Managing policies

Each Anjuna Confidential Container will have two identifiers associated with it:

  • Signer ID - Cryptographic hash of the signing key used to sign the enclave

  • Enclave ID - Cryptographic hash of the enclave contents. If any of the following changes, the Enclave ID will change:

    • Container image

    • Anjuna Runtime version

    • Anjuna enclave configuration

There are two ways to define enclave access policies:

  • Based on Signer ID

    • Limits the access to all enclaves signed by a specific signing key, regardless of the container image and Anjuna Runtime version

    • Valuable when you want to avoid continually updating your Anjuna Policy Manager policies when the enclave is updated

  • Based on a combination of Enclave ID and Signer ID

    • Limits the access to a specific enclave that was signed by a specific signing key

    • Valuable when you want to explicitly update the policy when the enclave is updated

Defining access policies

After creating an Anjuna Policy Manager secret and building the Anjuna Enclave, you can create an access policy that authorizes the enclave to access the secret.

To define an enclave access policy based on Signer ID only, run the following command:

$ export SIGNER_ID="[signer id obtained when signing the enclave]"
$ anjuna-policy-manager authorize signer \
      --signer "${SIGNER_ID}" \
      --engine-path "${ENGINE_PATH}" \
      "${SECRET_NAME}"

To define an enclave access policy based on a combination of Signer ID and Enclave ID, run the following command:

$ export SIGNER_ID="[signer id obtained when signing the enclave]"
$ export ENCLAVE_ID="[enclave id obtained when building the enclave]"
$ anjuna-policy-manager authorize enclave \
      --signer "${SIGNER_ID}" \
      --enclave "${ENCLAVE_ID}" \
      --engine-path "${ENGINE_PATH}" \
      "${SECRET_NAME}"

Revoking access policies

You can revoke access policies using the secret name and the Enclave and Signer IDs. New enclaves will no longer be able to access the secrets covered by the revoked access policy. Currently running enclaves are not affected, because secrets are only fetched at boot time.

To revoke an enclave access policy based on Signer ID only, run the following command:

$ export SIGNER_ID="[signer id obtained when signing the enclave]"
$ anjuna-policy-manager revoke signer \
      --signer "${SIGNER_ID}" \
      --engine-path "${ENGINE_PATH}" \
      "${SECRET_NAME}"

To revoke an enclave access policy based on a combination of Signer ID and Enclave ID, run the following command:

$ export SIGNER_ID="[signer id obtained when signing the enclave]"
$ export ENCLAVE_ID="[enclave id obtained when building the enclave]"
$ anjuna-policy-manager revoke enclave \
      --signer "${SIGNER_ID}" \
      --enclave "${ENCLAVE_ID}" \
      --engine-path "${ENGINE_PATH}" \
      "${SECRET_NAME}"
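The following is an added illustration, not Anjuna's code, of how the two policy kinds above behave across an enclave update and a revocation: a signer-only policy keeps working after the container image changes (the Signer ID is unchanged), a signer+enclave policy stops working (the Enclave ID changes), and an already-running enclave keeps a secret it fetched at boot even after the policy is revoked. The hash inputs, secret names and the PolicyStore class are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Hypothetical model of the policy semantics described above; not Anjuna's
# implementation. Inputs (keys, image names, secret names) are constructed.

def signer_id(signing_key: bytes) -> str:
    # Signer ID: hash of the key used to sign the enclave.
    return hashlib.sha256(signing_key).hexdigest()

def enclave_id(image: str, runtime_version: str, config: str) -> str:
    # Enclave ID: hash over image, Anjuna Runtime version and enclave config,
    # so changing any one of them yields a different ID.
    return hashlib.sha256(f"{image}|{runtime_version}|{config}".encode()).hexdigest()

@dataclass
class PolicyStore:
    signers: dict = field(default_factory=dict)   # secret -> {signer_id}
    enclaves: dict = field(default_factory=dict)  # secret -> {(signer_id, enclave_id)}

    def authorize_signer(self, secret, sid):
        self.signers.setdefault(secret, set()).add(sid)

    def authorize_enclave(self, secret, sid, eid):
        self.enclaves.setdefault(secret, set()).add((sid, eid))

    def revoke_enclave(self, secret, sid, eid):
        self.enclaves.get(secret, set()).discard((sid, eid))

    def fetch_at_boot(self, secret, sid, eid):
        # Policy is evaluated only when an enclave boots; returns secret or None.
        ok = sid in self.signers.get(secret, set()) or \
             (sid, eid) in self.enclaves.get(secret, set())
        return f"value-of-{secret}" if ok else None

def demo():
    store = PolicyStore()
    sid = signer_id(b"constructed-signing-key")
    v1 = enclave_id("app:1.0", "runtime-2.0", "cfg-a")
    v2 = enclave_id("app:1.1", "runtime-2.0", "cfg-a")   # image updated only
    store.authorize_signer("db-password", sid)            # signer-only policy
    store.authorize_enclave("api-key", sid, v1)           # signer+enclave policy
    held_by_running_enclave = store.fetch_at_boot("api-key", sid, v1)
    store.revoke_enclave("api-key", sid, v1)              # revoke after boot
    return {
        "ids_differ_after_image_update": v1 != v2,
        "signer_policy_survives_update": store.fetch_at_boot("db-password", sid, v2) is not None,
        "enclave_policy_survives_update": store.fetch_at_boot("api-key", sid, v2) is not None,
        "running_enclave_keeps_secret": held_by_running_enclave is not None,
        "new_boot_after_revoke_denied": store.fetch_at_boot("api-key", sid, v1) is None,
    }
```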

Listing policies

List all signers with policies:

$ anjuna-policy-manager list signers

List all enclaves with policies:

$ anjuna-policy-manager list enclaves

List signers authorized to access a specific secret:

$ anjuna-policy-manager list signers "${SECRET_NAME}"

List enclaves authorized to access a specific secret:

$ anjuna-policy-manager list enclaves "${SECRET_NAME}"