Anjuna Policy Manager Server boot sequence
AMD SEV-SNP on Azure
There are two phases of the Anjuna Policy Manager running on AMD SEV-SNP on Azure:
-
Initial deployment
-
Initialize the Anjuna Policy Manager, encrypt unsealing keys, and upload them to AKV
-
-
Subsequent deployments
-
Pull encrypted unsealing keys from AKV, decrypt them, unseal the Anjuna Policy Manager
-
Initial deployment
When you deploy the Anjuna Policy Manager (APM) for the first time, you will need to do the following:
-
Build the enclave image
-
Define a Microsoft Azure Attestation endpoint policy allowing your APM enclave to perform Azure Key Vault Secure Key Release
-
Create an HSM-backed Azure Key Vault master key, and attach it to the Microsoft Azure Attestation endpoint
-
Protect the TLS certificate and private key with a password, and encrypt the password using the master key
-
Encrypt the Storage Account access key with the master key
After that, you can run the APM, which will automatically do the following:
-
Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation
-
Retrieve the password protected TLS certificate and private key, and retrieve the encrypted password;
-
Decrypt the password using the master key, and open the TLS certificate and private key with it;
-
Retrieve the encrypted Storage Account access key, and decrypt it using the master key;
-
Configure and Start the APM Server
-
Initialize the APM; decrypt its encrypted storage backend locally
-
As a one-time initialization step, encrypt the unsealing keys using the master key, and upload them to AKV
Subsequent deployments
For a subsequent deployment of the APM, all you need to do is start the Anjuna Policy Manager Confidential Container.
The APM will execute the following procedure automatically:
-
Securely retrieve the master key using an Azure Key Vault Secure Key Release with Microsoft Azure Attestation
-
Pull the encrypted unsealing keys, password protected TLS certificate and TLS private key, encrypted TLS password and Storage Account access key, and decrypt them using the master key
-
Configure and Start the APM Server
-
Unseal the APM; decrypt the encrypted storage backend locally