Providing Secrets to the Nitro Enclave
You saw how easy and quick it is to start a Nitro Enclave using the Anjuna Nitro Runtime in the previous section.
In all but the simplest cases, applications running in Nitro Enclaves will require access to sensitive data. For example, a web server needs a TLS certificate and private key, or a password to extract that certificate and key from a key store. Other applications need credentials to connect to other services, such as an external database.
Embedding such sensitive information in the Docker container image is not recommended, since the image can be inspected, which would expose the secrets.
AWS Nitro Enclaves address the problem of securely providing secrets to applications running inside an enclave with a process called Attestation.
Attestation is a feature that enables a Nitro Enclave to prove its identity to an external service, which can then determine whether this Nitro Enclave is authorized to perform certain operations.
One of the services that supports transparent integration with Nitro Attestation is the AWS Key Management Service (KMS, https://aws.amazon.com/kms/).
In the next sections, we will learn about:
- Nitro Attestation and Enclave measurements
- Setting up a Customer Master Key (CMK) in AWS KMS
- Attaching a default key policy to the Customer Master Key
- Encrypting a secret with the CMK and storing it in a public S3 bucket
- Building a Docker container that will download and decrypt the secret
- Measuring the Nitro Enclave built from the Docker container
- Updating the key policy of the Customer Master Key to allow the Nitro Enclave to decrypt data using the CMK
- Starting the Nitro Enclave to verify that it can decrypt the secret
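To make the attestation-gated decryption described above concrete, here is an added example of a KMS key policy of the kind the later policy-update step produces; it is not taken from the Anjuna documentation. The account ID, the IAM role name of the parent EC2 instance and the PCR0 value are placeholders; the real PCR0 comes from the enclave measurement step, and the `kms:RecipientAttestation:PCR0` condition key is the one KMS evaluates against the attestation document that accompanies a `Decrypt` request from the enclave.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministratorsCanManageAndEncryptButNotDecrypt",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion", "kms:Encrypt", "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OnlyTheMeasuredEnclaveCanDecrypt",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-ENCLAVE-PARENT-INSTANCE-ROLE"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "PLACEHOLDER_PCR0_HEX_FROM_MEASUREMENT_STEP"
        }
      }
    }
  ]
}
```

The administrative statement deliberately omits `kms:Decrypt`, so even the key administrator cannot read the secret outside the enclave; a `Decrypt` call without an attestation document, or from an enclave whose PCR0 differs from the measured value, fails the condition and is denied by KMS.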