'\" t
.\"     Title: clevis-encrypt-tang
.\"    Author: [see the "AUTHOR(S)" section]
.\" Generator: Asciidoctor 2.0.20
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "CLEVIS\-ENCRYPT\-TANG" "1" "" "\ \&" "\ \&"
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.ss \n[.ss] 0
.nh
.ad l
.de URL
\fI\\$2\fP <\\$1>\\$3
..
.als MTO URL
.if \n[.g] \{\
.  mso www.tmac
.  am URL
.    ad l
.  .
.  am MTO
.    ad l
.  .
.  LINKSTYLE blue R < >
.\}
.SH "NAME"
clevis-encrypt-tang \- Encrypts using a Tang binding server policy
.SH "SYNOPSIS"
.sp
\fBclevis encrypt tang\fP CONFIG [\-y] < PT > JWE
.SH "OVERVIEW"
.sp
The \fBclevis encrypt tang\fP command encrypts using a Tang binding server policy. Its only argument is the JSON configuration object.
.sp
Clevis provides support for the Tang network binding server. Tang provides a stateless, lightweight alternative to escrows. Encrypting data using the Tang pin works like this:
.sp
.if n .RS 4
.nf
.fam C
$ clevis encrypt tang \*(Aq{"url":"http://tang.srv"}\*(Aq < PT > JWE
The advertisement contains the following signing keys:

_OsIk0T\-E2l6qjfdDiwVmidoZjA

Do you wish to trust these keys? [ynYN] y
.fam
.fi
.if n .RE
.sp
To decrypt the data, just pass it to the \fBclevis decrypt\fP command:
.sp
.if n .RS 4
.nf
.fam C
$ clevis decrypt < JWE > PT
.fam
.fi
.if n .RE
.sp
As you can see above, Tang utilizes a trust\-on\-first\-use workflow: the keys listed come from the advertisement the server returned over the network, and answering "y" is what establishes trust in them. If you already know the thumbprint of a trusted signing key, you can specify it in the configuration at encryption time; no prompt is shown, and encryption proceeds only if a key with that thumbprint signed the advertisement:
.sp
.if n .RS 4
.nf
.fam C
$ cfg=\*(Aq{"url":"http://tang.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\*(Aq
$ clevis encrypt tang "$cfg" < PT > JWE
.fam
.fi
.if n .RE
.sp
Obtaining the thumbprint of a trusted signing key is easy. If you have access to the Tang server, simply execute:
.sp
.if n .RS 4
.nf
.fam C
$ tang\-show\-keys
.fam
.fi
.if n .RE
.sp
giving the port that the Tang server is listening on as its argument.
.sp
If \fBtang\-show\-keys\fP is not available, but you have access to the Tang server\(cqs database directory, you can compute the thumbprint directly from the signing key file instead:
.sp
.if n .RS 4
.nf
.fam C
$ jose jwk thp \-i $DBDIR/$SIG.jwk
.fam
.fi
.if n .RE
.sp
Tang can also perform entirely offline encryption if you pre\-share the server advertisement. You can fetch the advertisement with a simple command (just be careful your network isn\(cqt compromised: the advertisement is what the encryption will trust, so fetch it over a path you control and check its signing key thumbprint against one obtained from the server before relying on it):
.sp
.if n .RS 4
.nf
.fam C
$ curl \-f $URL/adv > adv.jws
.fam
.fi
.if n .RE
.sp
Once you have the advertisement file, just provide it:
.sp
.if n .RS 4
.nf
.fam C
$ clevis encrypt tang \*(Aq{"url":...,"adv":"adv.jws"}\*(Aq < PT > JWE
.fam
.fi
.if n .RE
.SH "CONFIG"
.sp
This command uses the following configuration properties:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBurl\fP (string) : The base URL of the Tang server (REQUIRED)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBthp\fP (string) : The thumbprint of a trusted signing key
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBadv\fP (string) : A filename containing a trusted advertisement
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fBadv\fP (object) : A trusted advertisement (raw JSON)
.RE
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.  sp -1
.  IP \(bu 2.3
.\}
\fB\-y\fP : Automatically answer yes for all questions. Use this option for skipping the advertisement trust check. This can be useful in automated deployments:
.sp
.if n .RS 4
.nf
.fam C
$ clevis encrypt tang \*(Aq{"url":...}\*(Aq \-y < PT > JWE
.fam
.fi
.if n .RE
.sp
Note that with \fB\-y\fP and neither \fBthp\fP nor \fBadv\fP configured, whatever keys the server (or anything able to answer in its place on the network) advertises are trusted without review. In automated deployments, pin the expected signing key with \fBthp\fP or pre\-share the advertisement with \fBadv\fP, so that \fB\-y\fP only suppresses the prompt rather than the trust decision.
.RE
.SH "SEE ALSO"
.sp
.URL "clevis\-decrypt.1.adoc" "\fBclevis\-decrypt\fP(1)" ""
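.SH "EXAMPLE"
.sp
The trust decision described in OVERVIEW and the \fBthp\fP property, as an added example that is not part of clevis or of this manual: a stdlib\-only Python script that decodes a Tang advertisement (a flattened JSON JWS whose payload is a JWK Set), selects the signing keys (those whose \fBkey_ops\fP include \fBverify\fP), computes their RFC 7638 thumbprints, and checks a pinned \fBthp\fP against them. The advertisement, both keys and the signature are constructed placeholders, not real Tang output. Accepting both the 43\-character SHA\-256 form and the 27\-character SHA\-1 form shown earlier on this page is an assumption about how current clevis compares pins. Verification of the JWS signature itself, which clevis performs with \fBjose jws ver\fP before trusting the payload, is left out because it needs a crypto library.

```python
# Added example (not clevis's own code): the key-pinning check that
# `clevis encrypt tang` applies to a Tang advertisement, run against a
# constructed advertisement so it works offline with the Python stdlib.
import base64
import hashlib
import json

# Members that RFC 7638 hashes for each key type, in lexicographic order.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 thumbprint: hash of the canonical JSON of the required members.

    'sha256' gives the 43-character form current clevis prints; 'sha1' gives
    the 27-character form seen in older output such as the manual's example.
    Optional members (kid, alg, key_ops, ...) do not affect the value.
    """
    try:
        members = THUMBPRINT_MEMBERS[jwk["kty"]]
    except KeyError as exc:
        raise ValueError(f"unsupported or missing kty: {exc}") from None
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.new(hash_name, canonical.encode("utf-8")).digest())


def advertisement_keys(adv: dict) -> list:
    """Decode the JWS payload of a Tang advertisement: a JWK Set."""
    return json.loads(b64url_decode(adv["payload"]))["keys"]


def signing_keys(adv: dict) -> list:
    """Keys usable for 'verify', i.e. the keys that sign the advertisement."""
    return [k for k in advertisement_keys(adv) if "verify" in k.get("key_ops", [])]


def find_pinned_signing_key(adv: dict, thp: str):
    """Return the signing JWK whose thumbprint equals the pinned thp, or None.

    Both hash forms are accepted (assumed to mirror clevis, which compares its
    default SHA-256 thumbprint and falls back to SHA-1 for older pins). Only
    signing keys qualify: a pin naming the exchange key is not a trust decision.
    """
    for key in signing_keys(adv):
        if thp in (jwk_thumbprint(key, "sha256"), jwk_thumbprint(key, "sha1")):
            return key
    return None


def trust_prompt_lines(adv: dict) -> list:
    """What the interactive prompt lists when no thp is configured."""
    return [jwk_thumbprint(k) for k in signing_keys(adv)]


# Constructed sample advertisement (not real Tang output). The coordinates are
# placeholder base64url strings rather than real P-521 points, so the JWS
# signature below is a dummy and cannot be verified; real clevis verifies it
# with `jose jws ver` before trusting anything in the payload.
EXCHANGE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
                "x": b64url_encode(b"\x01" * 66), "y": b64url_encode(b"\x02" * 66)}
SIGNING_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
               "x": b64url_encode(b"\x03" * 66), "y": b64url_encode(b"\x04" * 66)}
ADV = {
    "protected": b64url_encode(json.dumps({"alg": "ES512", "cty": "jwk-set+json"}).encode()),
    "payload": b64url_encode(json.dumps({"keys": [EXCHANGE_KEY, SIGNING_KEY]}).encode()),
    "signature": b64url_encode(b"\x00" * 132),
}

if __name__ == "__main__":
    print("The advertisement contains the following signing keys:")
    for line in trust_prompt_lines(ADV):
        print(" ", line)
    pin = jwk_thumbprint(SIGNING_KEY)
    print("pinned signing key accepted:", find_pinned_signing_key(ADV, pin) is not None)
    print("pin naming the exchange key accepted:",
          find_pinned_signing_key(ADV, jwk_thumbprint(EXCHANGE_KEY)) is not None)
```

Running the script prints the same kind of prompt line that \fBclevis encrypt tang\fP shows, then demonstrates the point of \fBthp\fP: a thumbprint that belongs to the exchange key, or to any key that did not sign the advertisement, is rejected, so a pin names a signer rather than merely a key that happens to appear in the advertisement.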