anjuna-nitro-encrypt

anjuna-nitro-encrypt --cmk <key-id> \
  [--bucket-name <name> --bucket-key <key> | --output-file <output file>] \
  --config <config file> [OPTIONS...]

Encrypt data using AWS KMS and store it in an AWS S3 bucket or to a local file.

anjuna-nitro-encrypt provides the ability to securely encrypt secrets for AWS Nitro Enclaves. The Anjuna Nitro Runtime fetches the encrypted configuration file into the enclave from either an S3 bucket or a local file.

S3 and local anjuna-nitro-encrypt results have different encryption formats.

  • When using an encryptedConfig with type: s3, you must use the S3 object created by anjuna-nitro-encrypt --bucket-name --bucket-key. Manually uploading a local-type encrypted file to S3 will not work.

  • When using an encryptedConfig with type: local, you must use the file created by anjuna-nitro-encrypt --output-file. Downloading an S3-type encrypted object and using it locally will not work.

The data is decrypted with AWS KMS (using a Nitro-generated attestation report). The secrets are then made available to the application running in the AWS Nitro Enclave as environment variables or files.

See Anjuna Nitro Enclave configuration for a complete description of the file format used to specify the secrets.

The AWS Nitro-based EC2 instance, the AWS S3 bucket (when storing to S3), and the AWS KMS key MUST be in the same AWS Region.

If the encrypted config is stored in an AWS S3 bucket, you MUST configure the enclave to download its secrets by setting the encryptedConfig.type field of the enclave configuration to s3. You MUST set the encryptedConfig.uri field to the same AWS S3 bucket and key specified by the --bucket-name and --bucket-key command-line parameters when encrypting the configuration file with anjuna-nitro-encrypt. You MAY invoke anjuna-nitro-encrypt at any point before or after building the enclave, but you MUST invoke it before running the enclave.

After building the Enclave Image File, you MUST update the AWS KMS policies to grant permission to the enclave (using the measurements generated by the anjuna-nitro-cli build-enclave tool).

Permissions

anjuna-nitro-encrypt requires the following AWS permissions for the current user/role performing the operation:

  • Encrypt (i.e. kms:Encrypt) on the KMS key specified by the --cmk command-line parameter.

  • Write (i.e. s3:PutObject) on the bucket specified by the --bucket-name and --bucket-key command-line parameters (when storing secrets to AWS S3).

Options

Usage

anjuna-nitro-encrypt --cmk <key-id> \
  [--bucket-name <name> --bucket-key <key> | --output-file <output file>] \
  --config <config file> [OPTIONS...]

-b, --bucket-name

AWS S3 bucket to write the encrypted config to (mutually exclusive with -o)

-k, --bucket-key

Key in bucket where the encrypted config is stored (mutually exclusive with -o)

-o, --output-file

Path to local file where the encrypted data is stored (mutually exclusive with -b and -k)

--ignore-http-proxy

If set, the process will ignore HTTP_PROXY and HTTPS_PROXY environment variables

-a, --cmk

ID of the KMS CMK used to encrypt the data encryption key

You can specify the AWS KMS key by using any of the following attributes of the key:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • Alias name: alias/nitro-kms-key

  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/nitro-kms-key
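The same-Region requirement above and the four accepted --cmk forms are easy to get wrong before the tool is ever run. The following pre-flight helper, an added example and not part of the Anjuna tooling, classifies a --cmk value and checks that the key's Region (taken from the ARN, or from an assumed default Region for bare key IDs and alias names) matches the Region of the instance and bucket; the sample values are the ones listed on this page.

```shell
#!/bin/sh
# Pre-flight checks for anjuna-nitro-encrypt (added example, not Anjuna code).
# Assumption: bare key IDs and alias names resolve in the caller's default
# Region, which is passed in explicitly rather than read from the environment.

# Classify a --cmk value: prints key-id, key-arn, alias-name, alias-arn or invalid.
cmk_kind() {
  case "$1" in
    arn:aws:kms:*:*:key/*)   echo key-arn ;;
    arn:aws:kms:*:*:alias/*) echo alias-arn ;;
    alias/?*)                echo alias-name ;;
    *)
      # A bare key ID is a UUID: 8-4-4-4-12 lowercase hex groups.
      if printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo key-id
      else
        echo invalid
      fi ;;
  esac
}

# Region embedded in a KMS ARN (4th colon-separated field); empty for a bare
# key ID or alias name, which carry no Region of their own.
cmk_region() {
  case "$1" in
    arn:aws:kms:*) printf '%s' "$1" | cut -d: -f4 ;;
    *)             printf '' ;;
  esac
}

# Return 0 when the key's Region matches the Region of the EC2 instance and
# S3 bucket ($2); $3 is the default Region used for bare IDs and aliases.
check_region() {
  cmk=$1; expected=$2; default=$3
  r=$(cmk_region "$cmk")
  [ -z "$r" ] && r=$default
  [ "$r" = "$expected" ]
}

# Demonstration with the identifiers shown on this page (constructed values).
if check_region 'arn:aws:kms:us-east-2:111122223333:alias/nitro-kms-key' us-east-2 us-west-2; then
  echo "alias ARN is in us-east-2: ok to use with a us-east-2 instance and bucket"
fi
if ! check_region 'alias/nitro-kms-key' us-east-2 us-west-2; then
  echo "bare alias resolves in the default Region (us-west-2): Region mismatch"
fi
```

Run the check with the Region of the EC2 instance and bucket before invoking anjuna-nitro-encrypt; a mismatch means the enclave will not be able to decrypt the configuration.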

-c, --config

Plain text configuration file to encrypt

-i, --binary

Encrypt a binary file instead of an enclave YAML config file

Global options

The following options are available for all commands.

-h, --help

Prints the help information for the command

-v, --version

Prints version information

Exit status

  • 0 on success

  • 1 on error

Examples

The following example encrypts the config file secret-data.yaml and stores it in an AWS S3 bucket. Replace the values in the first four variable assignments to match your environment:

$ AWS_CMK_ARN="<your-cmk>"
$ AWS_S3_BUCKET_NAME="<your-bucket>"
$ AWS_S3_BUCKET_KEY="<your-bucket-key>"
$ CONFIG_FILENAME="secret-data.yaml"

$ anjuna-nitro-encrypt                    \
    --cmk "${AWS_CMK_ARN}"                \
    --bucket-name "${AWS_S3_BUCKET_NAME}" \
    --bucket-key "${AWS_S3_BUCKET_KEY}"   \
    --config "${CONFIG_FILENAME}"

The following example encrypts the config file secret-data.yaml and stores it in the local encrypted file encrypted-data.bin. Replace the values in the first three variable assignments to match your environment:

$ AWS_CMK_ARN="<your-cmk>"
$ OUTPUT_FILENAME="encrypted-data.bin"
$ CONFIG_FILENAME="secret-data.yaml"

$ anjuna-nitro-encrypt                   \
    --cmk "${AWS_CMK_ARN}"               \
    --output-file "${OUTPUT_FILENAME}"   \
    --config "${CONFIG_FILENAME}"

If you want to encrypt a file that is not an Anjuna Nitro Enclave Configuration file, use the --binary flag:

$ AWS_CMK_ARN="<your-cmk>"
$ INPUT_FILENAME="my-secret-app"
$ OUTPUT_FILENAME="encrypted-app"

$ anjuna-nitro-encrypt                   \
    --cmk "${AWS_CMK_ARN}"               \
    --output-file "${OUTPUT_FILENAME}"   \
    --config "${INPUT_FILENAME}"         \
    --binary