- .\" Automatically generated by Pandoc 1.19.1
- .\"
- .TH "CLEVIS\-ENCRYPT\-TANG" "1" "September 2017" "" ""
- .hy
- .SH NAME
- .PP
- clevis\-encrypt\-tang \-\- Encrypts using a Tang binding server policy
- .SH SYNOPSIS
- .PP
- \f[C]clevis\ encrypt\ tang\f[] CONFIG < PT > JWE
- .SH OVERVIEW
- .PP
- The \f[C]clevis\ encrypt\ tang\f[] command encrypts using a Tang binding
- server policy.
- Its only argument is the JSON configuration object.
- .PP
- Clevis provides support for the Tang network binding server.
- Tang provides a stateless, lightweight alternative to escrows.
- Encrypting data using the Tang pin works like this:
- .IP
- .nf
- \f[C]
- $\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
- The\ advertisement\ contains\ the\ following\ signing\ keys:
- _OsIk0T\-E2l6qjfdDiwVmidoZjA
- Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
- \f[]
- .fi
- .PP
- To decrypt the data, just pass it to the \f[C]clevis\ decrypt\f[]
- command:
- .IP
- .nf
- \f[C]
- $\ clevis\ decrypt\ <\ JWE\ >\ PT
- \f[]
- .fi
- .PP
- As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
- If you already know the thumbprint of a trusted key, you can specify it
- in the configuration at encryption time:
- .IP
- .nf
- \f[C]
- $\ cfg=\[aq]{"url":"http://tang.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\[aq]
- $\ clevis\ encrypt\ tang\ "$cfg"\ <\ PT\ >\ JWE
- \f[]
- .fi
- .PP
- Obtaining the thumbprint of a trusted signing key is easy.
- If you have access to the Tang server\[aq]s database directory, simply
- do:
- .IP
- .nf
- \f[C]
- $\ jose\ jwk\ thp\ \-i\ $DBDIR/$SIG.jwk\
- \f[]
- .fi
- .PP
- Tang can also perform entirely offline encryption if you pre\-share the
- server advertisement.
- You can fetch the advertisement with a simple command (just be careful
- your network isn\[aq]t compromised!):
- .IP
- .nf
- \f[C]
- $\ curl\ \-f\ $URL/adv\ >\ adv.jws
- \f[]
- .fi
- .PP
- Once you have the advertisement file, just provide it:
- .IP
- .nf
- \f[C]
- $\ clevis\ encrypt\ tang\ \[aq]{"url":...,"adv":"adv.jws"}\[aq]\ <\ PT\ >\ JWE
- \f[]
- .fi
- .SH CONFIG
- .PP
- This command uses the following configuration properties:
- .IP \[bu] 2
- \f[C]url\f[] (string) : The base URL of the Tang server (REQUIRED)
- .IP \[bu] 2
- \f[C]thp\f[] (string) : The thumbprint of a trusted signing key
- .IP \[bu] 2
- \f[C]adv\f[] (string) : A filename containing a trusted advertisement
- .IP \[bu] 2
- \f[C]adv\f[] (object) : A trusted advertisement (raw JSON)
- .SH SEE ALSO
- .PP
- \f[C]clevis\-decrypt\f[](1)
- .SH AUTHORS
- Nathaniel McCallum <npmccallum@redhat.com>.
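Review bot: deleting this generated clevis-encrypt-tang.1 removes the only in-tree description of the `thp` and `adv` CONFIG properties and of the trust-on-first-use caveat ("As you can see above, Tang utilizes a trust-on-first-use workflow"), so please confirm the man page is still produced at build time from its source (the header says "Automatically generated by Pandoc 1.19.1", so the markdown should still be in the tree) or that the replacement carries the same text; otherwise `clevis encrypt tang` ships with no documentation of how to pin a server signing key. If the page is being regenerated rather than dropped, the regenerated text should also tighten the offline-advertisement section: `curl -f $URL/adv > adv.jws` against the `http://tang.srv` example URL gives no authenticity guarantee, and "just be careful your network isn't compromised!" is not an actionable check. The CONFIG list documents `thp` and `adv` separately but never says whether `thp` is honoured together with `adv`; stating that, and (if it is) recommending that both be supplied when the advertisement was fetched over the network, would close the gap the current wording only hints at.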