'\" t
.\"     Title: clevis-encrypt-sss
.\"    Author: [see the "AUTHOR(S)" section]
.\" Generator: Asciidoctor 2.0.20
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "CLEVIS\-ENCRYPT\-SSS" "1" "" "\ \&" "\ \&"
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
.  mso www.tmac
.  am URL
.    ad l
.  .
.  am MTO
.    ad l
.  .
.  LINKSTYLE blue R < >
.\}
.SH "NAME"
clevis-encrypt-sss \- Encrypts using a Shamir\*(Aqs Secret Sharing policy
.SH "SYNOPSIS"
.sp
\fBclevis encrypt sss\fP CONFIG [\-y] < PT > JWE
.SH "OVERVIEW"
.sp
The \fBclevis encrypt sss\fP command encrypts using a Shamir\(cqs Secret Sharing policy. Its only positional argument is the JSON configuration object.
.sp
Shamir\(cqs Secret Sharing (SSS) provides a way to mix pins together to create sophisticated unlocking and high\-availability policies. SSS is a thresholding scheme: it generates a key and splits it into a number of pieces (fragments), and each fragment is encrypted using another pin (possibly SSS itself, recursively). Additionally, you define the threshold \fBt\fP. If at least \fBt\fP fragments can be decrypted, the key can be recovered and decryption succeeds; fewer than \fBt\fP fragments reveal nothing about the key.
.sp
For example, let\(cqs create a high\-availability setup using Tang:
.sp
.if n .RS 4
.nf
.fam C
$ cfg=\*(Aq{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\*(Aq
$ clevis encrypt sss "$cfg" < PT > JWE
.fam
.fi
.if n .RE
.sp
This policy declares a threshold of 1 with two key fragments, each encrypted using a different Tang server. Since the threshold is 1, decryption succeeds as long as any one of the Tang servers is reachable. The trade\-off is that any single Tang server is then also sufficient on its own to unwrap the key, so compromise of one server\(cqs keys exposes the data; raising \fBt\fP trades availability for that exposure. As always, decryption is simply:
.sp
.if n .RS 4
.nf
.fam C
$ clevis decrypt < JWE > PT
.fam
.fi
.if n .RE
.SH "CONFIG"
.sp
This command uses the following configuration properties:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBt\fP (integer) : Number of key fragments that must be decrypted to recover the key. It must be at least 1, and a threshold larger than the number of fragments produced by \fBpins\fP can never be satisfied (REQUIRED)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBpins\fP (object) : Pins used for encrypting fragments (REQUIRED)
.RE
.sp
The format of the \fBpins\fP property is as follows:
.sp
.if n .RS 4
.nf
.fam C
{PIN:CFG,...} OR {PIN:[CFG,CFG,...],...}
.fam
.fi
.if n .RE
.sp
PIN is a pin name (for example \fBtang\fP, or \fBsss\fP for a nested policy) and CFG is that pin\(cqs own configuration object. When the list version of the format is used, each configuration in the list receives its own key fragment, so several pins of the same type take part in the policy.
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fB\-y\fP : Automatically answer yes for all questions. For the \fItang\fP pin, it skips the advertisement trust check, which can be useful in automated deployments. That check is the point at which the server\(cqs advertised keys would normally be confirmed, so with \fB\-y\fP a server reached over an untrusted network could have its keys substituted unnoticed; use it only when the Tang servers in the policy are trusted by other means:
.sp
.if n .RS 4
.nf
.fam C
$ cfg=\*(Aq{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}\*(Aq
$ clevis encrypt sss "$cfg" \-y < PT > JWE
.fam
.fi
.if n .RE
.RE
.SH "SEE ALSO"
.sp
.URL "clevis\-encrypt\-tang.1.adoc" "\fBclevis\-encrypt\-tang\fP(1)" ","
.URL "clevis\-decrypt.1.adoc" "\fBclevis\-decrypt\fP(1)" ""
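.SH "EXAMPLE"
.sp
The following Python script is an added example and is not part of clevis. It takes a CONFIG object of the shape described under CONFIG and reports how many individual pin failures the policy survives before the key can no longer be recovered, recursing into nested \fBsss\fP pins. Its validation rules (\fBt\fP at least 1 and no larger than the fragment count) are this script\(cqs own reading of the threshold semantics described in OVERVIEW, not checks copied from clevis. The Tang URLs in the constructed policies are placeholders, and \fBtpm2\fP stands in for any non\-SSS pin (see \fBclevis\-encrypt\-tpm2\fP(1), which this page does not cover).

```python
"""Added example, not clevis code: analyze a clevis SSS policy object.

Mirrors the documented CONFIG shape, {PIN:CFG,...} or {PIN:[CFG,CFG,...],...}
plus the integer threshold "t", and computes how many individual (leaf) pins
may become unavailable before decryption is no longer possible. Nested "sss"
pins are handled recursively. The validation rules below are this script's
own reading of the threshold semantics, not checks copied from clevis.
"""
import json


def fragments(pins):
    """Flatten the pins object into (pin_name, cfg) pairs, one per fragment.

    A bare CFG object yields one fragment; a list of CFG objects yields one
    fragment per entry (the "list version" of the format).
    """
    out = []
    for pin, cfg in pins.items():
        for c in (cfg if isinstance(cfg, list) else [cfg]):
            if not isinstance(c, dict):
                raise ValueError(f"pin {pin!r}: every CFG must be a JSON object")
            out.append((pin, c))
    return out


def validate(cfg):
    """Check an sss CONFIG object and return (t, fragments)."""
    if not isinstance(cfg, dict):
        raise ValueError("CONFIG must be a JSON object")
    t = cfg.get("t")
    if isinstance(t, bool) or not isinstance(t, int) or t < 1:
        raise ValueError('"t" must be an integer >= 1')
    pins = cfg.get("pins")
    if not isinstance(pins, dict) or not pins:
        raise ValueError('"pins" must be a non-empty object')
    frags = fragments(pins)
    if t > len(frags):
        raise ValueError(f"t={t} exceeds the {len(frags)} fragment(s) produced")
    return t, frags


def failures_to_break(pin, cfg):
    """Minimum number of leaf pins that must fail before this fragment is lost.

    A leaf pin (tang, tpm2, ...) is lost after one failure. An sss pin is lost
    once more than (fragments - t) of its fragments are lost, so the cheapest
    attack on it takes out the (fragments - t + 1) fragments that are
    themselves cheapest to break.
    """
    if pin != "sss":
        return 1
    t, frags = validate(cfg)
    costs = sorted(failures_to_break(p, c) for p, c in frags)
    return sum(costs[: len(frags) - t + 1])


def tolerance(cfg_json):
    """Number of leaf pin failures a complete policy survives.

    cfg_json is the JSON text passed to `clevis encrypt sss`; 0 means a single
    outage already blocks decryption.
    """
    return failures_to_break("sss", json.loads(cfg_json)) - 1


# Constructed policies for illustration. The URLs are placeholders and tpm2
# stands in for any non-sss pin.
TANG_A = '{"url":"http://tang-a.example.invalid"}'
TANG_B = '{"url":"http://tang-b.example.invalid"}'
HA_TANG = f'{{"t":1,"pins":{{"tang":[{TANG_A},{TANG_B}]}}}}'           # any one Tang server
BOTH_TANG = f'{{"t":2,"pins":{{"tang":[{TANG_A},{TANG_B}]}}}}'         # both Tang servers
TPM_AND_HA_TANG = f'{{"t":2,"pins":{{"tpm2":{{}},"sss":{HA_TANG}}}}}'  # TPM plus any one Tang

if __name__ == "__main__":
    for name in ("HA_TANG", "BOTH_TANG", "TPM_AND_HA_TANG"):
        print(f"{name}: survives {tolerance(globals()[name])} pin failure(s)")
```

.sp
Run stand\-alone, the script reports that the high\-availability policy from OVERVIEW survives one Tang outage, that requiring both servers survives none, and that the variant which also requires a TPM survives none either: the TPM is a single point of failure even though the Tang servers behind the nested \fBsss\fP pin are redundant. A policy whose \fBt\fP exceeds its fragment count is rejected with a ValueError.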