'\" t
.\"     Title: clevis-encrypt-sss
.\"    Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\"      Date: 03/30/2024
.\"    Manual: \ \&
.\"    Source: \ \&
.\"  Language: English
.\"
.TH "CLEVIS\-ENCRYPT\-SSS" "1" "03/30/2024" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
clevis-encrypt-sss \- Encrypts using a Shamir\*(Aqs Secret Sharing policy
.SH "SYNOPSIS"
.sp
\fBclevis encrypt sss\fR CONFIG [\-y] < PT > JWE
.SH "OVERVIEW"
.sp
The \fBclevis encrypt sss\fR command encrypts using a Shamir\(cqs Secret Sharing policy\&. Its only positional argument is the JSON configuration object\&.
.sp
Shamir\(cqs Secret Sharing (SSS) provides a way to mix pins together to create sophisticated unlocking and high\-availability policies\&. SSS is a thresholding scheme\&. It creates a key and divides it into a number of pieces\&. Each piece is encrypted using another pin (possibly even SSS recursively)\&. Additionally, you define the threshold \fBt\fR\&. If at least \fBt\fR pieces can be decrypted, then the encryption key can be recovered and decryption can succeed; fewer than \fBt\fR pieces reveal nothing about the key\&.
.sp
For example, let\(cqs create a high\-availability setup using Tang:
.sp
.if n \{\
.RS 4
.\}
.nf
$ cfg=\*(Aq{"t":1,"pins":{"tang":[{"url":\&.\&.\&.},{"url":\&.\&.\&.}]}}\*(Aq
$ clevis encrypt sss "$cfg" < PT > JWE
.fi
.if n \{\
.RE
.\}
.sp
In this policy, we are declaring that we have a threshold of 1, but that there are multiple key fragments encrypted using different Tang servers\&. Since our threshold is 1, so long as any one of the Tang servers is available, decryption will succeed\&. This trades strength for availability: any single fragment recovers the key, so the policy is only as strong as the weakest Tang server\&. A threshold of 2 across the same two servers would require both of them and give no redundancy\&. As always, decryption is simply:
.sp
.if n \{\
.RS 4
.\}
.nf
$ clevis decrypt < JWE > PT
.fi
.if n \{\
.RE
.\}
.SH "CONFIG"
.sp
This command uses the following configuration properties:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBt\fR (integer) : Number of key fragments that must be decrypted to recover the key (REQUIRED)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBpins\fR (object) : Pins used for encrypting fragments (REQUIRED)
.RE
.sp
The format of the \fBpins\fR property is as follows:
.sp
.if n \{\
.RS 4
.\}
.nf
{PIN:CFG,\&.\&.\&.}
OR
{PIN:[CFG,CFG,\&.\&.\&.],\&.\&.\&.}
.fi
.if n \{\
.RE
.\}
.sp
When the list version of the format is used, each configuration in the list receives its own key fragment, so several pins of the same type (for example, several Tang servers) each hold one\&. A policy whose threshold \fBt\fR exceeds the total number of fragments can never be decrypted\&.
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-y\fR : Automatically answer yes for all questions\&. For the \fItang\fR pin, it will skip the advertisement trust check, which can be useful in automated deployments:
.sp
.if n \{\
.RS 4
.\}
.nf
$ cfg=\*(Aq{"t":1,"pins":{"tang":[{"url":\&.\&.\&.},{"url":\&.\&.\&.}]}}\*(Aq
$ clevis encrypt sss "$cfg" \-y < PT > JWE
.fi
.if n \{\
.RE
.\}
.sp
Skipping the check means the advertisement returned by each Tang server is trusted exactly as received, so anyone able to answer for a server at encryption time could substitute their own keys\&. To run unattended without giving up verification, supply a trusted signing\-key thumbprint (\fBthp\fR) or a pre\-fetched advertisement (\fBadv\fR) in each Tang pin\(cqs configuration, as described in \fBclevis\-encrypt\-tang\fR(1)\&.
.RE
.SH "SEE ALSO"
.sp
\fBclevis\-encrypt\-tang\fR(1), \fBclevis\-decrypt\fR(1)
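.SH "EXAMPLE"
.sp
The following POSIX shell script is an added example for this page and is not part of clevis\&. It assembles a nested policy of the kind the OVERVIEW mentions (a threshold of 2 over a tpm2 fragment and an inner SSS policy of threshold 1 over two Tang servers) from NAME/CFG pairs, grouping repeated pin names into the list form shown under CONFIG, and refuses a threshold that exceeds the number of fragments\&. The Tang URLs and the tpm2 \fBpcr_ids\fR value are placeholders, and the \fBsss_cfg\fR and \fBha_policy\fR function names are the example\(cqs own\&.

```shell
#!/bin/sh
# Added example for this man page, not part of clevis: build a nested SSS
# policy for "clevis encrypt sss" from NAME/CFG pairs instead of hand-editing
# JSON, grouping repeated pin names into the list form and refusing a
# threshold that the fragment count can never satisfy.  The Tang URLs and the
# tpm2 PCR selection below are placeholders constructed for the example.

# sss_cfg T NAME CFG [NAME CFG ...]
# Prints {"t":T,"pins":{...}}.  Each NAME/CFG pair is one key fragment; the
# same NAME given more than once becomes {"NAME":[CFG,CFG,...]}.  Returns 1
# (printing nothing) when T is not an integer in 1..<number of fragments>:
# with fewer than T recoverable fragments the key could never be rebuilt.
# CFG values must already be valid JSON; they are inserted verbatim.
sss_cfg() {
  t=$1
  shift
  case $t in '' | *[!0-9]*) return 1 ;; esac
  [ $(( $# % 2 )) -eq 0 ] || return 1
  n=$(( $# / 2 ))
  [ "$t" -ge 1 ] && [ "$t" -le "$n" ] || return 1
  pins=""
  seen=" "
  while [ $# -ge 2 ]; do
    name=$1
    case $seen in
      *" $name "*) shift 2; continue ;;   # this pin name was already emitted
    esac
    seen="$seen$name "
    # Collect every CFG given for this pin name, in argument order.
    vals=""
    count=0
    want_name=1
    for arg in "$@"; do
      if [ "$want_name" -eq 1 ]; then
        cur=$arg
        want_name=0
      else
        want_name=1
        if [ "$cur" = "$name" ]; then
          vals="${vals:+$vals,}$arg"
          count=$((count + 1))
        fi
      fi
    done
    if [ "$count" -eq 1 ]; then
      entry="\"$name\":$vals"       # single pin of this type: {PIN:CFG}
    else
      entry="\"$name\":[$vals]"     # several pins of one type: {PIN:[CFG,...]}
    fi
    pins="${pins:+$pins,}$entry"
    shift 2
  done
  printf '{"t":%d,"pins":{%s}}' "$t" "$pins"
}

# ha_policy URL1 URL2
# Worked policy: the key is recoverable only when the local TPM fragment AND
# at least one of two Tang servers are available, i.e.
# t=2 of { tpm2, sss(t=1 of { tang, tang }) }.  The inner SSS policy is
# itself a pin, which is what "possibly even SSS recursively" means.
ha_policy() {
  tang_ha=$(sss_cfg 1 tang "{\"url\":\"$1\"}" tang "{\"url\":\"$2\"}") || return 1
  sss_cfg 2 tpm2 '{"pcr_ids":"7"}' sss "$tang_ha"
}

# Usage: print the policy.  The clevis invocation is left as a comment because
# it needs live Tang servers and a TPM, which this example does not assume.
cfg=$(ha_policy http://tang1.example http://tang2.example) && printf '%s\n' "$cfg"
#   clevis encrypt sss "$cfg" < PT > JWE
```

Each NAME/CFG pair is one fragment, so the fragment count is simply half the argument count; this is what lets the script reject an impossible threshold before clevis is ever run\&. Because the inner policy is a single pin at the outer level, the Tang redundancy does not weaken the requirement that the TPM fragment be present\&.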