Flightbox CLI Reference

flightbox

Flexible cryptographic toolkit for multi-tenant encryption and signature

flightbox [OPTIONS] COMMAND [ARGS]...

Options

-v, --verbosity <LVL>: Either CRITICAL, ERROR, WARNING, INFO or DEBUG

-k, --keystore-pool <keystore_pool>: Folder tree to store keystores (else ~/.witnessangel/keystore_pool is used)

-c, --cryptainer-storage <cryptainer_storage>: Folder to store cryptainers (else ~/.witnessangel/cryptainers is used)

-g, --gateway-url <gateway_url>: URL of the web registry endpoint

authenticator

Manage authenticator trustees

flightbox authenticator [OPTIONS] COMMAND [ARGS]...

create

Initialize an authenticator folder with a set of keypairs

The target directory must not exist yet, but its parent directory must exist.

Authenticator passphrase can be provided as WA_PASSPHRASE environment variable, else user will be prompted for it.

No constraints are applied to the lengths of the passphrase or other fields, so beware of security considerations!

flightbox authenticator create [OPTIONS] AUTHENTICATOR_DIR

Options

--keypair-count <keypair_count>

Count of keypairs to generate (min 1)

Default:: 3

--owner <owner>: Required Name of the authenticator owner

--passphrase-hint <passphrase_hint>: Required Non-sensitive hint to help remember the passphrase

Arguments

AUTHENTICATOR_DIR: Required argument

delete

Delete an authenticator folder along with all its content

flightbox authenticator delete [OPTIONS] AUTHENTICATOR_DIR

Arguments

AUTHENTICATOR_DIR: Required argument

validate

Verify the metadata and keypairs of an authenticator folder

Authenticator passphrase can be provided as WA_PASSPHRASE environment variable, else user will be prompted for it.

flightbox authenticator validate [OPTIONS] AUTHENTICATOR_DIR

Arguments

AUTHENTICATOR_DIR: Required argument

view

View metadata and public keypair identifiers of an authenticator

The presence and validity of private keys isn't checked.

flightbox authenticator view [OPTIONS] AUTHENTICATOR_DIR

Options

-f, --format <format>

Default:: plain
Options:: plain | json

Arguments

AUTHENTICATOR_DIR: Required argument

cryptainer

Manage encrypted containers

flightbox cryptainer [OPTIONS] COMMAND [ARGS]...

decrypt

Turn a cryptainer back into the original media file

This command is for test purposes only, since it only works with INSECURE cryptoconfs where private keys are locally available, and not protected by passphrases.

For real world use cases, see the Witness Angel software suite (Authenticator, Revelation Station...).

flightbox cryptainer decrypt [OPTIONS] CRYPTAINER_NAME

Options

-o, --output-file <output_file>

Arguments

CRYPTAINER_NAME: Required argument

delete

Delete a local cryptainer

flightbox cryptainer delete [OPTIONS] CRYPTAINER_NAME

Arguments

CRYPTAINER_NAME: Required argument

list

List local cryptainers

flightbox cryptainer list [OPTIONS]

Options

-f, --format <format>

Default:: plain
Options:: plain | json

purge

Delete oldest cryptainers per criteria

flightbox cryptainer purge [OPTIONS]

Options

--max-age <max_age>: Maximum age of cryptainer, in days

--max-count <max_count>: Maximum count of cryptainers in storage

--max-quota <max_quota>: Maximum total size of cryptainers, in MBs

summarize

Display a summary of a cryptainer structure

flightbox cryptainer summarize [OPTIONS] CRYPTAINER_NAME

Arguments

CRYPTAINER_NAME: Required argument

validate

Validate a cryptainer structure

flightbox cryptainer validate [OPTIONS] CRYPTAINER_NAME

Arguments

CRYPTAINER_NAME: Required argument

cryptoconf

Manage cryptographic configurations

flightbox cryptoconf [OPTIONS] COMMAND [ARGS]...

generate-simple

Generate a simple cryptoconf using subcommands

flightbox cryptoconf generate-simple [OPTIONS] COMMAND1 [ARGS]... [COMMAND2
                                     [ARGS]...]...

Options

--keychain-uid <keychain_uid>: Default UID for asymmetric keys

add-key-cipher-layer

Add a layer of asymmetric encryption of the key

A symmetric cipher can also be used, resulting in a hybrid encryption scheme.

flightbox cryptoconf generate-simple add-key-cipher-layer [OPTIONS]

Options

--asym-cipher-algo <asym_cipher_algo>

Required Asymmetric algorithms for key encryption

Options:: RSA_OAEP

--trustee-type <trustee_type>

Required Kind of key-guardian used

Options:: local_keyfactory | authenticator

--keystore-uid <keystore_uid>: UID of the key-guardian (only for authenticators)

--keychain-uid <keychain_uid>: Overridden UID for asymmetric key

--sym-cipher-algo <sym_cipher_algo>

Optional intermediate symmetric cipher, to avoid stacking trustees

Options:: AES_CBC | AES_EAX | CHACHA20_POLY1305

add-key-shard

Add a shard configuration to a shared secret

flightbox cryptoconf generate-simple add-key-shard [OPTIONS]

Options

--asym-cipher-algo <asym_cipher_algo>

Required Asymmetric algorithms for key encryption

Options:: RSA_OAEP

--trustee-type <trustee_type>

Required Kind of key-guardian used

Options:: local_keyfactory | authenticator

--keystore-uid <keystore_uid>: UID of the key-guardian (only for authenticators)

--keychain-uid <keychain_uid>: Overridden UID for asymmetric key

--sym-cipher-algo <sym_cipher_algo>

Optional intermediate symmetric cipher, to avoid stacking trustees

Options:: AES_CBC | AES_EAX | CHACHA20_POLY1305

add-key-shared-secret

Transform a key into a shared secret

flightbox cryptoconf generate-simple add-key-shared-secret 
    [OPTIONS]

Options

--threshold <threshold>: Required Number of key-guardians required for decryption of the secret

add-payload-cipher-layer

Add a layer of symmetric encryption of the data

The random symmetric key used for that encryption will then have to be protected by asymmetric encryption.

flightbox cryptoconf generate-simple add-payload-cipher-layer 
    [OPTIONS]

Options

--sym-cipher-algo <sym_cipher_algo>

Required Symmetric algorithms for payload encryption

Options:: AES_CBC | AES_EAX | CHACHA20_POLY1305

summarize

Display a summary of a cryptoconf structure

flightbox cryptoconf summarize [OPTIONS] CRYPTOCONF_FILE

Arguments

CRYPTOCONF_FILE: Required argument

validate

Ensure that a cryptoconf structure is valid

flightbox cryptoconf validate [OPTIONS] CRYPTOCONF_FILE

Arguments

CRYPTOCONF_FILE: Required argument

encrypt

Turn a media file into a secure container

flightbox encrypt [OPTIONS] INPUT_FILE

Options

-o, --output-basename <output_basename>: Basename of the cryptainer storage output file

-c, --cryptoconf <cryptoconf>: Json crypotoconf file

--bundle: Combine cryptainer metadata and payload

Arguments

INPUT_FILE: Required argument

foreign-keystore

Manage locally imported keystores

flightbox foreign-keystore [OPTIONS] COMMAND [ARGS]...

delete

Delete a locally imported keystore

flightbox foreign-keystore delete [OPTIONS] KEYSTORE_UID

Arguments

KEYSTORE_UID: Required argument

import

Import a remote keystore

flightbox foreign-keystore import [OPTIONS]

Options

--from-usb: Fetch authenticators from plugged USB devices

--from-path <from_path>: Fetch authenticator from folder path

--from-gateway <from_gateway>: Fetch authenticator by uid from gateway

--include-private-keys: Import private keys when available

list

List locally imported keystores

flightbox foreign-keystore list [OPTIONS]

Options

-f, --format <format>

Default:: plain
Options:: plain | json

view

View metadata and public keypair identifiers of an imported keystore

The presence and validity of private keys isn't checked.

flightbox foreign-keystore view [OPTIONS] KEYSTORE_UID

Options

-f, --format <format>

Default:: plain
Options:: plain | json

Arguments

KEYSTORE_UID: Required argument