git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: 34dcba0b61
Branches Tags
clevis
/
src
/
pins
/
tang
/
clevis-encrypt-tang.1.adoc

clevis-encrypt-tang.1.adoc 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. CLEVIS-ENCRYPT-TANG(1)
    2. 

  2. ======================
    3. 

  3. :doctype: manpage
    4. 

  4. 

  5. 

  6. == NAME
    7. 

  7. 

  8. clevis-encrypt-tang - Encrypts using a Tang binding server policy
    9. 

  9. 

  10. == SYNOPSIS
    11. 

  11. 

  12. *clevis encrypt tang* CONFIG < PT > JWE
    13. 

  13. 

  14. == OVERVIEW
    15. 

  15. 

  16. The *clevis encrypt tang* command encrypts using a Tang binding server policy.
    17. 

  17. Its only argument is the JSON configuration object.
    18. 

  18. 

  19. Clevis provides support for the Tang network binding server. Tang provides
    20. 

  20. a stateless, lightweight alternative to escrows. Encrypting data using the
    21. 

  21. Tang pin works like this:
    22. 

  22. 

  23.     $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
    24. 

  24.     The advertisement contains the following signing keys:
    25. 

  25. 

  26.     _OsIk0T-E2l6qjfdDiwVmidoZjA
    27. 

  27. 

  28.     Do you wish to trust these keys? [ynYN] y
    29. 

  29. 

  30. To decrypt the data, just pass it to the *clevis decrypt* command:
    31. 

  31. 

  32.     $ clevis decrypt < JWE > PT
    33. 

  33. 

  34. As you can see above, Tang utilizes a trust-on-first-use workflow. If you
    35. 

  35. already know the thumbprint of a trusted key, you can specify it in the
    36. 

  36. configuration at encryption time:
    37. 

  37. 

  38.     $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}'
    39. 

  39.     $ clevis encrypt tang "$cfg" < PT > JWE
    40. 

  40. 

  41. Obtaining the thumbprint of a trusted signing key is easy. If you
    42. 

  42. have access to the Tang server, simply execute:
    43. 

  43. 

  44.     $ tang-show-keys <PORT>
    45. 

  45. 

  46. where <PORT> is the port that the Tang server is listening on.
    47. 

  47. 

  48. If *tang-show-keys* is not available, but you have access to the Tang
    49. 

  49. server's database directory, you can execute this instead:
    50. 

  50. 

  51.     $ jose jwk thp -i $DBDIR/$SIG.jwk
    52. 

  52. 

  53. Tang can also perform entirely offline encryption if you pre-share the server
    54. 

  54. advertisement. You can fetch the advertisement with a simple command (just be
    55. 

  55. careful your network isn't compromised!):
    56. 

  56. 

  57.     $ curl -f $URL/adv > adv.jws
    58. 

  58. 

  59. Once you have the advertisement file, just provide it:
    60. 

  60. 

  61.     $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE
    62. 

  62. 

  63. == CONFIG
    64. 

  64. 

  65. This command uses the following configuration properties:
    66. 

  66. 

  67. * *url* (string) :
    68. 

  68.   The base URL of the Tang server (REQUIRED)
    69. 

  69. 

  70. * *thp* (string) :
    71. 

  71.   The thumbprint of a trusted signing key
    72. 

  72. 

  73. * *adv* (string) :
    74. 

  74.   A filename containing a trusted advertisement
    75. 

  75. 

  76. * *adv* (object) :
    77. 

  77.   A trusted advertisement (raw JSON)
    78. 

  78. 

  79. == SEE ALSO
    80. 

  80. 

  81. link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
    82.