.\" Automatically generated by Pandoc 1.19.1
.\"
.TH "CLEVIS\-ENCRYPT\-TANG" "1" "September 2017" "" ""
.hy
.SH NAME
.PP
clevis\-encrypt\-tang \-\- Encrypts using a Tang binding server policy
.SH SYNOPSIS
.PP
\f[C]clevis\ encrypt\ tang\f[] CONFIG < PT > JWE
.SH OVERVIEW
.PP
The \f[C]clevis\ encrypt\ tang\f[] command encrypts using a Tang binding
server policy.
Its only argument is the JSON configuration object.
.PP
Clevis provides support for the Tang network binding server.
Tang provides a stateless, lightweight alternative to escrows.
Encrypting data using the Tang pin works like this:
.IP
.nf
\f[C]
$\ clevis\ encrypt\ tang\ \[aq]{"url":"http://tang.srv"}\[aq]\ <\ PT\ >\ JWE
The\ advertisement\ contains\ the\ following\ signing\ keys:

_OsIk0T\-E2l6qjfdDiwVmidoZjA

Do\ you\ wish\ to\ trust\ these\ keys?\ [ynYN]\ y
\f[]
.fi
.PP
To decrypt the data, just pass it to the \f[C]clevis\ decrypt\f[]
command:
.IP
.nf
\f[C]
$\ clevis\ decrypt\ <\ JWE\ >\ PT
\f[]
.fi
.PP
As you can see above, Tang utilizes a trust\-on\-first\-use workflow.
If you already know the thumbprint of a trusted key, you can specify it
in the configuration at encryption time:
.IP
.nf
\f[C]
$\ cfg=\[aq]{"url":"http://tang.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\[aq]
$\ clevis\ encrypt\ tang\ "$cfg"\ <\ PT\ >\ JWE
\f[]
.fi
.PP
Obtaining the thumbprint of a trusted signing key is easy.
If you have access to the Tang server\[aq]s database directory, simply
do:
.IP
.nf
\f[C]
$\ jose\ jwk\ thp\ \-i\ $DBDIR/$SIG.jwk
\f[]
.fi
.PP
Tang can also perform entirely offline encryption if you pre\-share the
server advertisement.
You can fetch the advertisement with a simple command (just be careful
your network isn\[aq]t compromised!):
.IP
.nf
\f[C]
$\ curl\ \-f\ $URL/adv\ >\ adv.jws
\f[]
.fi
.PP
Once you have the advertisement file, just provide it:
.IP
.nf
\f[C]
$\ clevis\ encrypt\ tang\ \[aq]{"url":...,"adv":"adv.jws"}\[aq]\ <\ PT\ >\ JWE
\f[]
.fi
.SH CONFIG
.PP
This command uses the following configuration properties:
.IP \[bu] 2
\f[C]url\f[] (string) : The base URL of the Tang server (REQUIRED)
.IP \[bu] 2
\f[C]thp\f[] (string) : The thumbprint of a trusted signing key
.IP \[bu] 2
\f[C]adv\f[] (string) : A filename containing a trusted advertisement
.IP \[bu] 2
\f[C]adv\f[] (object) : A trusted advertisement (raw JSON)
.SH SEE ALSO
.PP
\f[C]clevis\-decrypt\f[](1)
.SH AUTHORS
Nathaniel McCallum <npmccallum@redhat.com>.
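An added example, not part of the man page or of the Clevis/Tang code: a sketch of what a `thp` pin compares against, computing an RFC 7638 JWK thumbprint and checking whether a key set contains a signing key with the pinned value. It assumes SHA-1 for 27-character thumbprints (the length of the one shown above, which decodes to 20 bytes) and SHA-256 for 43-character ones; the function names and the sample keys are constructed for illustration. It checks the pin only and does not verify the advertisement's JWS signature.

```python
import base64
import hashlib
import hmac
import json

# Members that enter the hash, per key type (RFC 7638, section 3.2).
REQUIRED = {"EC": ("crv", "kty", "x", "y"),
            "RSA": ("e", "kty", "n"),
            "oct": ("k", "kty")}


def jwk_thumbprint(jwk, hash_name="sha1"):
    """Hash only the required members, sorted by name, with no whitespace."""
    canonical = json.dumps({m: jwk[m] for m in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.new(hash_name, canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pinned_key_present(jwk_set, thp):
    """True if a key usable for "verify" in jwk_set has thumbprint thp."""
    # Assumption: infer the hash from the pin length (27 -> SHA-1, 43 -> SHA-256).
    hash_name = {27: "sha1", 43: "sha256"}.get(len(thp))
    if hash_name is None:
        raise ValueError("unexpected thumbprint length: %d" % len(thp))
    found = False
    for key in jwk_set.get("keys", []):
        # Exchange (deriveKey) keys must never satisfy a signing-key pin.
        if "verify" not in key.get("key_ops", []):
            continue
        if hmac.compare_digest(jwk_thumbprint(key, hash_name), thp):
            found = True
    return found


# Constructed sample keys: the coordinates are placeholders, not curve points.
SIG_KEY = {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"],
           "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}
EXC_KEY = {"kty": "EC", "crv": "P-521", "alg": "ECMR", "key_ops": ["deriveKey"],
           "x": "ZXhjaGFuZ2UteA", "y": "ZXhjaGFuZ2UteQ"}
SAMPLE_KEYS = {"keys": [EXC_KEY, SIG_KEY]}

if __name__ == "__main__":
    pin = jwk_thumbprint(SIG_KEY)
    print(pin, pinned_key_present(SAMPLE_KEYS, pin))
```

Because optional members such as `alg` and `key_ops` are excluded from the hash, the thumbprint identifies the key material itself, so the same pin holds whether it is computed from the server's key file or from the public key in an advertisement.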