Menu
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
Products
Open Source
- Configure popular ACME clients to use a private CA
- Use Kubernetes cert-manager with
step-ca - Issue X.509 host certificates to cloud VMs
- Issue X.509 user certificates via your identity provider
- Create a CA that uses RSA keys
- Import an existing root or intermediate CA into
step-ca - Use Keycloak to issue SSH certificates with step-ca
- Run an SSH CA and connect to VMs using SSH certificates
- Use AWS to deploy a certificate authority and secure microservices
- Run
step-cain a Docker container - Federate multiple autonomous certificate authorities
step crypto jwe encrypt
Name
step crypto jwe encrypt -- encrypt a payload using JSON Web Encryption (JWE)
Usage
step crypto jwe encrypt
[--alg=<key-enc-algorithm>] [--enc=<content-enc-algorithm>]
[--key=<file>] [--jwks=<jwks>] [--kid=<kid>]
Description
step crypto jwe encrypt encrypts a payload using JSON Web Encryption (JWE). By default, the payload to encrypt is read from STDIN and the JWE data structure will be written to STDOUT.
For examples, see step help crypto jwe.
Options
--alg=key-enc-algorithm, --algorithm=key-enc-algorithm
The cryptographic algorithm used to encrypt or determine the value of the
content encryption key (CEK). Algorithms are case-sensitive strings defined in
RFC7518. The selected algorithm must be compatible with the key type. This
flag is optional. If not specified, the "alg" member of the JWK is used. If
the JWK has no "alg" member then a default is selected depending on the JWK
key type. If the JWK has an "alg" member and the --alg flag is passed the two
options must match unless the --subtle flag is also passed.
key-enc-algorithm is a case-sensitive string and must be one of:
RSA1_5: RSAES-PKCS1-v1_5
RSA-OAEP: RSAES OAEP using default parameters
RSA-OAEP-256 (default for RSA keys): RSAES OAEP using SHA-256 and MGF1 with SHA-256
A128KW: AES Key Wrap with default initial value using 128-bit key
A192KW: AES Key Wrap with default initial value using 192-bit key
A256KW: AES Key Wrap with default initial value using 256-bit key
dir: Direct use of a shared symmetric key as the content encryption key (CEK)
ECDH-ES (default for EC keys): Elliptic Curve Diffie-Hellman Ephemeral Static key agreement
ECDH-ES+A128KW: ECDH-ES using Concat KDF and CEK wrapped with "A128KW
ECDH-ES+A192KW: ECDH-ES using Concat KDF and CEK wrapped with "A192KW
ECDH-ES+A256KW: ECDH-ES using Concat KDF and CEK wrapped with "A256KW
A128GCMKW: Key wrapping with AES GCM using 128-bit key
A192GCMKW: Key wrapping with AES GCM using 192-bit key
A256GCMKW (default for oct keys): Key wrapping with AES GCM using 256-bit key
PBES2-HS256+A128KW: PBES2 with HMAC SHA-256 and "A128KW" wrapping
PBES2-HS384+A192KW: PBES2 with HMAC SHA-256 and "A192KW" wrapping
PBES2-HS512+A256KW: PBES2 with HMAC SHA-256 and "A256KW" wrapping
--enc=content-enc-algorithm, --encryption-algorithm=content-enc-algorithm
The cryptographic content encryption algorithm used to perform authenticated
encryption on the plaintext payload (the content) to produce ciphertext and
the authentication tag.
content-enc-algorithm is a case-sensitive string and must be one of:
A128CBC-HS256: AES_128_CBC_HMAC_SHA_256 authenticated encryption algorithm
A192CBC-HS384: AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm
A256CBC-HS512: AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm
A128GCM: AES GCM using 128-bit key
A192GCM: AES GCM using 192-bit key
A256GCM (default): AES GCM using 256-bit key
--key=file
The file containing the JWE recipient's public key.
JWEs can be encrypted for a recipient using a public JWK or a PEM encoded public key.
--jwks=jwks
The JWK Set containing the recipient's public key. The jwks argument should
be the name of a file. The file contents should be a JWK Set. The --jwks
flag requires the use of the --kid flag to specify which key to use.
--kid=kid
The ID of the recipient's public key. kid is a case-sensitive string. When
used with --key the kid value must match the "kid" member of the JWK. When
used with --jwks (a JWK Set) the kid value must match the "kid" member of
one of the JWKs in the JWK Set.
--typ=value, --type=value
The media type of the JWE, used for disambiguation in applications where
more than one type of JWE may be processed. While this parameter might be
useful to applications, it is ignored by JWE implementations.
--cty=value, --content-type=value
The media type of the JWE payload, used for disambiguation of JWE objects in
applications where more than one JWE payload type may be present. This
parameter is ignored by JWE implementations, but may be processed by
applications that use JWE.
Subscribe to updates
Unsubscribe anytime. See our privacy policy.
© 2023 Smallstep Labs, Inc. All rights reserved.