1CLEVIS-ENCRYPT-SSS(1)                                    CLEVIS-ENCRYPT-SSS(1)
2
3
4

NAME

6       clevis-encrypt-sss -- Encrypts using a Shamir's Secret Sharing policy
7

SYNOPSIS

9       clevis encrypt sss CONFIG < PT > JWE
10

OVERVIEW

12       The clevis encrypt sss command encrypts using a Shamir's Secret Sharing
13       policy.  Its only argument is the JSON configuration object.
14
15       Shamir's Secret Sharing (SSS) provides a way to mix  pins  together  to
16       create  sophisticated unlocking and high availability policies.  SSS is
17       a thresholding scheme.  It creates a key and divides it into  a  number
18       of  pieces.   Each  piece is encrypted using another pin (possibly even
19       SSS recursively).  Additionally, you define the  threshold  t.   If  at
20       least  t pieces can be decrypted, then the encryption key can be recov‐
21       ered and decryption can succeed.
22
23       For example, let's create a high-availability setup using Tang:
24
25              $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
26              $ clevis encrypt sss "$cfg" < PT > JWE
27
28       In this policy, we are declaring that we have a  threshold  of  1,  but
29       that  there  are  multiple key fragments encrypted using different Tang
30       servers.  Since our threshold is 1, so long as any of the Tang  servers
31       are  available, decryption will succeed.  As always, decryption is sim‐
32       ply:
33
34              $ clevis decrypt < JWE > PT
35

CONFIG

37       This command uses the following configuration properties:
38
39       · t (integer) : Number of pins required for decryption (REQUIRED)
40
41       · pins (object) : Pins used for encrypting fragments (REQUIRED)
42
43       The format of the pins property is as follows:
44
45              {PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}
46
47       When the list version of the format is used, multiple pins of that type
48       will receive key fragments.
49

SEE ALSO

51       clevis-encrypt-http(1), clevis-encrypt-tang(1), clevis-decrypt(1)
52

AUTHORS

54       Nathaniel McCallum <npmccallum@redhat.com>.
55
56
57
58                                 Sepember 2017           CLEVIS-ENCRYPT-SSS(1)
Impressum