CLEVIS-ENCRYPT-TANG(1)                                  CLEVIS-ENCRYPT-TANG(1)

NAME

       clevis-encrypt-tang - Encrypts using a Tang binding server policy


SYNOPSIS

       clevis encrypt tang CONFIG [-y] < PT > JWE


OVERVIEW

       The clevis encrypt tang command encrypts using a Tang binding server
       policy. Its only argument is the JSON configuration object.

       Clevis provides support for the Tang network binding server. Tang
       provides a stateless, lightweight alternative to escrows. Encrypting
       data using the Tang pin works like this:

           $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
           The advertisement contains the following signing keys:

           _OsIk0T-E2l6qjfdDiwVmidoZjA

           Do you wish to trust these keys? [ynYN] y

       To decrypt the data, just pass it to the clevis decrypt command:

           $ clevis decrypt < JWE > PT

       As you can see above, Tang utilizes a trust-on-first-use workflow. If
       you already know the thumbprint of a trusted key, you can specify it in
       the configuration at encryption time:

           $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}'
           $ clevis encrypt tang "$cfg" < PT > JWE

       Obtaining the thumbprint of a trusted signing key is easy. If you have
       access to the Tang server, simply execute:

           $ tang-show-keys <PORT>

       where <PORT> is the port that the Tang server is listening on.

       If tang-show-keys is not available, but you have access to the Tang
       server's database directory, you can execute this instead:

           $ jose jwk thp -i $DBDIR/$SIG.jwk

       Tang can also perform entirely offline encryption if you pre-share the
       server advertisement. You can fetch the advertisement with a simple
       command (just be careful your network isn't compromised!):

           $ curl -f $URL/adv > adv.jws

       Once you have the advertisement file, just provide it:

           $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE


CONFIG

       This command uses the following configuration properties:

       url (string) : The base URL of the Tang server (REQUIRED)

       thp (string) : The thumbprint of a trusted signing key

       adv (string) : A filename containing a trusted advertisement

       adv (object) : A trusted advertisement (raw JSON)


OPTIONS

       -y : Automatically answer yes for all questions. Use this option
            for skipping the advertisement trust check. This can be useful in
            automated deployments:

                $ clevis encrypt tang '{"url":...}' -y < PT > JWE

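       The following is an added example and is not part of the clevis
       project or of this manual page. It is a small POSIX shell wrapper that
       builds the CONFIG object from the properties listed above and refuses
       to run an unattended encryption (-y) unless a thumbprint or a
       pre-shared advertisement is pinned, so that automation never silently
       trusts an unknown server key. The function names build_tang_cfg and
       tang_encrypt and the CLEVIS_ALLOW_TOFU variable are this example's own
       inventions; clevis(1) itself is only needed when tang_encrypt actually
       runs.

```shell
#!/bin/sh
# Added example, not clevis project code. Builds a clevis-encrypt-tang CONFIG
# that pins a known-good signing key instead of relying on trust-on-first-use.

# Emit the JSON configuration object on stdout.
#   $1 URL  base URL of the Tang server (REQUIRED)
#   $2 THP  thumbprint of a trusted signing key ("" to omit)
#   $3 ADV  path to a pre-shared advertisement file ("" to omit)
build_tang_cfg() {
  local url thp adv cfg
  url=$1; thp=${2:-}; adv=${3:-}
  [ -n "$url" ] || { echo "build_tang_cfg: url is required" >&2; return 1; }
  # The value is spliced into JSON verbatim, so reject characters that would
  # break out of the string literal.
  case "$url" in
    *\"*|*\\*) echo "build_tang_cfg: url contains a JSON-unsafe character" >&2; return 1 ;;
  esac
  cfg="{\"url\":\"$url\""
  if [ -n "$thp" ]; then
    # Thumbprints are unpadded base64url (as printed by tang-show-keys and
    # jose jwk thp); anything else is a copy/paste error, not a key.
    case "$thp" in
      *[!A-Za-z0-9_-]*) echo "build_tang_cfg: thp is not base64url" >&2; return 1 ;;
    esac
    cfg="$cfg,\"thp\":\"$thp\""
  fi
  if [ -n "$adv" ]; then
    # "adv" given as a string is a filename (the object form is not built here).
    [ -r "$adv" ] || { echo "build_tang_cfg: advertisement file '$adv' is not readable" >&2; return 1; }
    cfg="$cfg,\"adv\":\"$adv\""
  fi
  printf '%s\n' "$cfg}"
}

# Encrypt stdin to stdout with clevis. When a thp or adv is pinned, -y only
# suppresses the interactive prompt: clevis still matches the pin against the
# server's advertisement. Without a pin, -y would accept whatever key the
# network returns, so that path is gated behind an explicit opt-in variable.
tang_encrypt() {
  local cfg
  cfg=$(build_tang_cfg "$@") || return 1
  case "$cfg" in
    *'"thp"'*|*'"adv"'*)
      clevis encrypt tang "$cfg" -y ;;
    *)
      if [ "${CLEVIS_ALLOW_TOFU:-0}" = 1 ]; then
        clevis encrypt tang "$cfg" -y
      else
        echo "tang_encrypt: no thp/adv pinned; set CLEVIS_ALLOW_TOFU=1 to accept keys on first use" >&2
        return 1
      fi ;;
  esac
}

# Usage (pinned thumbprint taken from the manual's example):
#   tang_encrypt http://tang.srv _OsIk0T-E2l6qjfdDiwVmidoZjA < PT > JWE
# Usage (pre-shared advertisement, fully offline):
#   tang_encrypt http://tang.srv '' adv.jws < PT > JWE
```

       The pin is what turns the trust-on-first-use workflow into a verified
       one: obtain the thumbprint with tang-show-keys on the server, or fetch
       the advertisement over a channel you control, and carry that value into
       the configuration rather than answering the prompt (or -y) on the
       encrypting host.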

SEE ALSO

       clevis-decrypt(1)



                                 07/19/2023            CLEVIS-ENCRYPT-TANG(1)