Provided by: clevis_8-1ubuntu0.2_amd64 bug

NAME

       clevis-encrypt-tang -- Encrypts using a Tang binding server policy

SYNOPSIS

       clevis encrypt tang CONFIG < PT > JWE

OVERVIEW

       The  clevis encrypt tang  command  encrypts  using a Tang binding server policy.  Its only
       argument is the JSON configuration object.

       Clevis provides support for the Tang network binding server.  Tang provides  a  stateless,
       lightweight alternative to escrows.  Encrypting data using the Tang pin works like this:

              $ clevis encrypt tang '{"url":"http://tang.srv"}' < PT > JWE
              The advertisement contains the following signing keys:

              _OsIk0T-E2l6qjfdDiwVmidoZjA

              Do you wish to trust these keys? [ynYN] y

       To decrypt the data, just pass it to the clevis decrypt command:

              $ clevis decrypt < JWE > PT

       As  you  can  see above, Tang utilizes a trust-on-first-use workflow.  If you already know
       the thumbprint of a trusted key, you can specify it in  the  configuration  at  encryption
       time:

              $ cfg='{"url":"http://tang.srv","thp":"_OsIk0T-E2l6qjfdDiwVmidoZjA"}'
              $ clevis encrypt tang "$cfg" < PT > JWE

       Obtaining the thumbprint of a trusted signing key is easy.  If you have access to the Tang
       server's database directory, simply do:

              $ jose jwk thp -i $DBDIR/$SIG.jwk

       Tang  can  also  perform  entirely  offline  encryption  if  you  pre-share   the   server
       advertisement.   You  can  fetch  the advertisement with a simple command (just be careful
       your network isn't compromised!):

              $ curl -f $URL/adv > adv.jws

       Once you have the advertisement file, just provide it:

              $ clevis encrypt tang '{"url":...,"adv":"adv.jws"}' < PT > JWE

CONFIG

       This command uses the following configuration properties:

       • url (string) : The base URL of the Tang server (REQUIRED)

       • thp (string) : The thumbprint of a trusted signing key

       • adv (string) : A filename containing a trusted advertisement

       • adv (object) : A trusted advertisement (raw JSON)

SEE ALSO

       clevis-decrypt(1)

AUTHORS

       Nathaniel McCallum <npmccallum@redhat.com>.

                                          Sepember 2017                    CLEVIS-ENCRYPT-TANG(1)