jose-jwe-enc(1)
===============
:doctype: manpage

== NAME

jose-jwe-enc - Encrypts plaintext using one or more JWK/password

== SYNOPSIS

*jose jwe enc* [-i JWE] -I PT -k JWK [-p] [-r RCP] [-o JWE] [-O CT] [-c]

== OVERVIEW

The *jose jwe enc* command encrypts data using one or more JWK (*-k*) or
password (*-p*). When specifying more than one JWK or password, decryption
will succeed with any one of the provided keys.

A detached JWE can be created by specifying the *-O* option. In this case,
the decoded ciphertext will be written to the output specified and will not
be included in the JWE.

If only one key is used (*-k* or *-p*), the resulting JWE may be output in
JWE Compact Serialization by using the *-c* option.

This command uses a template-based approach for constructing a JWE. You can
specify templates of the JWE itself (*-i*) or for the JWE Recipient Object
(*-r*). Attributes specified in either of these templates will appear
unmodified in the output. One exception to this rule is that the JWE Protected
Header should be specified in its decoded form in the template. This command
will automatically encode it as part of the encryption process.

If you specify a JOSE Header Parameter (via either the *-i* or *-r* options)
that affects the construction of the JWE, this command will attempt to behave
according to this parameter as if it were configuration. For example,
specifying the "zip" parameter in the JWE Protected Header will cause the
plaintext to be compressed before encryption. Currently, *jose* will modify its
behavior for the "alg", "enc" and "zip" JOSE Header Parameters (see RFC 7516
Section 4.1.3), as well as the algorithm-specific parameters for the algorithms
we support (see RFC 7518 Section 4).

However, it is not necessary to provide any templates: *jose jwe enc* will
automatically fill in the "alg" and "enc" parameters by inferring the correct
algorithms from the provided input keys (JWK or password). Therefore, the *-i*
and *-r* options should generally be used for providing extended JWE metadata.

== OPTIONS

* *-i* _JSON_, *--input*=_JSON_ :
  Parse JWE from JSON

* *-i* _FILE_, *--input*=_FILE_ :
  Read JWE from FILE

* *-i* -, *--input*=- :
  Read JWE from standard input

* *-I* _FILE_, *--detached*=_FILE_ :
  Read decoded ciphertext from FILE

* *-I* -, *--detached*=- :
  Read decoded ciphertext from standard input

* *-r* _FILE_, *--recipient*=_FILE_ :
  Read JWE recipient template from FILE

* *-r* -, *--recipient*=- :
  Read JWE recipient template from standard input

* *-k* _FILE_, *--key*=_FILE_ :
  Read JWK(Set) from FILE

* *-k* -, *--key*=- :
  Read JWK(Set) from standard input

* *-p*, *--password* :
  Prompt for an encryption password

* *-o* _FILE_, *--output*=_FILE_ :
  Write JWE to FILE

* *-o* -, *--output*=- :
  Write JWE to stdout (default)

* *-O* _FILE_, *--detach*=_FILE_ :
  Detach ciphertext and decode to FILE

* *-O* -, *--detach*=- :
  Detach ciphertext and decode to standard output

* *-c*, *--compact* :
  Output JWE using compact serialization

== EXAMPLES

Encrypt data with a symmetric key using JWE JSON Serialization:

    $ jose jwk gen -i '{"alg":"A128GCM"}' -o key.jwk
    $ jose jwe enc -I msg.txt -k key.jwk -o msg.jwe

Encrypt data with a password using JWE Compact Serialization:

    $ jose jwe enc -I msg.txt -p -c -o msg.jwe
    Please enter an encryption password:
    Please re-enter the previous password:

Compress plaintext before encryption:

    $ jose jwe enc -i '{"protected":{"zip":"DEF"}}' ...

Encrypt with two keys and two passwords:

    $ jose jwk gen -i '{"alg":"ECDH-ES+A128KW"}' -o ec.jwk
    $ jose jwk gen -i '{"alg":"RSA1_5"}' -o rsa.jwk
    $ jose jwe enc -I msg.txt -p -k ec.jwk -p -k rsa.jwk -o msg.jwe
    Please enter a password:
    Please re-enter the previous password:
    Please enter a password:
    Please re-enter the previous password:
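
Because a JWE encrypted with several keys or passwords can be decrypted with any one of them, the audit below lists the merged header of every recipient in a JWE so each way in can be reviewed. It is an added example, not part of the jose project; the function names, the deny list and the sample JWE are assumptions constructed for illustration.

```python
import base64
import json

def b64url_decode(s):
    # JWE fields are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def recipient_headers(jwe_text):
    """Return the merged JOSE header of every recipient (RFC 7516 Section 7)."""
    jwe_text = jwe_text.strip()
    if not jwe_text.startswith("{"):            # Compact Serialization
        parts = jwe_text.split(".")
        if len(parts) != 5:
            raise ValueError("compact JWE must have five dot-separated parts")
        return [json.loads(b64url_decode(parts[0]))]
    jwe = json.loads(jwe_text)
    shared = dict(jwe.get("unprotected", {}))
    if "protected" in jwe:                      # stored encoded in the output
        shared.update(json.loads(b64url_decode(jwe["protected"])))
    # The flattened form keeps its single recipient's "header" at top level.
    recipients = jwe.get("recipients", [jwe])
    return [{**shared, **r.get("header", {})} for r in recipients]

DISCOURAGED_ALGS = {"RSA1_5"}  # assumed local policy, not enforced by jose

def audit(jwe_text):
    """Return (index, alg, enc, notes) for each key or password that can decrypt."""
    report = []
    for i, hdr in enumerate(recipient_headers(jwe_text)):
        alg = hdr.get("alg", "")
        notes = [text for hit, text in (
            (alg in DISCOURAGED_ALGS, "discouraged alg"),
            (alg.startswith("PBES2-"), "password recipient"),
            ("zip" in hdr, "compressed")) if hit]
        report.append((i, alg, hdr.get("enc"), notes))
    return report

# Constructed sample: four recipients, placeholder key and ciphertext fields.
SAMPLE = json.dumps({
    "protected": b64url_json({"enc": "A128CBC-HS256", "zip": "DEF"}),
    "recipients": [{"header": {"alg": a}, "encrypted_key": "AAAA"} for a in
                   ("ECDH-ES+A128KW", "RSA1_5", "PBES2-HS256+A128KW")],
    "iv": "AAAA", "ciphertext": "AAAA", "tag": "AAAA"})
```

Pass `audit()` the text of a file written with *-o*; it accepts Compact, flattened JSON and general JSON Serialization.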

== AUTHOR

Nathaniel McCallum <npmccallum@redhat.com>

== SEE ALSO

link:jose-jwe-dec.1.adoc[*jose-jwe-dec*(1)],
link:jose-jwe-fmt.1.adoc[*jose-jwe-fmt*(1)]