CLEVIS-ENCRYPT-TANG(1)                                  CLEVIS-ENCRYPT-TANG(1)


NAME

       clevis-encrypt-tang -- Encrypts using a Tang binding server policy


SYNOPSIS

       clevis encrypt tang CONFIG < PT > JWE


OVERVIEW

       The clevis encrypt tang command encrypts using a Tang  binding  server
       policy.  Its only argument is the JSON configuration object.

       Clevis provides support for the Tang network binding server.  Tang pro‐
       vides a stateless, lightweight alternative to escrows.  Encrypting data
       using the Tang pin works like this:

              $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
              The advertisement contains the following signing keys:

              _OsIk0T-E2l6qjfdDiwVmidoZjA

              Do you wish to trust these keys? [ynYN] y

       To decrypt the data, just pass it to the clevis decrypt command:

              $ clevis decrypt < JWE > PT

       As you can see above, Tang utilizes a trust-on-first-use workflow.   If
       you already know the thumbprint of a trusted key, you can specify it in
       the configuration at encryption time:

              $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}'
              $ clevis encrypt tang "$cfg" < PT > JWE

       Obtaining the thumbprint of a trusted signing key is easy.  If you have
       access to the Tang server's database directory, simply do:

              $ jose jwk thp -i $DBDIR/$SIG.jwk

       Tang  can also perform entirely offline encryption if you pre-share the
       server advertisement.  You can fetch the advertisement with  a  simple
       command (just be careful your network isn't compromised!):

              $ curl -f $URL/adv > adv.jws

       Once you have the advertisement file, just provide it:

              $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE


CONFIG

       This command uses the following configuration properties:

       · url (string) : The base URL of the Tang server (REQUIRED)

       · thp (string) : The thumbprint of a trusted signing key

       · adv (string) : A filename containing a trusted advertisement

       · adv (object) : A trusted advertisement (raw JSON)

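       The OVERVIEW and CONFIG sections above describe two ways to avoid the
       trust-on-first-use prompt: pin a signing-key thumbprint with thp, or
       pre-share the advertisement with adv.  The following Python example is
       added here and is not part of clevis, jose or this page.  It computes
       the RFC 7638 thumbprint that jose jwk thp prints (the 27-character
       thumbprint shown above is a 20-byte SHA-1 digest, so both S1 and S256
       are accepted; that newer jose defaults to S256 is an assumption), pulls
       the signing keys out of a compact-serialised advertisement, checks a
       configured thp against them, and builds the CONFIG JSON.  The sample
       advertisement, its key coordinates and its signature are constructed
       placeholders, and the example does not verify the JWS signature, which
       clevis itself does via jose.

```python
import base64
import hashlib
import json


# Base64url helpers in the JWS style (no '=' padding).
def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# RFC 7638: hash the JSON object holding only the required public members,
# member names in lexicographic order, no whitespace.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def canonical_jwk(jwk: dict) -> str:
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict, alg: str = "S256") -> str:
    """Thumbprint as printed by `jose jwk thp`: base64url(hash(canonical JSON)).
    S1 (SHA-1) and S256 (SHA-256) are both supported here."""
    digest = {"S1": hashlib.sha1, "S256": hashlib.sha256}[alg]
    return b64url_encode(digest(canonical_jwk(jwk).encode("utf-8")).digest())


def adv_keys(adv_jws: str) -> list:
    """Return the JWK set carried by a compact-serialised advertisement.
    The JWS signature is NOT verified here (clevis verifies it with jose)."""
    parts = adv_jws.split(".")
    if len(parts) != 3:
        raise ValueError("advertisement is not a compact JWS")
    return json.loads(b64url_decode(parts[1]))["keys"]


def signing_keys(keys: list) -> list:
    """Only keys advertised with the 'verify' operation are signing keys."""
    return [k for k in keys if "verify" in k.get("key_ops", [])]


def thp_matches(adv_jws: str, thp: str) -> bool:
    """True if thp is the thumbprint of an advertised signing key under S1 or S256."""
    for key in signing_keys(adv_keys(adv_jws)):
        if any(jwk_thumbprint(key, alg) == thp for alg in ("S1", "S256")):
            return True
    return False


def tang_config(url: str, thp: str = None, adv: str = None) -> str:
    """Build the JSON CONFIG argument for `clevis encrypt tang`."""
    cfg = {"url": url}
    if thp is not None:
        cfg["thp"] = thp
    if adv is not None:
        cfg["adv"] = adv
    return json.dumps(cfg, separators=(",", ":"))


# Constructed sample advertisement: coordinates and signature are placeholders,
# not real Tang key material.
SAMPLE_SIGNING_KEY = {"alg": "ES512", "kty": "EC", "crv": "P-521",
                      "x": "placeholder-x", "y": "placeholder-y",
                      "key_ops": ["verify"]}
SAMPLE_DERIVE_KEY = {"alg": "ECMR", "kty": "EC", "crv": "P-521",
                     "x": "placeholder-x2", "y": "placeholder-y2",
                     "key_ops": ["deriveKey"]}


def build_sample_adv() -> str:
    header = b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}')
    payload = b64url_encode(json.dumps(
        {"keys": [SAMPLE_SIGNING_KEY, SAMPLE_DERIVE_KEY]},
        separators=(",", ":")).encode("utf-8"))
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"


if __name__ == "__main__":
    adv = build_sample_adv()
    pinned = jwk_thumbprint(SAMPLE_SIGNING_KEY, "S1")
    print("trusted thp:", pinned)
    print("matches advertisement:", thp_matches(adv, pinned))
    print("config:", tang_config("http://tang.srv", thp=pinned))
```

       Only keys with the verify operation are candidates for thp; the key
       derivation (ECMR) key in the same advertisement is deliberately not
       matched, which mirrors the page's statement that thp names a trusted
       signing key.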

SEE ALSO

       clevis-decrypt(1)


AUTHORS

       Nathaniel McCallum <npmccallum@redhat.com>.



                                September 2017          CLEVIS-ENCRYPT-TANG(1)