Running the AWS Nitro Enclave to access the KMS encrypted secret
In the previous sections, you:
- Created an AWS KMS key
- Encrypted some data with it
- Built and measured an AWS Nitro Enclave that will attempt to decrypt the data using the AWS Nitro Attestation process
- Updated the policy attached to the AWS KMS key to authorize this specific AWS Nitro Enclave to decrypt data
It is now time to run the AWS Nitro Enclave and verify that it presents a signed attestation document to AWS KMS in order to decrypt the data.
First, run the following command to start the Anjuna Nitro Network Proxy for the enclave:
$ anjuna-nitro-netd-parent --enclave-name nitro-kms --daemonize
Next, to view the enclave output and verify that the attestation procedure passes as expected, set up log monitoring.
To monitor enclave logs in real-time, start the log receiver in the background:
$ anjuna-log-receiver --enclave-name nitro-kms > enclave-logs.txt &
In a separate terminal window, monitor the logs as they are generated:
$ tail -f enclave-logs.txt
The log receiver must be started before running the enclave to capture all log output.
Now run the enclave with the configuration that matches where the encrypted secrets are stored:
- Encrypted secrets in AWS S3
- Encrypted secrets in a local file
When the encrypted secrets are stored in AWS S3, run the following command:
$ anjuna-nitro-cli run-enclave \
--enclave-name nitro-kms \
--cpu-count 2 \
--memory 4096 \
--eif-path nitro-kms.eif
When the encrypted secrets are stored in a local file, run the following command. Ensure that the value of $ENCRYPTED_CONFIG is correctly set according to the previous sections:
$ anjuna-nitro-cli run-enclave \
--enclave-name nitro-kms \
--cpu-count 2 \
--memory 4096 \
--eif-path nitro-kms.eif \
--encrypted-config $ENCRYPTED_CONFIG
The number of vCPU cores must be an even number due to hyperthreading.
The command should produce some output and display the original (decrypted) content of the secrets file, which confirms that AWS KMS accepted the attestation document from this enclave.
Stopping the services
After you finish using the enclave, you should clean up the background services.
First, terminate the enclave if it is still running:
$ anjuna-nitro-cli terminate-enclave --enclave-name nitro-kms
Then, stop the Network Proxy:
$ pkill -f 'anjuna-nitro-netd-parent --enclave-name nitro-kms'
Finally, stop the log receiver:
$ pkill -f 'anjuna-log-receiver --enclave-name nitro-kms'
pkill requires -f so that the pattern is matched against the full command line, which includes the enclave name; without -f, pkill matches on the process name alone and could stop services belonging to a different enclave.
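The start, run and stop sequence from this page wrapped in a small POSIX shell script, as an added example that is not part of the Anjuna documentation. It enforces the two constraints stated above (log receiver started before the enclave, even vCPU count) before anjuna-nitro-cli is invoked; the variable names and the ENCRYPTED_CONFIG handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the Anjuna documentation): the start / run / stop
# sequence on this page as functions, so that the log receiver is always
# started before the enclave and the even-vCPU rule is checked before
# anjuna-nitro-cli runs. Variable names below are assumptions.
ENCLAVE_NAME="${ENCLAVE_NAME:-nitro-kms}"
EIF_PATH="${EIF_PATH:-nitro-kms.eif}"
LOG_FILE="${LOG_FILE:-enclave-logs.txt}"

# The enclave needs a positive, even vCPU count (hyperthreading); reject
# anything else instead of letting run-enclave fail later.
valid_cpu_count() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ] && [ $(( $1 % 2 )) -eq 0 ]
}

# Build the run-enclave argument list. --encrypted-config is appended only
# when a third argument (the encrypted config blob) is given, i.e. the
# local-file variant; the S3 variant passes an empty string.
run_enclave_args() {
  valid_cpu_count "$1" || {
    echo "cpu-count must be a positive even number, got '$1'" >&2; return 1; }
  _args="run-enclave --enclave-name $ENCLAVE_NAME --cpu-count $1 --memory $2 --eif-path $EIF_PATH"
  [ -n "$3" ] && _args="$_args --encrypted-config $3"
  printf '%s\n' "$_args"
}

# Start the network proxy and the log receiver, then run the enclave.
start_and_run() {
  _run=$(run_enclave_args "$1" "$2" "${ENCRYPTED_CONFIG:-}") || return 1
  anjuna-nitro-netd-parent --enclave-name "$ENCLAVE_NAME" --daemonize
  anjuna-log-receiver --enclave-name "$ENCLAVE_NAME" > "$LOG_FILE" &
  LOG_RECEIVER_PID=$!
  # Word-splitting of $_run is intended: it is a flat argument list.
  # shellcheck disable=SC2086
  anjuna-nitro-cli $_run
}

# Tear everything down in the page's order: enclave, proxy, log receiver.
stop_services() {
  anjuna-nitro-cli terminate-enclave --enclave-name "$ENCLAVE_NAME" || true
  pkill -f "anjuna-nitro-netd-parent --enclave-name $ENCLAVE_NAME" || true
  if [ -n "${LOG_RECEIVER_PID:-}" ]; then kill "$LOG_RECEIVER_PID" 2>/dev/null || true
  else pkill -f "anjuna-log-receiver --enclave-name $ENCLAVE_NAME" || true; fi
}
```

Source the file, export ENCRYPTED_CONFIG first if the secrets live in a local file, then call `start_and_run 2 4096` and, once you have read the output, `stop_services`.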