

All of the options shown above can be combined in a single invocation:

$ sq key generate --own-key --name "Alice Example" --email alice@example.com --expiration 2y --cipher-suite rsa4k

Generating v6 keys

Version 6 (v6) keys were introduced in RFC 9580, which is implemented in version 2.0.0 of Sequoia PGP and used by sq since version 1.3.0. To generate a v6 key, use the --profile option:

$ sq key generate --profile rfc9580 ...

Available values are rfc4880 and rfc9580. rfc4880 is the default and makes sq generate a v4 key. Note that v6 keys can only be used with implementations that support RFC 9580; older OpenPGP software (including older versions of sq itself) cannot parse them, so choose rfc9580 only if everyone you exchange messages with supports it.
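The following script is an added example and not part of the sq documentation or the Sequoia project. It puts the options from this page (key generation to a file, separate User IDs, cipher suite, expiration, password handling and profile) together into one reproducible, non-interactive provisioning step: it validates the --cipher-suite, --expiration and --profile values before calling sq, writes the key and its emergency revocation certificate into a directory with restrictive permissions instead of the key store, and inspects the result. It assumes the sq 1.x flags shown above plus --rev-cert (taken to mean "write the emergency revocation certificate to FILE") and the sq inspect subcommand; the file names key.pgp and key.rev are arbitrary, and the expiration check covers a practical subset of the date formats sq accepts. Because it uses --without-password, it is meant for automated systems where the output directory is otherwise protected.

```shell
#!/bin/sh
# Added example, not part of the sq documentation: non-interactive key
# provisioning that combines the options described on this page.
# Assumes the sq 1.x flags shown above plus --rev-cert (write the emergency
# revocation certificate to FILE) and sq inspect. File names are arbitrary.

# validate_expiration VALUE
# Accepts the forms the page describes: a duration N[ymwds], an ISO 8601
# date (optionally with a time), or the literal "never". Exit status 0 if valid.
validate_expiration() {
    case "$1" in
        never) return 0 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]+[ymwds]|[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}(:[0-9]{2})?Z?)?)$'
}

# validate_cipher_suite VALUE: one of the suites sq key generate accepts.
validate_cipher_suite() {
    case "$1" in
        rsa2k|rsa3k|rsa4k|cv25519) return 0 ;;
        *) return 1 ;;
    esac
}

# validate_profile VALUE: rfc4880 (v4 key) or rfc9580 (v6 key).
validate_profile() {
    case "$1" in
        rfc4880|rfc9580) return 0 ;;
        *) return 1 ;;
    esac
}

# generate_key NAME EMAIL CIPHER EXPIRATION PROFILE OUTDIR
# Generates a key with separate name and email User IDs, writes the key and
# its revocation certificate into OUTDIR (directory 0700, files 0600) instead
# of the key store, then prints sq's inspection of the result so version,
# algorithm and expiration can be checked before the key is put to use.
# The body runs in a subshell so umask does not leak into the caller;
# "exit" therefore only leaves the subshell.
generate_key() (
    name=$1 email=$2 cipher=$3 expiration=$4 profile=$5 outdir=$6
    command -v sq >/dev/null 2>&1 || { echo "sq not found in PATH" >&2; exit 1; }
    validate_cipher_suite "$cipher" || { echo "unknown cipher suite: $cipher" >&2; exit 1; }
    validate_expiration "$expiration" || { echo "bad expiration: $expiration" >&2; exit 1; }
    validate_profile "$profile" || { echo "unknown profile: $profile" >&2; exit 1; }
    umask 077
    mkdir -p "$outdir" || exit 1
    # --without-password: the secret key is unprotected on disk, so the
    # permissions set above are the only thing guarding it.
    sq key generate --own-key \
        --name "$name" --email "$email" \
        --cipher-suite "$cipher" --expiration "$expiration" --profile "$profile" \
        --without-password \
        --output "$outdir/key.pgp" --rev-cert "$outdir/key.rev" || exit 1
    # Both artifacts must exist; the revocation certificate is what lets you
    # retire the key if the secret material is ever lost or compromised.
    [ -s "$outdir/key.pgp" ] && [ -s "$outdir/key.rev" ] ||
        { echo "expected key.pgp and key.rev in $outdir" >&2; exit 1; }
    sq inspect "$outdir/key.pgp"
)

# Usage: sh provision-key.sh "Alice Example" alice@example.com [OUTDIR]
if [ $# -ge 2 ]; then
    generate_key "$1" "$2" cv25519 2y rfc4880 "${3:-./keys}"
fi
```

Run it as `sh provision-key.sh "Alice Example" alice@example.com /srv/keys` to produce /srv/keys/key.pgp and /srv/keys/key.rev; change the cv25519, 2y and rfc4880 arguments in the last block to match the cipher suite, expiration and key version you need. Back up key.rev separately from the key itself.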