1CLEVIS-ENCRYPT-SSS(1)                                    CLEVIS-ENCRYPT-SSS(1)
2
3
4

NAME

6       clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
7

SYNOPSIS

9       clevis encrypt sss CONFIG [-y] < PT > JWE
10

OVERVIEW

12       The clevis encrypt sss command encrypts using a Shamir’s Secret Sharing
13       policy. Its only argument is the JSON configuration object.
14
15       Shamir’s Secret Sharing (SSS) provides a way to mix pins together to
16       create sophisticated unlocking and high availability policies. SSS is a
17       thresholding scheme. It creates a key and divides it into a number of
18       pieces. Each piece is encrypted using another pin (possibly even SSS
19       recursively). Additionally, you define the threshold t. If at least t
20       pieces can be decrypted, then the encryption key can be recovered and
21       decryption can succeed.
22
23       For example, let’s create a high-availability setup using Tang:
24
25           $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
26           $ clevis encrypt sss "$cfg" < PT > JWE
27
28       In this policy, we are declaring that we have a threshold of 1, but
29       that there are multiple key fragments encrypted using different Tang
30       servers. Since our threshold is 1, so long as any of the Tang servers
31       are available, decryption will succeed. As always, decryption is
32       simply:
33
34           $ clevis decrypt < JWE > PT
35

CONFIG

37       This command uses the following configuration properties:
38
39t (integer) : Number of pins required for decryption (REQUIRED)
40
41pins (object) : Pins used for encrypting fragments (REQUIRED)
42
43       The format of the pins property is as follows:
44
45           {PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}
46
47       When the list version of the format is used, multiple pins of that type
48       will receive key fragments.
49

OPTIONS

51-y : Automatically answer yes for all questions. For the tang pin,
52           it will skip the advertisement trust check, which can be useful in
53           automated deployments:
54
55               $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
56               $ clevis encrypt sss "$cfg" -y < PT > JWE
57

SEE ALSO

59       clevis-encrypt-tang(1), clevis-decrypt(1)
60
61
62
63                                  10/29/2021             CLEVIS-ENCRYPT-SSS(1)
Impressum