.\" Automatically generated by Pandoc 1.19.1
.\"
.TH "CLEVIS\-ENCRYPT\-SSS" "1" "September 2017" "" ""
.hy
.SH NAME
.PP
clevis\-encrypt\-sss \-\- Encrypts using a Shamir\[aq]s Secret Sharing
policy
.SH SYNOPSIS
.PP
\f[C]clevis\ encrypt\ sss\f[] CONFIG < PT > JWE
.SH OVERVIEW
.PP
The \f[C]clevis\ encrypt\ sss\f[] command encrypts using a Shamir\[aq]s
Secret Sharing policy.
Its only argument is the JSON configuration object.
.PP
Shamir\[aq]s Secret Sharing (SSS) provides a way to combine pins into
sophisticated unlocking and high\-availability policies.
SSS is a threshold scheme.
It generates a key and splits it into a number of fragments.
Each fragment is encrypted using another pin (possibly even SSS
recursively).
Additionally, you define the threshold \f[C]t\f[].
If at least \f[C]t\f[] fragments can be decrypted, then the encryption
key can be recovered and decryption can succeed; with fewer than
\f[C]t\f[] fragments, the key cannot be reconstructed.
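.PP
The threshold arithmetic behind this, as an added worked example (illustrative Python written for this page, not clevis\[aq]s own sss implementation): each byte of a key becomes the constant term of a random polynomial of degree t\-1 over GF(2^8), share i is that polynomial evaluated at x=i, and any t shares interpolate back to the constant term. Clevis additionally wraps every fragment with another pin and carries the result in the JWE; that layer is omitted here, so shares are bare (x, bytes) pairs.

```python
"""Shamir's Secret Sharing over GF(2^8), one polynomial per secret byte.

Added illustration of the t-of-n threshold idea behind the sss pin.
It is not clevis's own implementation: clevis additionally wraps each
fragment with another pin and carries the result in a JWE; here shares
are plain (x, bytes) pairs so the arithmetic can be seen directly.
"""
from __future__ import annotations
import secrets

AES_POLY = 0x11B  # reduction polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements: carry-less multiply, then reduce."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^(2^8 - 2); a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: list[int], x: int) -> int:
    """coeffs[0] + coeffs[1]*x + ... evaluated at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, t: int, n: int) -> list[tuple[int, bytes]]:
    """Split `secret` into n shares such that any t of them recover it.

    Share i is (x=i, y); x is never 0 because f(0) is the secret itself.
    With t == 1 every polynomial is constant, so each share *is* the
    secret: that is exactly the "any one Tang server" policy above.
    """
    if not 1 <= t <= n <= 255:
        raise ValueError("need 1 <= t <= n <= 255")
    # Per byte: constant term = secret byte, t-1 uniformly random coefficients.
    polys = [[b, *secrets.token_bytes(t - 1)] for b in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, n + 1)]


def recover(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate the shares at x = 0, byte by byte.

    Fewer than t shares do not fail loudly: they interpolate to a
    different, useless value. A caller cannot tell from the bytes alone,
    which is why success is only known once the key actually decrypts.
    """
    xs = [x for x, _ in shares]
    if not xs or len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("shares must be non-empty with distinct non-zero x")
    length = len(shares[0][1])
    out = bytearray(length)
    for k in range(length):
        acc = 0
        for xi, yi in shares:
            # Basis polynomial L_i(0) = prod_{j != i} x_j / (x_j - x_i);
            # in characteristic 2, subtraction is XOR.
            num = den = 1
            for xj, _ in shares:
                if xj != xi:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xj ^ xi)
            acc ^= gf_mul(yi[k], gf_mul(num, gf_inv(den)))
        out[k] = acc
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    shares = split(key, 2, 3)          # 2-of-3 policy
    assert recover(shares[:2]) == key
    assert recover(shares[1:]) == key
    assert recover(shares[:1]) != key  # one share reveals nothing useful
    print("2-of-3 recovery OK")
```

Note the failure mode in recover(): an insufficient set of shares yields bytes that look as plausible as the real key, so a threshold scheme by itself gives no signal of success; in clevis that signal comes from the recovered key actually decrypting the JWE.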
.PP
For example, let\[aq]s create a high\-availability setup using Tang:
.IP
.nf
\f[C]
$\ cfg=\[aq]{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\[aq]
$\ clevis\ encrypt\ sss\ "$cfg"\ <\ PT\ >\ JWE
\f[]
.fi
.PP
In this policy, we are declaring that we have a threshold of 1, but that
there are multiple key fragments encrypted using different Tang servers.
Since our threshold is 1, so long as any one of the Tang servers is
available, decryption will succeed.
As always, decryption is simply:
.IP
.nf
\f[C]
$\ clevis\ decrypt\ <\ JWE\ >\ PT
\f[]
.fi
.SH CONFIG
.PP
This command uses the following configuration properties:
.IP \[bu] 2
\f[C]t\f[] (integer) : Number of key fragments (pins) that must be
decryptable for decryption to succeed (REQUIRED)
.IP \[bu] 2
\f[C]pins\f[] (object) : Pins used for encrypting fragments (REQUIRED)
.PP
The format of the \f[C]pins\f[] property is as follows:
.IP
.nf
\f[C]
{PIN:CFG,...}\ OR\ {PIN:[CFG,CFG,...],...}
\f[]
.fi
.PP
When the list version of the format is used, each CFG in the list
produces a separate key fragment encrypted with that pin type.
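.PP
A check on the CONFIG format above, as an added example (Python written for this page, not clevis code): it walks the pins object in both the single\-CFG and list forms, recurses into nested sss policies, counts the fragments a policy yields and rejects a threshold that can never be met, since a t\-of\-n scheme with t greater than n has no recoverable key. The sample policies and their example.com hostnames are constructed for illustration.

```python
"""Validate a `clevis encrypt sss` CONFIG before handing it to clevis.

Added example, not clevis code. It applies the `pins` format documented
above ({PIN:CFG} or {PIN:[CFG,...]}, with sss nesting allowed) to count
the key fragments a policy produces and reject a threshold that could
never be met. The sample policies and their example.com URLs are
constructed for illustration.
"""
from __future__ import annotations
import json
from typing import Any


def check_sss_config(cfg: dict[str, Any], path: str = "sss") -> int:
    """Return the number of fragments `cfg` yields, validating recursively.

    Raises ValueError when the policy can never be decrypted: t is not a
    positive integer, pins is empty, or t exceeds the fragment count.
    `path` only labels nested policies in error messages.
    """
    t, pins = cfg.get("t"), cfg.get("pins")
    if isinstance(t, bool) or not isinstance(t, int) or t < 1:
        raise ValueError(f"{path}: t must be a positive integer")
    if not isinstance(pins, dict) or not pins:
        raise ValueError(f"{path}: pins must be a non-empty object")
    fragments = 0
    for pin, entry in pins.items():
        # Single-CFG form {PIN:CFG} is one fragment; list form is one each.
        configs = entry if isinstance(entry, list) else [entry]
        if not configs:
            raise ValueError(f"{path}/{pin}: empty list yields no fragment")
        for i, sub in enumerate(configs):
            if not isinstance(sub, dict):
                raise ValueError(f"{path}/{pin}[{i}]: CFG must be an object")
            if pin == "sss":
                # A nested sss policy is itself a threshold scheme; its
                # fragment is only recoverable if its own t can be met.
                check_sss_config(sub, f"{path}/sss[{i}]")
            fragments += 1
    if t > fragments:
        raise ValueError(
            f"{path}: t={t} but only {fragments} fragment(s); never decryptable")
    return fragments


def is_satisfiable(cfg_json: str) -> bool:
    """True if the JSON policy parses and passes check_sss_config."""
    try:
        check_sss_config(json.loads(cfg_json))
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False
    return True


# Constructed samples (hostnames are placeholders, not real servers).
HA_TANG = json.dumps({"t": 1, "pins": {"tang": [
    {"url": "http://tang1.example.com"},
    {"url": "http://tang2.example.com"},
]}})
# 2-of-2: the first Tang server AND (either of two others), via nested sss.
NESTED = json.dumps({"t": 2, "pins": {
    "tang": {"url": "http://tang1.example.com"},
    "sss": {"t": 1, "pins": {"tang": [
        {"url": "http://tang2.example.com"},
        {"url": "http://tang3.example.com"},
    ]}},
}})
# Threshold above fragment count: can never be met.
UNSATISFIABLE = json.dumps({"t": 3, "pins": {"tang": [
    {"url": "http://tang1.example.com"},
    {"url": "http://tang2.example.com"},
]}})

if __name__ == "__main__":
    for name, cfg in (("HA_TANG", HA_TANG), ("NESTED", NESTED),
                      ("UNSATISFIABLE", UNSATISFIABLE)):
        print(name, "satisfiable" if is_satisfiable(cfg) else "rejected")
```

The NESTED sample shows the recursion the overview mentions: the outer policy needs both of its two fragments, and the second fragment is itself a 1\-of\-2 policy, so the key is recoverable only while tang1 and at least one of tang2/tang3 are reachable.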
.SH SEE ALSO
.PP
\f[C]clevis\-encrypt\-http\f[](1), \f[C]clevis\-encrypt\-tang\f[](1),
\f[C]clevis\-decrypt\f[](1)
.SH AUTHORS
Nathaniel McCallum <npmccallum@redhat.com>.