clevis-encrypt-http man page

clevis-encrypt-http -- Encrypts using a REST HTTP escrow server policy

Synopsis

clevis encrypt http Config < PT > JWE

Overview

The clevis encrypt http command encrypts using a REST HTTP escrow server policy. Its only argument is the JSON configuration object.

When using the HTTP pin, we create a new, cryptographically-strong, random key. This key is stored in a remote HTTP escrow server (using a simple PUT or POST). Then at decryption time, we attempt to fetch the key back again in order to decrypt our data. So, for our configuration we need to pass the URL to the key location:

$ clevis encrypt http '{"url":"https://escrow.srv/1234"}' < PT > JWE

To decrypt the data, simply provide the ciphertext (JWE):

$ clevis decrypt < JWE > PT

Notice that we did not pass any configuration during decryption. The decrypt command extracted the URL (and possibly other configuration) from the JWE object, fetched the encryption key from the escrow and performed decryption.

Config

This command uses the following configuration properties:

See Also

clevis-decrypt(1)

Authors

Nathaniel McCallum <npmccallum@redhat.com>.

Referenced By

clevis(1), clevis-encrypt-sss(1), clevis-luks-bind(1).

Sepember 2017