'\" t
.\" Title: clevis-encrypt-tang
.\" Author: [FIXME: author] [see http://www.docbook.org/tdg5/en/html/author]
.\" Generator: DocBook XSL Stylesheets vsnapshot
.\" Date: 03/30/2024
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "CLEVIS\-ENCRYPT\-TAN" "1" "03/30/2024" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
clevis-encrypt-tang \- Encrypts using a Tang binding server policy
.SH "SYNOPSIS"
.sp
\fBclevis encrypt tang\fR CONFIG [\-y] < PT > JWE
.SH "OVERVIEW"
.sp
The \fBclevis encrypt tang\fR command encrypts using a Tang binding server policy\&. Its only argument is the JSON configuration object\&.
.sp
Clevis provides support for the Tang network binding server\&. Tang provides a stateless, lightweight alternative to escrows\&. Encrypting data using the Tang pin works like this:
.sp
.if n \{\
.RS 4
.\}
.nf
$ clevis encrypt tang \*(Aq{"url":"http://tang\&.srv"}\*(Aq < PT > JWE
The advertisement contains the following signing keys:
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
_OsIk0T\-E2l6qjfdDiwVmidoZjA
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
Do you wish to trust these keys? [ynYN] y
.fi
.if n \{\
.RE
.\}
.sp
To decrypt the data, just pass it to the \fBclevis decrypt\fR command:
.sp
.if n \{\
.RS 4
.\}
.nf
$ clevis decrypt < JWE > PT
.fi
.if n \{\
.RE
.\}
.sp
As you can see above, Tang utilizes a trust\-on\-first\-use workflow\&. If you already know the thumbprint of a trusted key, you can specify it in the configuration at encryption time:
.sp
.if n \{\
.RS 4
.\}
.nf
$ cfg=\*(Aq{"url":"http://tang\&.srv","thp":"_OsIk0T\-E2l6qjfdDiwVmidoZjA"}\*(Aq
$ clevis encrypt tang "$cfg" < PT > JWE
.fi
.if n \{\
.RE
.\}
.sp
Obtaining the thumbprint of a trusted signing key is easy\&. If you have access to the Tang server, simply execute:
.sp
.if n \{\
.RS 4
.\}
.nf
$ tang\-show\-keys
.fi
.if n \{\
.RE
.\}
.sp
passing as its argument the port that the Tang server is listening on\&.
.sp
If \fBtang\-show\-keys\fR is not available, but you have access to the Tang server\(cqs database directory, you can execute this instead:
.sp
.if n \{\
.RS 4
.\}
.nf
$ jose jwk thp \-i $DBDIR/$SIG\&.jwk
.fi
.if n \{\
.RE
.\}
.sp
Tang can also perform entirely offline encryption if you pre\-share the server advertisement\&. You can fetch the advertisement with a simple command (just be careful your network isn\(cqt compromised!):
.sp
.if n \{\
.RS 4
.\}
.nf
$ curl \-f $URL/adv > adv\&.jws
.fi
.if n \{\
.RE
.\}
.sp
Once you have the advertisement file, just provide it:
.sp
.if n \{\
.RS 4
.\}
.nf
$ clevis encrypt tang \*(Aq{"url":\&.\&.\&.,"adv":"adv\&.jws"}\*(Aq < PT > JWE
.fi
.if n \{\
.RE
.\}
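.sp
As an added illustration, not code from the clevis or tang projects, the following Python models the check that \fBthp\fR pinning performs when an advertisement is used: it reads the signing keys (those with the \fBverify\fR operation) out of the advertisement payload, computes their RFC 7638 thumbprints with SHA\-256 and then SHA\-1 (the latter gives the 27\-character form of the example thumbprint shown above), and accepts the advertisement only if one of them equals the pinned value\&. The advertisement, its keys and the placeholder signature are constructed inline for the example; verifying the JWS signature itself is the job of jose/clevis and is deliberately not reimplemented here\&.

```python
import base64
import hashlib
import json

# RFC 7638: only these members feed the thumbprint, serialised with
# lexicographically sorted keys and no whitespace.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Hashes tried when matching a pinned thumbprint: SHA-256 yields 43 base64url
# characters, SHA-1 the 27-character form that older Tang output shows.
THP_HASHES = ("sha256", "sha1")


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used throughout JWS/JWK."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    """Inverse of b64url_encode; restores the padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """RFC 7638 thumbprint of a JWK: hash of the canonical required members."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.new(hash_name, canonical.encode()).digest())


def signing_keys(adv_jws: str) -> list:
    """Signing keys from a compact-serialised advertisement (header.payload.sig).

    Only the payload (a JWK set) is parsed; the signature is not checked here."""
    payload = json.loads(b64url_decode(adv_jws.split(".")[1]))
    return [k for k in payload["keys"] if "verify" in k.get("key_ops", [])]


def find_pinned_key(adv_jws: str, thp: str):
    """Return the signing key whose thumbprint equals the pinned thp, else None."""
    for key in signing_keys(adv_jws):
        for hash_name in THP_HASHES:
            if jwk_thumbprint(key, hash_name) == thp:
                return key
    return None


# Constructed sample keys (not a real Tang server's keys); the coordinates are
# arbitrary base64url-safe strings, which is enough to exercise the logic.
SAMPLE_SIGNING_KEY = {
    "alg": "ES512", "crv": "P-521", "key_ops": ["verify"], "kty": "EC",
    "x": "constructed-signing-x", "y": "constructed-signing-y",
}
SAMPLE_EXCHANGE_KEY = {
    "alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"], "kty": "EC",
    "x": "constructed-exchange-x", "y": "constructed-exchange-y",
}


def make_sample_adv() -> str:
    """Constructed advertisement: JWS compact form with a placeholder signature."""
    header = b64url_encode(json.dumps({"alg": "ES512"}).encode())
    key_set = {"keys": [SAMPLE_SIGNING_KEY, SAMPLE_EXCHANGE_KEY]}
    payload = b64url_encode(json.dumps(key_set).encode())
    return header + "." + payload + ".placeholder-signature"


if __name__ == "__main__":
    adv = make_sample_adv()
    for key in signing_keys(adv):
        print("signing key thumbprints:",
              jwk_thumbprint(key, "sha256"), jwk_thumbprint(key, "sha1"))
    pinned = jwk_thumbprint(SAMPLE_SIGNING_KEY, "sha1")
    print("pinned thp accepted:", find_pinned_key(adv, pinned) is not None)
    print("wrong thp accepted:", find_pinned_key(adv, "not-a-thumbprint") is not None)
```
.sp
The exchange key is excluded on purpose: a \fBthp\fR names a signing key, so a pin that matches only an exchange key must not satisfy the check\&. Extra members such as \fBalg\fR or \fBkid\fR do not affect the thumbprint, which is why the value printed by \fBtang\-show\-keys\fR or \fBjose jwk thp\fR stays stable across advertisements that carry the same key\&.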
.SH "CONFIG"
.sp
This command uses the following configuration properties:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBurl\fR
(string) : The base URL of the Tang server (REQUIRED)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBthp\fR
(string) : The thumbprint of a trusted signing key
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBadv\fR
(string) : A filename containing a trusted advertisement
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBadv\fR
(object) : A trusted advertisement (raw JSON)
.RE
.SH "OPTIONS"
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fB\-y\fR
: Automatically answer yes for all questions\&. Use this option for skipping the advertisement trust check\&. This can be useful in automated deployments:
.sp
.if n \{\
.RS 4
.\}
.nf
$ clevis encrypt tang \*(Aq{"url":\&.\&.\&.}\*(Aq \-y < PT > JWE
.fi
.if n \{\
.RE
.\}
.RE
.SH "SEE ALSO"
.sp
\fBclevis\-decrypt\fR(1)