.\" Automatically generated by Pandoc 1.19.1
.\"
.TH "CLEVIS\-ENCRYPT\-TANG" "1" "September 2017" "" ""
.hy
.SH NAME
.PP
clevis\-encrypt\-tang \-\- Encrypts using a Tang binding server policy
.SH SYNOPSIS
.PP
\f[C]clevis\ encrypt\ tang\f[] CONFIG < PT > JWE
.SH OVERVIEW
.PP
The \f[C]clevis\ encrypt\ tang\f[] command encrypts using a Tang binding
server policy.
Its only argument is the JSON configuration object.
.PP
Clevis provides support for the Tang network binding server.
Tang provides a stateless, lightweight alternative to escrows.
Encrypting data using the Tang pin works like this:
.IP
.nf
\f[C]
$\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
The\ advertisement\ contains\ the\ following\ signing\ keys:

_OsIk0T\-E2l6qjfdDiwVmidoZjA

Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
\f[]
.fi
.PP
To decrypt the data, just pass it to the \f[C]clevis\ decrypt\f[] command:
.IP
.nf
\f[C]
$\ clevis\ decrypt\ <\ JWE\ >\ PT
\f[]
.fi
.PP
As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
If you already know the thumbprint of a trusted key, you can specify it
in the configuration at encryption time:
.IP
.nf
\f[C]
$\ cfg=\[aq]{"url":"http://tang.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\[aq]
$\ clevis\ encrypt\ tang\ "$cfg"\ <\ PT\ >\ JWE
\f[]
.fi
.PP
Obtaining the thumbprint of a trusted signing key is easy.
If you have access to the Tang server\[aq]s database directory, simply do:
.IP
.nf
\f[C]
$\ jose\ jwk\ thp\ \-i\ $DBDIR/$SIG.jwk\ 
\f[]
.fi
.PP
Tang can also perform entirely offline encryption if you pre\-share the
server advertisement.
You can fetch the advertisement with a simple command (just be careful
your network isn\[aq]t compromised!):
.IP
.nf
\f[C]
$\ curl\ \-f\ $URL/adv\ >\ adv.jws
\f[]
.fi
.PP
Once you have the advertisement file, just provide it:
.IP
.nf
\f[C]
$\ clevis\ encrypt\ tang\ \[aq]{"url":...,"adv":"adv.jws"}\[aq]\ <\ PT\ >\ JWE
\f[]
.fi
.SH CONFIG
.PP
This command uses the following configuration properties:
.IP \[bu] 2
\f[C]url\f[] (string) : The base URL of the Tang server (REQUIRED)
.IP \[bu] 2
\f[C]thp\f[] (string) : The thumbprint of a trusted signing key
.IP \[bu] 2
\f[C]adv\f[] (string) : A filename containing a trusted advertisement
.IP \[bu] 2
\f[C]adv\f[] (object) : A trusted advertisement (raw JSON)
.SH SEE ALSO
.PP
\f[C]clevis\-decrypt\f[](1)
.SH AUTHORS
Nathaniel McCallum.
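The two pinning mechanisms above, the `thp` thumbprint and the pre-shared `adv` advertisement, both come down to the same check: the signing key found in the server's advertisement must hash to the value the client already trusts. The following is an added example, not code from the Clevis man page or from the Clevis/Tang project, that makes that check explicit. It computes RFC 7638 JWK thumbprints (what `jose jwk thp` produces; the 27-character value shown on this page is the length of a SHA-1 thumbprint, while jose's current default is SHA-256, 43 characters), pulls the JWK set out of the flattened-JSON JWS that `curl -f $URL/adv` returns, keeps only keys Tang marks with `key_ops` `verify`, and reports whether a pinned `thp` matches one of them. It assumes the JWS signature has already been checked by jose or clevis; the advertisement is self-signed, so the pin, not the signature, is what establishes trust. The advertisement embedded below is constructed sample data with placeholder coordinates, not a real Tang key set.

```python
# Added example, not part of the Clevis man page or the Clevis/Tang code base.
# It shows what the `thp` pin in the CONFIG object is compared against: the
# RFC 7638 thumbprint of a signing key taken from the server advertisement.
import base64
import hashlib
import json

# Members that enter the thumbprint for each key type (RFC 7638 section 3.2).
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

_HASHES = {"S1": hashlib.sha1, "S256": hashlib.sha256}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict, alg: str = "S256") -> str:
    """RFC 7638 thumbprint: hash the canonical JSON (required members only,
    lexicographic order, no whitespace) and base64url-encode it unpadded.
    S256 yields 43 characters; S1 yields the 27-character form seen in the
    man page example (the older jose/clevis default)."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError("unsupported or missing kty: %r" % kty)
    canonical = json.dumps({m: jwk[m] for m in _REQUIRED_MEMBERS[kty]},
                           sort_keys=True, separators=(",", ":"))
    return b64url_encode(_HASHES[alg](canonical.encode()).digest())


def adv_payload(jws: dict) -> dict:
    """Extract the JWK set from a flattened-JSON JWS such as the output of
    `curl -f $URL/adv`. Signature verification is assumed to have been done
    by jose/clevis; the advertisement is self-signed, so the thumbprint pin,
    not the signature, is what establishes trust."""
    return json.loads(b64url_decode(jws["payload"]))


def signing_keys(adv: dict) -> list:
    """Tang marks signing keys with key_ops containing 'verify'; exchange keys
    ('deriveKey') are not a trust anchor and are ignored here."""
    return [k for k in adv.get("keys", []) if "verify" in k.get("key_ops", [])]


def select_trusted_key(adv: dict, thp: str):
    """Return the advertised signing key whose thumbprint equals the pinned
    `thp` under either hash, or None. None is the case in which a pinned
    configuration must fail instead of falling back to trust-on-first-use."""
    for key in signing_keys(adv):
        for alg in _HASHES:
            if jwk_thumbprint(key, alg) == thp:
                return key
    return None


# Constructed sample advertisement: the coordinates are placeholders, not real
# P-521 points, so this key set cannot be used with a real Tang server.
SAMPLE_ADV = {
    "keys": [
        {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["verify"],
         "x": "Y29uc3RydWN0ZWQtc2lnLXg", "y": "Y29uc3RydWN0ZWQtc2lnLXk"},
        {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"],
         "x": "Y29uc3RydWN0ZWQtZXhjLXg", "y": "Y29uc3RydWN0ZWQtZXhjLXk"},
    ]
}
# Constructed flattened JWS wrapping it; header and signature are placeholders.
SAMPLE_JWS = {
    "payload": b64url_encode(json.dumps(SAMPLE_ADV).encode()),
    "protected": "PLACEHOLDER",
    "signature": "PLACEHOLDER",
}

if __name__ == "__main__":
    adv = adv_payload(SAMPLE_JWS)
    pin = jwk_thumbprint(signing_keys(adv)[0])
    print("value to pin as thp:", pin)
    print("pin matches:", select_trusted_key(adv, pin) is not None)
    print("wrong pin matches:", select_trusted_key(adv, "not-a-thumbprint") is not None)
```

Because the thumbprint covers only the required JWK members, extra members such as `alg`, `use` or `key_ops` do not change it, so a pin stays valid across servers that decorate the same key differently; an exchange key, however, never matches, which keeps a `deriveKey` key from being mistaken for a trust anchor.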