anjuna-nitro-decrypt
anjuna-nitro-decrypt --encrypted-file <encrypted file> \
    --output-file <output file> [OPTIONS...]
Decrypt an encrypted file using an AWS KMS key with a policy that is based on remote attestation.
anjuna-nitro-decrypt decrypts secrets inside an AWS Nitro Enclave: it obtains an attestation document from the enclave's Nitro Security Module and presents it with the KMS Decrypt request, so that the KMS key policy can restrict decryption to an enclave with the expected measurements. anjuna-nitro-decrypt ships with the Anjuna Nitro Runtime and is packaged in anjuna-nitro-runtime.1.48.0001.tar.gz.
The anjuna-nitro-decrypt tool can be added to your container and be used to decrypt any file that was encrypted with the anjuna-nitro-encrypt tool.
The encrypted files can be copied into the container during the build process or fetched from inside the container dynamically while it is running.
For decryption to succeed, the policy of the KMS key must contain a condition on the attestation measurements (PCR values) of the enclave that runs anjuna-nitro-decrypt. These measurements are produced by the anjuna-nitro-cli build-enclave tool. KMS compares them with the attestation document that anjuna-nitro-decrypt includes in its kms:Decrypt request, so a caller outside a matching enclave cannot decrypt the file even if its IAM principal is otherwise allowed kms:Decrypt.
Permissions
anjuna-nitro-decrypt requires the following AWS permissions for the current IAM principal (user or role) performing the operation:
- kms:Decrypt on the KMS key used for encrypting the original file.
Options
Examples
The following example creates a Docker image with anjuna-nitro-decrypt that will decrypt a binary file encrypted by anjuna-nitro-encrypt, and run that binary (see anjuna-nitro-encrypt and Providing secrets to the AWS Nitro Enclave for reference).
First copy over the needed files into the Docker build context directory (where the Dockerfile is located):
$ cp /opt/anjuna/nitro/bin/anjuna-nitro-decrypt ./
$ cp /opt/anjuna/nitro/enclave/lib64/libnsm.so ./
$ AWS_CMK_ARN="<your-cmk>"
$ INPUT_FILENAME="/path/to/my-secret-app"
$ OUTPUT_FILENAME="encrypted-app"
$ anjuna-nitro-encrypt \
--cmk "${AWS_CMK_ARN}" \
--output-file "${OUTPUT_FILENAME}" \
--config "${INPUT_FILENAME}" \
--binary (1)
1 | Use anjuna-nitro-encrypt to encrypt the binary file you want to run in the enclave |
Then create a Dockerfile
that will copy the needed files into the image:
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y ca-certificates (1)
RUN mkdir /my-app
WORKDIR /my-app
COPY libnsm.so /usr/lib/libnsm.so
COPY anjuna-nitro-decrypt /usr/bin/anjuna-nitro-decrypt
COPY encrypted-app . (2)
RUN chmod +x /usr/bin/anjuna-nitro-decrypt
CMD anjuna-nitro-decrypt \ (3)
-e encrypted-app \
-o my-secret-app \
&& chmod +x my-secret-app \ (4)
&& ./my-secret-app (5)
1 | CA certificates are needed to validate the TLS connection to AWS KMS |
2 | Copy the encrypted file into the Docker image to decrypt and run |
3 | Use anjuna-nitro-decrypt to decrypt the binary file |
4 | Give the decrypted file permissions to execute |
5 | Finally run the binary file |
Then build and run an enclave that decrypts the binary and runs it:
$ docker build . -t anjuna-decrypt-container
$ anjuna-nitro-cli build-enclave \
--docker-uri anjuna-decrypt-container:latest \
--output-file decrypt-enclave.eif (1)
$ anjuna-nitro-netd-parent --enclave-name nitro-decrypt --daemonize
$ anjuna-nitro-cli run-enclave \
--enclave-name nitro-decrypt \
--cpu-count 2 --memory 4096 \
--eif-path decrypt-enclave.eif
1 | After this stage you will need to update the policy of the KMS key used for encryption with the PCR values of the newly built enclave (the kms:RecipientAttestation:PCR<n> condition keys). Rebuilding the image changes PCR0 and PCR2, so the key policy must be updated after every rebuild |
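The key policy that the measurement requirement above and callout (1) refer to is not shown on this page. The following script is an added example, not part of the Anjuna documentation or tooling: it renders the weak grant (kms:Decrypt from anywhere) next to the attestation-gated grant that makes the enclave boundary meaningful, validates that the supplied PCR strings are well-formed SHA-384 digests, and assembles a complete key policy. The function names (valid_pcr, weak_decrypt_statement, attested_decrypt_statement, build_key_policy), the account ID 123456789012 and the role ARN are placeholders chosen for this example; the condition keys kms:RecipientAttestation:PCR0/1/2 are AWS KMS's own. The permissions needed by the principal that runs anjuna-nitro-encrypt are out of scope here and are not included.

```shell
#!/bin/sh
# Added example (not Anjuna's code): build a KMS key policy that only allows
# kms:Decrypt to a caller presenting a Nitro attestation document whose PCR
# values match the enclave produced by `anjuna-nitro-cli build-enclave`.
# Account ID, role ARN and PCR values are placeholders supplied by the caller.

# A Nitro PCR is a SHA-384 digest, rendered as exactly 96 hex characters.
# Returns 0 for a well-formed value, 1 otherwise.
valid_pcr() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 96 ]
}

# Weak statement: the role may call kms:Decrypt from anywhere, including the
# parent EC2 instance, so the enclave boundary protects nothing.
weak_decrypt_statement() {
  cat <<EOF
{
  "Sid": "AllowDecryptAnywhere",
  "Effect": "Allow",
  "Principal": { "AWS": "$1" },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
EOF
}

# Hardened statement: the same grant, gated on the attestation document that
# anjuna-nitro-decrypt attaches to its Decrypt request. A request with no
# attestation document, or from an enclave with different PCRs, fails the
# condition and is denied. Malformed PCR input is rejected before rendering.
attested_decrypt_statement() {
  role_arn=$1; pcr0=$2; pcr1=$3; pcr2=$4
  for p in "$pcr0" "$pcr1" "$pcr2"; do
    valid_pcr "$p" || { echo "invalid PCR value: '$p'" >&2; return 1; }
  done
  cat <<EOF
{
  "Sid": "AllowDecryptFromAttestedEnclave",
  "Effect": "Allow",
  "Principal": { "AWS": "${role_arn}" },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:PCR0": "${pcr0}",
      "kms:RecipientAttestation:PCR1": "${pcr1}",
      "kms:RecipientAttestation:PCR2": "${pcr2}"
    }
  }
}
EOF
}

# Full key policy. The administrative statement deliberately omits kms:Decrypt
# and the usual "kms:*" for the account root: if root could decrypt, any IAM
# policy granting kms:Decrypt would bypass the PCR condition. kms:Put* is kept
# so the policy itself can still be updated after each enclave rebuild.
build_key_policy() {
  account_id=$1; role_arn=$2
  decrypt=$(attested_decrypt_statement "$role_arn" "$3" "$4" "$5") || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministrationWithoutDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [
        "kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:Get*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:TagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
${decrypt}
  ]
}
EOF
}

# Usage: ./key-policy.sh <account-id> <role-arn> <PCR0> <PCR1> <PCR2> > key-policy.json
if [ "$#" -eq 5 ]; then
  build_key_policy "$@"
fi
```

Apply the rendered document with `aws kms put-key-policy --key-id "${AWS_CMK_ARN}" --policy-name default --policy file://key-policy.json`, then re-run it with the new PCR values every time the enclave image is rebuilt.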