Anjuna Policy Manager Server Boot Sequence
AMD SEV-SNP on Azure
There are two phases of the Anjuna Policy Manager running on AMD SEV-SNP on Azure:
- Initial deployment
  - Initialize the Anjuna Policy Manager, encrypt the unsealing keys, and upload them to AKV
- Subsequent deployments
  - Pull the encrypted unsealing keys from AKV, decrypt them, and unseal the Anjuna Policy Manager
Initial deployment
When you deploy the Anjuna Policy Manager (APM) for the first time, you need to do the following:
- Build the enclave image
- Define a Microsoft Azure Attestation endpoint policy that allows your APM enclave to perform Azure Key Vault Secure Key Release
- Create an HSM-backed Azure Key Vault master key and attach it to the Microsoft Azure Attestation endpoint
- Encrypt the TLS certificate and private key using the master key
After that, you can run the APM, which will automatically:
- Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation
- Retrieve the TLS certificate and private key, and decrypt them using the master key
- Start the APM Server
- Initialize the APM and encrypt its storage backend
- As a one-time initialization step, encrypt the unsealing keys using the master key and upload them to AKV
Subsequent deployments
For subsequent deployments of the APM, all you need to do is start the Anjuna Policy Manager Confidential Container.
The APM will execute the following procedure automatically:
- Pull the encrypted unsealing keys, TLS certificate, and private key
- Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation
- Decrypt the unsealing keys, TLS certificate, and private key using the master key
- Start the APM Server
- Unseal the APM and decrypt the encrypted storage locally
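The following is an added example, not Anjuna's code or the Azure SDK, that models both phases described above (initial deployment and subsequent deployments) in one run: the master key is released only when an enclave report satisfies the attestation policy, the TLS material and unsealing keys are stored only in encrypted form under that master key, and the APM decides which phase it is in by whether sealed unsealing keys already exist in the vault. `Attestation`, `KeyVault`, `operator_provision`, `apm_boot`, the report claim names, and the toy `seal`/`unseal` cipher are all assumptions made for the example; the real deployment uses Microsoft Azure Attestation, an HSM-backed Key Vault key, and real authenticated encryption.

```python
"""Model of the APM boot sequence: attestation-gated release of a master key,
envelope encryption of the TLS material and unsealing keys, and unseal on restart.
Constructed example; the Key Vault, Attestation and storage objects are
in-memory stand-ins, not the Azure SDK or Anjuna Policy Manager code."""
import hashlib
import hmac
import secrets


# --- Toy authenticated encryption standing in for "encrypt with the master key" ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag; the tag makes a wrong key or tampering detectable."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unseal failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Stand-ins for Microsoft Azure Attestation and Azure Key Vault (hypothetical) ---
class Attestation:
    """Evaluates an enclave report against a release policy; fails closed on any mismatch."""

    def __init__(self, policy: dict):
        self.policy = policy

    def satisfied(self, report: dict) -> bool:
        return all(report.get(claim) == value for claim, value in self.policy.items())


class KeyVault:
    def __init__(self, attestation: Attestation):
        self._attestation = attestation
        self._master_key = secrets.token_bytes(32)  # HSM-backed in the real deployment
        self.blobs: dict[str, bytes] = {}           # encrypted secrets the APM pulls

    def encrypt_with_master_key(self, data: bytes) -> bytes:
        """Operator-side wrap: the vault encrypts without releasing the key (assumption)."""
        return seal(self._master_key, data)

    def release_master_key(self, report: dict) -> bytes:
        """Secure Key Release: the key leaves the vault only for an attested enclave."""
        if not self._attestation.satisfied(report):
            raise PermissionError("attestation policy not satisfied; key not released")
        return self._master_key


def operator_provision(vault: KeyVault, tls_cert: bytes, tls_key: bytes) -> None:
    """Initial deployment, operator step: upload TLS material encrypted under the master key."""
    vault.blobs["tls-cert"] = vault.encrypt_with_master_key(tls_cert)
    vault.blobs["tls-key"] = vault.encrypt_with_master_key(tls_key)


def apm_boot(vault: KeyVault, report: dict, local_storage: dict) -> dict:
    """What the APM does automatically on every start. The phase is decided by whether
    sealed unsealing keys already exist in the vault."""
    master_key = vault.release_master_key(report)          # Secure Key Release via attestation
    tls_cert = unseal(master_key, vault.blobs["tls-cert"])  # decrypt TLS material locally
    tls_key = unseal(master_key, vault.blobs["tls-key"])
    if "unsealing-keys" not in vault.blobs:
        phase = "initial"
        unsealing_key = secrets.token_bytes(32)
        # Initialize: encrypt the storage backend, then upload the sealed unsealing key once.
        local_storage["backend"] = seal(unsealing_key, b"policy-store-v1")
        vault.blobs["unsealing-keys"] = seal(master_key, unsealing_key)
    else:
        phase = "subsequent"
        unsealing_key = unseal(master_key, vault.blobs["unsealing-keys"])
    backend = unseal(unsealing_key, local_storage["backend"])  # unseal: decrypt storage locally
    return {"phase": phase, "tls_cert": tls_cert, "tls_key": tls_key, "storage": backend}
```

Two behaviours are worth noting when running it: a report whose claims do not match the policy never reaches the decryption steps because `release_master_key` refuses first, and a modified blob in the vault fails the tag check in `unseal` rather than yielding garbage keys, which is the property the real authenticated encryption under the HSM-backed master key provides.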