git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: b50a10d130
Branches Tags
clevis
/
doc
/
clevis.1

clevis.1 4.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. .\" Automatically generated by Pandoc 1.19.1
    2. 

  2. .\"
    3. 

  3. .TH "CLEVIS" "1" "Sepember 2017" "" ""
    4. 

  4. .hy
    5. 

  5. .SH NAME
    6. 

  6. .PP
    7. 

  7. clevis \-\- Automated decryption policy framework
    8. 

  8. .SH SYNOPSIS
    9. 

  9. .PP
    10. 

  10. \f[C]clevis\f[] COMMAND [OPTIONS]
    11. 

  11. .SH OVERVIEW
    12. 

  12. .PP
    13. 

  13. Clevis is a framework for automated decryption policy.
    14. 

  14. It allows you to define a policy at encryption time that must be
    15. 

  15. satisfied for the data to decrypt.
    16. 

  16. Once this policy is met, the data is decrypted.
    17. 

  17. .PP
    18. 

  18. Clevis is pluggable.
    19. 

  19. Our plugins are called pins.
    20. 

  20. The job of a pin is to take a policy as its first argument and plaintext
    21. 

  21. on standard input and to encrypt the data so that it can be
    22. 

  22. automatically decrypted if the policy is met.
    23. 

  23. Lets walk through an example.
    24. 

  24. .SH HTTP ESCROW
    25. 

  25. .PP
    26. 

  26. When using the HTTP pin, we create a new, cryptographically\-strong,
    27. 

  27. random key.
    28. 

  28. This key is stored in a remote HTTP escrow server (using a simple PUT or
    29. 

  29. POST).
    30. 

  30. Then at decryption time, we attempt to fetch the key back again in order
    31. 

  31. to decrypt our data.
    32. 

  32. So, for our configuration we need to pass the URL to the key location:
    33. 

  33. .IP
    34. 

  34. .nf
    35. 

  35. \f[C]
    36. 

  36. $\ clevis\ encrypt\ http\ \[aq]{"url":"https://escrow.srv/1234"}\[aq]\ <\ PT\ >\ JWE
    37. 

  37. \f[]
    38. 

  38. .fi
    39. 

  39. .PP
    40. 

  40. To decrypt the data, simply provide the ciphertext (JWE):
    41. 

  41. .IP
    42. 

  42. .nf
    43. 

  43. \f[C]
    44. 

  44. $\ clevis\ decrypt\ <\ JWE\ >\ PLAINTEXT
    45. 

  45. \f[]
    46. 

  46. .fi
    47. 

  47. .PP
    48. 

  48. Notice that we did not pass any configuration during decryption.
    49. 

  49. The decrypt command extracted the URL (and possibly other configuration)
    50. 

  50. from the JWE object, fetched the encryption key from the escrow and
    51. 

  51. performed decryption.
    52. 

  52. .PP
    53. 

  53. For more information, see \f[C]clevis\-encrypt\-http\f[](1).
    54. 

  54. .SH TANG BINDING
    55. 

  55. .PP
    56. 

  56. Clevis provides support for the Tang network binding server.
    57. 

  57. Tang provides a stateless, lightweight alternative to escrows.
    58. 

  58. Encrypting data using the Tang pin works much like our HTTP pin above:
    59. 

  59. .IP
    60. 

  60. .nf
    61. 

  61. \f[C]
    62. 

  62. $\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
    63. 

  63. The\ advertisement\ contains\ the\ following\ signing\ keys:
    64. 

  64. 

  65. _OsIk0T\-E2l6qjfdDiwVmidoZjA
    66. 

  66. 

  67. Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
    68. 

  68. \f[]
    69. 

  69. .fi
    70. 

  70. .PP
    71. 

  71. As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
    72. 

  72. Alternatively, Tang can perform entirely offline encryption if you
    73. 

  73. pre\-share the server advertisement.
    74. 

  74. Decryption, too works like our first example:
    75. 

  75. .IP
    76. 

  76. .nf
    77. 

  77. \f[C]
    78. 

  78. $\ clevis\ decrypt\ <\ JWE\ >\ PT
    79. 

  79. \f[]
    80. 

  80. .fi
    81. 

  81. .PP
    82. 

  82. For more information, see \f[C]clevis\-encrypt\-tang\f[](1).
    83. 

  83. .SH SHAMIR\[aq]S SECRET SHARING
    84. 

  84. .PP
    85. 

  85. Clevis provides a way to mix pins together to create sophisticated
    86. 

  86. unlocking and high availability policies.
    87. 

  87. This is accomplished by using an algorithm called Shamir\[aq]s Secret
    88. 

  88. Sharing (SSS).
    89. 

  89. .PP
    90. 

  90. SSS is a thresholding scheme.
    91. 

  91. It creates a key and divides it into a number of pieces.
    92. 

  92. Each piece is encrypted using another pin (possibly even SSS
    93. 

  93. recursively).
    94. 

  94. Additionally, you define the threshold \f[C]t\f[].
    95. 

  95. If at least \f[C]t\f[] pieces can be decrypted, then the encryption key
    96. 

  96. can be recovered and decryption can succeed.
    97. 

  97. .PP
    98. 

  98. For example, let\[aq]s create a high\-availability setup using Tang:
    99. 

  99. .IP
    100. 

  100. .nf
    101. 

  101. \f[C]
    102. 

  102. $\ cfg=\[aq]{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\[aq]
    103. 

  103. $\ clevis\ encrypt\ sss\ "$cfg"\ <\ PT\ >\ JWE
    104. 

  104. \f[]
    105. 

  105. .fi
    106. 

  106. .PP
    107. 

  107. In this policy, we are declaring that we have a threshold of 1, but that
    108. 

  108. there are multiple key fragments encrypted using different Tang servers.
    109. 

  109. Since our threshold is 1, so long as any of the Tang servers are
    110. 

  110. available, decryption will succeed.
    111. 

  111. As always, decryption is simply:
    112. 

  112. .IP
    113. 

  113. .nf
    114. 

  114. \f[C]
    115. 

  115. $\ clevis\ decrypt\ <\ JWE\ >\ PT
    116. 

  116. \f[]
    117. 

  117. .fi
    118. 

  118. .PP
    119. 

  119. For more information, see \f[C]clevis\-encrypt\-tang\f[](1).
    120. 

  120. .SH LUKS BINDING
    121. 

  121. .PP
    122. 

  122. Clevis can be used to bind an existing LUKS volume to its automation
    123. 

  123. policy.
    124. 

  124. This is accomplished with a simple command:
    125. 

  125. .IP
    126. 

  126. .nf
    127. 

  127. \f[C]
    128. 

  128. $\ clevis\ luks\ bind\ \-d\ /dev/sda\ tang\ \[aq]{"url":...}\[aq]
    129. 

  129. \f[]
    130. 

  130. .fi
    131. 

  131. .PP
    132. 

  132. This command performs four steps:
    133. 

  133. .IP "1." 3
    134. 

  134. Creates a new key with the same entropy as the LUKS master key.
    135. 

  135. .IP "2." 3
    136. 

  136. Encrypts the new key with Clevis.
    137. 

  137. .IP "3." 3
    138. 

  138. Stores the Clevis JWE in the LUKS header with LUKSMeta.
    139. 

  139. .IP "4." 3
    140. 

  140. Enables the new key for use with LUKS.
    141. 

  141. .PP
    142. 

  142. This disk can now be unlocked with your existing password as well as
    143. 

  143. with the Clevis policy.
    144. 

  144. Clevis provides two unlockers for LUKS volumes.
    145. 

  145. First, we provide integration with Dracut to automatically unlock your
    146. 

  146. root volume during early boot.
    147. 

  147. Second, we provide integration with UDisks2 to automatically unlock your
    148. 

  148. removable media in your desktop session.
    149. 

  149. .PP
    150. 

  150. For more information, see \f[C]clevis\-luks\-bind\f[](1).
    151. 

  151. .SH SEE ALSO
    152. 

  152. .PP
    153. 

  153. \f[C]clevis\-encrypt\-http\f[](1), \f[C]clevis\-encrypt\-tang\f[](1),
    154. 

  154. \f[C]clevis\-encrypt\-sss\f[](1), \f[C]clevis\-luks\-bind\f[](1),
    155. 

  155. \f[C]clevis\-decrypt\f[](1)
    156. 

  156. .SH AUTHORS
    157. 

  157. Nathaniel McCallum <npmccallum@redhat.com>.
    158.