step crypto jwe encrypt
NAME
step crypto jwe encrypt – encrypt a payload using JSON Web Encryption (JWE)
USAGE
step crypto jwe encrypt
[–alg=keyencalgorithm
] [–enc=contentencalgorithm
]
[–key=jwk
] [–jwks=jwks
] [–kid=kid
]
DESCRIPTION
step crypto jwe encrypt encrypts a payload using JSON Web Encryption (JWE). By default, the payload to encrypt is read from STDIN and the JWE data structure will be written to STDOUT.
For examples, see step help crypto jwe.
OPTIONS
 –alg=
keyencalgorithm
, –algorithm=keyencalgorithm
 The cryptographic algorithm used to encrypt or determine the value of the content encryption key (CEK). Algorithms are casesensitive strings defined in RFC7518. The selected algorithm must be compatible with the key type. This flag is optional. If not specified, the “alg” member of the JWK is used. If the JWK has no “alg” member then a default is selected depending on the JWK key type. If the JWK has an “alg” member and the –alg flag is passed the two options must match unless the –subtle flag is also passed.

keyencalgorithm
is a casesensitive string and must be one of: RSA1_5
 RSAESPKCS1v1_5
 RSAOAEP
 RSAES OAEP using default parameters
 RSAOAEP256 (default for RSA keys)
 RSAES OAEP using SHA256 and MGF1 with SHA256
 A128KW
 AES Key Wrap with default initial value using 128bit key
 A192KW
 AES Key Wrap with default initial value using 192bit key
 A256KW
 AES Key Wrap with default initial value using 256bit key
 dir
 Direct use of a shared symmetric key as the content encryption key (CEK)
 ECDHES (default for EC keys)
 Elliptic Curve DiffieHellman Ephemeral Static key agreement
 ECDHES+A128KW
 ECDHES using Concat KDF and CEK wrapped with “A128KW
 ECDHES+A192KW
 ECDHES using Concat KDF and CEK wrapped with “A192KW
 ECDHES+A256KW
 ECDHES using Concat KDF and CEK wrapped with “A256KW
 A128GCMKW
 Key wrappiung with AES GCM using 128bit key
 A192GCMKW
 Key wrappiung with AES GCM using 192bit key
 A256GCMKW (default for oct keys)
 Key wrappiung with AES GCM using 256bit key
 PBES2HS256+A128KW
 PBES2 with HMAC SHA256 and “A128KW” wrapping
 PBES2HS384+A192KW
 PBES2 with HMAC SHA256 and “A192KW” wrapping
 PBES2HS512+A256KW
 PBES2 with HMAC SHA256 and “A256KW” wrapping
 –enc=
contentencalgorithm
, –encryptionalgorithm=contentencalgorithm
 The cryptographic content encryption algorithm used to perform authenticated encryption on the plaintext payload (the content) to produce ciphertext and the authentication tag.

contentencalgorithm
is a casesensitive string and must be one of: A128CBCHS256
 AES_128_CBC_HMAC_SHA_256 authenticated encryption algorithm
 A192CBCHS384
 AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm
 A256CBCHS512
 AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm
 A128GCM
 AES GCM using 128bit key
 A192GCM
 AES GCM using 192bit key
 A256GCM (default)
 AES GCM using 256bit key
 –key=
key
 The JWE recipient’s public key. The
key
argument should be the name of a file. JWEs can be encrypted for a recipient using a public JWK or a PEM encoded public key.  –jwks=
jwks
 The JWK Set containing the recipient’s public key. The
jwks
argument should be the name of a file. The file contents should be a JWK Set. The –jwks flag requires the use of the –kid flag to specify which key to use.  –kid=
kid
 The ID of the recipient’s public key.
kid
is a casesensitive string. When used with –key thekid
value must match the “kid” member of the JWK. When used with –jwks (a JWK Set) thekid
value must match the “kid” member of one of the JWKs in the JWK Set.  –typ=
value
, –type=value
 The media type of the JWE, used for disambiguation in applications where more than one type of JWE may be processed. While this parameter might be useful to applications, it is ignored by JWE implementations.
 –cty=
value
, –contenttype=value
 The media type of the JWE payload, used for disambiguation of JWE objects in applications where more than one JWE payload type may be present. This parameter is ignored by JWE implementations, but may be processed by applications that use JWE.