1CLEVIS-ENCRYPT-SSS(1) CLEVIS-ENCRYPT-SSS(1)
2
6 clevis-encrypt-sss -- Encrypts using a Shamir's Secret Sharing policy
7
9 clevis encrypt sss CONFIG < PT > JWE
10
12 The clevis encrypt sss command encrypts using a Shamir's Secret Sharing
13 policy. Its only argument is the JSON configuration object.
14 Shamir's Secret Sharing (SSS) provides a way to mix pins together to
16 create sophisticated unlocking and high availability policies. SSS is
17 a thresholding scheme. It creates a key and divides it into a number
18 of pieces. Each piece is encrypted using another pin (possibly even
19 SSS recursively). Additionally, you define the threshold t. If at
20 least t pieces can be decrypted, then the encryption key can be recov‐
21 ered and decryption can succeed.
22 For example, let's create a high-availability setup using Tang:
24 $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
26 $ clevis encrypt sss "$cfg" < PT > JWE
27 In this policy, we are declaring that we have a threshold of 1, but
29 that there are multiple key fragments encrypted using different Tang
30 servers. Since our threshold is 1, so long as any of the Tang servers
31 are available, decryption will succeed. As always, decryption is sim‐
32 ply:
33 $ clevis decrypt < JWE > PT
35
37 This command uses the following configuration properties:
38 · t (integer) : Number of pins required for decryption (REQUIRED)
40 · pins (object) : Pins used for encrypting fragments (REQUIRED)
42 The format of the pins property is as follows:
44 {PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}
46 When the list version of the format is used, multiple pins of that type
48 will receive key fragments.
49
51 clevis-encrypt-http(1), clevis-encrypt-tang(1), clevis-decrypt(1)
52
54 Nathaniel McCallum <npmccallum@redhat.com>.
55 Sepember 2017 CLEVIS-ENCRYPT-SSS(1)