1JOSE-JWE-ENC(1) JOSE-JWE-ENC(1)
2
3
4
6 jose-jwe-enc - Encrypts plaintext using one or more JWK/password
7
9 jose jwe enc [-i JWE] -I PT -k JWK [-p] [-r RCP] [-o JWE] [-O CT] [-c]
10
12 The jose jwe enc command encrypts data using one or more JWK (-k) or
13 password (-p). When specifying more than one JWK or password, decryp‐
14 tion will succeed with any one of the provided keys.
15
16 A detached JWE can be created by specifying the -O option. In this
17 case, the decoded ciphertext will be written to the output specified
18 and will not be included in the JWE.
19
20 If only one key is used (-k or -p), the resulting JWE may be output in
21 JWE Compact Serialization by using the -c option.
22
23 This command uses a template based approach for constructing a JWE. You
24 can specify templates of the JWE itself (-i) or for the JWE Recipient
25 Object (-r). Attributes specified in either of these templates will
26 appear unmodified in the output. One exception to this rule is that the
27 JWE Protected Header should be specified in its decoded form in the
28 template. This command will automatically encode it as part of the
29 encryption process.
30
31 If you specify a JOSE Header Parameter (via either the -i or -r
32 options) that affects the construction of the JWE, this command will
33 attempt to behave according to this parameter as if it were configura‐
34 tion. For example, specifying the "zip" parameter in the JWE Protected
35 Header will cause the plaintext to be compressed before encryption.
36 Currently, jose will modify its behavior for the "alg", "enc" and "zip"
37 JOSE Header Parameters (see RFC 7516 Section 4.1.3), as well as the
38 algorithm-specific parameters for the algorithms we support (see RFC
39 7518 Section 4).
40
41 However, it is not necessary to provide any templates: jose jwe enc
42 will automatically fill in the "alg" and "enc" parameters by inferring
43 the correct algorithms from the provided input keys (JWK or password).
44 Therefore, the -i and -r options should generally be used for providing
45 extended JWE metadata.
46
48 -i JSON, --input=JSON
49 Parse JWE from JSON
50
51 -i FILE, --input=FILE
52 Read JWE from FILE
53
54 -i -, --input=-
55 Read JWE from standard input
56
57 -I FILE, --detached=FILE
58 Read decoded ciphertext from FILE
59
60 -I -, --detached=-
61 Read decoded ciphertext from standard input
62
63 -r FILE, --recipient=FILE
64 Read JWE recipient template from FILE
65
66 -r -, --recipient=-
67 Read JWE recipient template from standard input
68
69 -k FILE, --key=FILE
70 Read JWK(Set) from FILE
71
72 -k -, --key=-
73 Read JWK(Set) from standard input
74
75 -p, `--password
76 Prompt for an encryption password
77
78 -o FILE, --output=FILE
79 Write JWE to FILE
80
81 -o -, --output=-
82 Write JWE to stdout (default)
83
84 -O FILE, --detach=FILE
85 Detach ciphertext and decode to FILE
86
87 -O -, --detach=-
88 Detach ciphertext and decode to standard output
89
90 -c, --compact
91 Output JWE using compact serialization
92
94 Encrypt data with a symmetric key using JWE JSON Serialization:
95
96
97
98 $ jose jwk gen -i ´{"alg":"A128GCM"}´ -o key.jwk
99 $ jose jwe enc -I msg.txt -k key.jwk -o msg.jwe
100
101
102
103 Encrypt data with a password using JWE Compact Serialization:
104
105
106
107 $ jose jwe enc -I msg.txt -p -c -o msg.jwe
108 Please enter an encryption password:
109 Please re-enter the previous password:
110
111
112
113 Compress plaintext before encryption:
114
115
116
117 $ jose jwe enc -i ´{"protected":{"zip":"DEF"}}´ ...
118
119
120
121 Encrypt with two keys and two passwords: $ jose jwk gen -i
122 ´{"alg":"ECDH-ES+A128KW"}´ -o ec.jwk $ jose jwk gen -i
123 ´{"alg":"RSA1_5"}´ -o rsa.jwk $ jose jwe enc -I msg.txt -p -k ec.jwk -p
124 -k rsa.jwk -o msg.jwe Please enter a password: Please re-enter the pre‐
125 vious password: Please enter a password: Please re-enter the previous
126 password:
127
129 Nathaniel McCallum <npmccallum@redhat.com>
130
132 jose-jwe-dec(1), jose-jwe-fmt(1)
133
134
135
136 May 2017 JOSE-JWE-ENC(1)