- .\" Automatically generated by Pandoc 1.19.1
- .\"
- .TH "CLEVIS\-ENCRYPT\-HTTP" "1" "September 2017" "" ""
- .hy
- .SH NAME
- .PP
- clevis\-encrypt\-http \-\- Encrypts using a REST HTTP escrow server
- policy
- .SH SYNOPSIS
- .PP
- \f[C]clevis\ encrypt\ http\f[] CONFIG < PT > JWE
- .SH OVERVIEW
- .PP
- The \f[C]clevis\ encrypt\ http\f[] command encrypts using a REST HTTP
- escrow server policy.
- Its only argument is the JSON configuration object.
- .PP
- When using the HTTP pin, we create a new, cryptographically\-strong,
- random key.
- This key is stored in a remote HTTP escrow server (using a simple PUT or
- POST).
- Then at decryption time, we attempt to fetch the key back again in order
- to decrypt our data.
- So, for our configuration we need to pass the URL to the key location:
- .IP
- .nf
- \f[C]
- $\ clevis\ encrypt\ http\ \[aq]{"url":"https://escrow.srv/1234"}\[aq]\ <\ PT\ >\ JWE
- \f[]
- .fi
- .PP
- To decrypt the data, simply provide the ciphertext (JWE):
- .IP
- .nf
- \f[C]
- $\ clevis\ decrypt\ <\ JWE\ >\ PT
- \f[]
- .fi
- .PP
- Notice that we did not pass any configuration during decryption.
- The decrypt command extracted the URL (and possibly other configuration)
- from the JWE object, fetched the encryption key from the escrow and
- performed decryption.
- .SH CONFIG
- .PP
- This command uses the following configuration properties:
- .IP \[bu] 2
- \f[C]url\f[] (string) : The URL where the key is stored (REQUIRED)
- .IP \[bu] 2
- \f[C]http\f[] (boolean) : Allow or disallow non\-TLS HTTP (default:
- false)
- .IP \[bu] 2
- \f[C]type\f[] (string) : The type of key to store (default:
- octet\-stream)
- .IP \[bu] 2
- \f[C]method\f[] (string) : The HTTP method to use (default: PUT)
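An added example, not part of the clevis project or this man page: a Python check of the properties listed under CONFIG, applied either to a CONFIG object or to every object with a `url` key found in the protected header of a compact JWE. The function names, the finding strings and the sample header (including its `example` key) are constructed for illustration; the header's real layout is not described on this page, so the code searches it rather than assuming one.

```python
import base64
import json
from urllib.parse import urlsplit

def audit_config(cfg):
    """Return findings for one http-pin CONFIG object (properties per CONFIG)."""
    url = cfg.get("url")
    if not isinstance(url, str) or not url:
        return ["url is REQUIRED and must be a non-empty string"]
    findings = []
    scheme = urlsplit(url).scheme.lower()
    allow_plain = cfg.get("http", False)   # documented default: false
    method = cfg.get("method", "PUT")      # documented default: PUT
    if scheme == "http" and allow_plain is not True:
        findings.append("non-TLS url, but http is not set to true")
    elif scheme == "http":
        findings.append("http: true, key travels to the escrow in cleartext")
    elif scheme != "https":
        findings.append(f"unexpected url scheme {scheme!r}")
    if method not in ("PUT", "POST"):      # the two methods OVERVIEW names
        findings.append(f"method {method!r} is neither PUT nor POST")
    return findings

def protected_header(jwe):
    """Decode the first dot-separated segment of a compact JWE (RFC 7516)."""
    seg = jwe.strip().split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def embedded_configs(node):
    """Yield every JSON object that has a 'url' key, at any nesting depth."""
    if isinstance(node, dict):
        if "url" in node:
            yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from embedded_configs(child)

def audit_jwe(jwe):
    """Map each escrow URL found in the JWE header to its findings."""
    return {str(c["url"]): audit_config(c)
            for c in embedded_configs(protected_header(jwe))}

# Constructed sample: only the header segment is meaningful, the rest is filler.
_hdr = {"alg": "dir", "example": {"http": {"url": "http://escrow.srv/1234"}}}
_seg = base64.urlsafe_b64encode(json.dumps(_hdr).encode()).decode().rstrip("=")
SAMPLE_JWE = _seg + "..iv.ct.tag"
print(audit_jwe(SAMPLE_JWE))
```

An empty findings list means the object passed every check; the header is readable without any key, so the same audit works on stored JWE files.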
- .SH SEE ALSO
- .PP
- \f[C]clevis\-decrypt\f[](1)
- .SH AUTHORS
- Nathaniel McCallum <npmccallum@redhat.com>.