clevis-encrypt-sss.1.adoc 1.8 KB

CLEVIS-ENCRYPT-SSS(1)
=====================
:doctype: manpage

== NAME

clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy

== SYNOPSIS

*clevis encrypt sss* CONFIG < PT > JWE

== OVERVIEW

The *clevis encrypt sss* command encrypts using a Shamir's Secret Sharing
policy. Its only argument is the JSON configuration object.

Shamir's Secret Sharing (SSS) provides a way to mix pins together to create
sophisticated unlocking and high availability policies. SSS is a thresholding
scheme. It creates a key and divides it into a number of pieces. Each piece is
encrypted using another pin (possibly even SSS recursively). Additionally,
you define the threshold *t*. If at least *t* pieces can be decrypted, then
the encryption key can be recovered and decryption can succeed.

For example, let's create a high-availability setup using Tang:

    $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
    $ clevis encrypt sss "$cfg" < PT > JWE

In this policy, we are declaring that we have a threshold of 1, but that there
are multiple key fragments encrypted using different Tang servers. Since our
threshold is 1, so long as any of the Tang servers are available, decryption
will succeed. As always, decryption is simply:

    $ clevis decrypt < JWE > PT

== CONFIG

This command uses the following configuration properties:

* *t* (integer) :
  Number of pins required for decryption (REQUIRED)

* *pins* (object) :
  Pins used for encrypting fragments (REQUIRED)

The format of the *pins* property is as follows:

    {PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}

When the list version of the format is used, multiple pins of that type will
receive key fragments.

== SEE ALSO

link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
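As an added example (not part of this man page or of the clevis project's code), the following Python checker applies the CONFIG rules above before a policy is ever used for encryption: it accepts both the `{PIN:CFG}` and `{PIN:[CFG,...]}` forms, recurses into nested `sss` pins, counts the key fragments the policy would produce, and rejects a threshold `t` that no combination of pins could ever satisfy (such a JWE could never be decrypted). The function names and the sample configs are constructed for this example; the Tang URLs are placeholders.

```python
import json

# Constructed sample policies (placeholder Tang URLs, not real servers).
HA_CONFIG = '{"t":1,"pins":{"tang":[{"url":"http://tang-a.example"},{"url":"http://tang-b.example"}]}}'
NESTED_CONFIG = ('{"t":2,"pins":{"tpm2":{},"sss":{"t":1,"pins":{"tang":'
                 '[{"url":"http://tang-a.example"},{"url":"http://tang-b.example"}]}}}}')
BAD_CONFIG = '{"t":3,"pins":{"tang":[{"url":"http://tang-a.example"},{"url":"http://tang-b.example"}]}}'


def normalize_pins(pins):
    """Expand {PIN: CFG} into {PIN: [CFG]} so both documented forms are handled alike."""
    if not isinstance(pins, dict):
        raise ValueError("pins must be a JSON object")
    out = {}
    for name, cfg in pins.items():
        cfgs = cfg if isinstance(cfg, list) else [cfg]
        if not cfgs or not all(isinstance(c, dict) for c in cfgs):
            raise ValueError(f"pin {name!r}: every CFG must be a JSON object")
        out[name] = cfgs
    return out


def check_sss(cfg):
    """Validate one sss CONFIG object; return (threshold, fragment_count).

    A nested 'sss' pin is itself a CONFIG and is validated recursively, but it
    counts as a single fragment at this level, exactly like any other pin."""
    if not isinstance(cfg, dict):
        raise ValueError("CONFIG must be a JSON object")
    t = cfg.get("t")
    if isinstance(t, bool) or not isinstance(t, int) or t < 1:
        raise ValueError("t must be a positive integer")
    fragments = 0
    for name, cfgs in normalize_pins(cfg.get("pins")).items():
        for sub in cfgs:
            if name == "sss":
                check_sss(sub)
            fragments += 1
    if t > fragments:
        raise ValueError(f"t={t} exceeds the {fragments} fragment(s); "
                         "decryption could never succeed")
    return t, fragments


def policy_summary(cfg_text):
    """Parse CONFIG text and return (t, number of key fragments)."""
    return check_sss(json.loads(cfg_text))


def is_valid(cfg_text):
    """True if the CONFIG is well-formed and its threshold is satisfiable."""
    try:
        policy_summary(cfg_text)
        return True
    except (ValueError, json.JSONDecodeError):
        return False
```

A policy that passes with `t` equal to 1 is an availability policy: any single pin unlocks the data, so its strength is that of the weakest pin listed.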