Sequoia-PGP Cheatsheet

Updated on 2026-03-26

For a start, sq has very helpful built-in help. Simply add --help to any command and you get exactly that: some explanations, the necessary options and switches, and some usage examples at the end. Usually, right after asking for help, you will find yourself copying the examples.

The main contribution of this text, then, is to introduce the necessary subcommands and examples, organized along the usual tasks you will need: generating keys, importing or retrieving keys from communication partners, and occasionally contributing a certification to the web of trust.

Test Environment

Generating Keys

sq key generate --own-key [--can-authenticate] [--can-sign] [--can-encrypt <usage>] --email '<email>' --name '<Name>'

where <usage> is transport for encrypting communication (e.g. emails).

Each of the --can-* switches adds a subkey for signing, encryption or authentication (without an individual expiration time; you can set one with sq key subkey expire). You can always add further subkeys with the command

sq key subkey add <--can-X> --cert=<KEYID>

(You might already get the feeling that the CLI is actually quite well designed. All the commands seem somewhat natural — at least to me.)

Sending and Retrieving Certificates

The subcommands you are looking for are:

sq cert export [selection options] --output <filename>

for exporting your certified/signed public keys into a file, e.g. to send them to someone or to publish them on your webpage[1]. The output file name often consists of the hash of the primary key and ".asc" for "ASCII-encoded".

Publishing Your Public Key (aka Certificate)

You may also upload your certs to a keyserver, which is the oldest and still widely used way to publish your public keys. The following command sends the selected certificate to a list of known keyservers; instead of selecting your key by ID, you could use other selectors. You might be asked via email to confirm the upload.

sq network keyserver publish --cert=<ID>

Instead of a keyserver you could also publish your keys in a Web Key Directory or in the Domain Name System[2] using DANE[3].

Importing Public Keys

To establish secure communications you will need to retrieve authentic public keys of your communication partners. This can happen either because they send you their keys or by searching[5] for keys on the internet.

Importing a certificate (or private key) is easy: simply pipe it into

sq cert import

or

sq key import

And similarly, you have probably already guessed how to retrieve keys from keyservers, DANE or WKD:

sq network <keyserver|dane|wkd> search <email>

To make things easier you could also leave out the choice of network, which makes sq search all three.
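The generate, export and import steps from the sections above, combined into one round trip as an added example (it is not from the original page or from the Sequoia project). It assumes sq 1.x option names (--home, --without-password, --cert), uses constructed names and throw-away home directories, and checks that the fingerprint of the re-imported certificate matches your own before you publish anything:

```shell
#!/bin/sh
# Added example: generate a key in a throw-away sq home, add a subkey,
# export the certificate and re-import it into a second, empty home to
# confirm the fingerprint survives the round trip before publishing.
# Assumption: sq 1.x flag names; the name, e-mail address and home
# directories below are constructed for this demo.
set -eu

sq_roundtrip() {
    home_a=$(mktemp -d)     # our own key store
    home_b=$(mktemp -d)     # stands in for the recipient's empty store
    cert="$home_a/alice.asc"

    # 1. Generate an own key with signing and transport-encryption subkeys.
    sq --home "$home_a" key generate --own-key --without-password \
        --name 'Alice Demo' --email 'alice@example.invalid' \
        --can-sign --can-encrypt transport >/dev/null 2>&1

    # 2. Read the fingerprint back (first 40-hex-digit token in the listing).
    fpr=$(sq --home "$home_a" key list | grep -oE '[0-9A-F]{40}' | head -n1)

    # 3. Add an authentication subkey afterwards, as the text suggests
    #    (assumes subkey add also accepts --without-password).
    sq --home "$home_a" key subkey add --can-authenticate --cert "$fpr" \
        --without-password >/dev/null 2>&1

    # 4. Export the certificate (public parts only) to an .asc file and
    #    make sure no secret key material ended up in it.
    sq --home "$home_a" cert export --cert "$fpr" --output "$cert"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$cert"
    ! grep -q 'PRIVATE KEY' "$cert"

    # 5. Import into the empty store and compare fingerprints.
    sq --home "$home_b" cert import "$cert" >/dev/null 2>&1
    got=$(sq --home "$home_b" cert list | grep -oE '[0-9A-F]{40}' | head -n1)
    rm -rf "$home_a" "$home_b"
    [ "$got" = "$fpr" ]
}
```

Run sq_roundtrip before sq network keyserver publish; a non-zero exit means the exported file is not the certificate you think it is.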

Selectors

By “selectors” I denote options like --cert that identify the items (keys or certificates) a command affects. I have found the following switches in different help pages: cert, email, name, and userid.

To be continued…

Thunderbird

Remarks

  1. Mental note: update my certificate on my contact page
  2. Specified in RFC 1034 and RFC 1035 from 1987. One of the toughest survivors of the Internet Standards, often updated (e.g. by DANE[3]) but never obsoleted.
  3. By which I obviously refer to RFC 6698: DNS[2]-Based Authentication of Named Entities.[4]
  4. Don’t you also just love recursive footnotes?
  5. …and finding(!), mind you…