Anjuna Policy Manager Server boot sequence

AMD SEV-SNP on Azure

There are two phases of the Anjuna Policy Manager running on AMD SEV-SNP on Azure:

  • Initial deployment

    • Initialize the Anjuna Policy Manager, encrypt unsealing keys, and upload them to AKV

  • Subsequent deployments

    • Pull encrypted unsealing keys from AKV, decrypt them, unseal the Anjuna Policy Manager

Initial deployment

When you deploy the Anjuna Policy Manager (APM) for the first time, you need to do the following:

  • Build the enclave image

  • Define a Microsoft Azure Attestation endpoint policy allowing your APM enclave to perform Azure Key Vault Secure Key Release

  • Create an HSM-backed Azure Key Vault master key, and attach it to the Microsoft Azure Attestation endpoint

  • Protect the TLS certificate and private key with a password, and encrypt the password using the master key

  • Encrypt the Storage Account access key with the master key

After that, you can run the APM, which will automatically do the following:

  • Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation

  • Retrieve the password-protected TLS certificate and private key, and retrieve the encrypted password

  • Decrypt the password using the master key, and open the TLS certificate and private key with it

  • Retrieve the encrypted Storage Account access key, and decrypt it using the master key

  • Configure and start the APM Server

  • Initialize the APM; decrypt its encrypted storage backend locally

  • As a one-time initialization step, encrypt the unsealing keys using the master key, and upload them to AKV
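
The operator-side protection steps and the boot-side unwrapping described above, as an added example that is not Anjuna's code: it models the password-protected TLS key, the master-key-wrapped TLS password and Storage Account key, and the enclave's unwrap step with OpenSSL. It assumes a locally generated RSA key pair in place of the HSM-backed AKV master key; in the real flow the private half never leaves AKV and reaches the enclave only through Secure Key Release with Microsoft Azure Attestation.

```shell
#!/bin/sh
# Added example, not Anjuna's code: envelope encryption of the initial
# deployment, modelled with OpenSSL in a scratch directory.
# Assumption: a locally generated RSA key pair stands in for the HSM-backed
# AKV master key (only its public half is needed at deployment time).
set -eu

WORK=$(mktemp -d)

# Operator side: stand-in master key, TLS key protected by a random password,
# and the password plus a constructed Storage Account key wrapped for the enclave.
prepare_secrets() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/master.pem" 2>/dev/null
  openssl pkey -in "$WORK/master.pem" -pubout -out "$WORK/master.pub"

  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/tls-plain.key" 2>/dev/null
  openssl rand -hex 24 > "$WORK/tls-password.txt"
  openssl pkey -in "$WORK/tls-plain.key" -aes256 \
    -passout "file:$WORK/tls-password.txt" -out "$WORK/tls.key"
  rm -f "$WORK/tls-plain.key"          # only the protected copy is stored

  printf 'CONSTRUCTED-STORAGE-ACCOUNT-KEY' > "$WORK/storage-key.txt"
  wrap_with_master "$WORK/tls-password.txt" "$WORK/tls-password.enc"
  wrap_with_master "$WORK/storage-key.txt" "$WORK/storage-key.enc"
  rm -f "$WORK/tls-password.txt" "$WORK/storage-key.txt"
}

wrap_with_master() {   # $1 plaintext file, $2 ciphertext file (RSA-OAEP)
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/master.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$2"
}

# Enclave side: exits non-zero when $1 is not the key the secret was wrapped with.
unwrap_with_master() { # $1 master private key file, $2 ciphertext file
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -in "$2" 2>/dev/null
}

# Boot path after Secure Key Release: unwrap the password, open the TLS key
# with it, then unwrap the storage key (printed on success).
boot_unwrap() {        # $1 released master private key file
  unwrap_with_master "$1" "$WORK/tls-password.enc" > "$WORK/tls-password.dec"
  openssl pkey -in "$WORK/tls.key" -passin "file:$WORK/tls-password.dec" \
    -out "$WORK/tls-open.key"
  unwrap_with_master "$1" "$WORK/storage-key.enc"
}

prepare_secrets
boot_unwrap "$WORK/master.pem"
```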

[Diagram: APM initial deployment sequence diagram]

Subsequent deployments

For a subsequent deployment of the APM, all you need to do is start the Anjuna Policy Manager Confidential Container.

The APM will execute the following procedure automatically:

  • Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation

  • Pull the encrypted unsealing keys, the password-protected TLS certificate and private key, the encrypted TLS password, and the encrypted Storage Account access key, and decrypt the encrypted items using the master key

  • Configure and start the APM Server

  • Unseal the APM; decrypt the encrypted storage backend locally

[Diagram: APM initial deployment sequence diagram]