Building and Measuring the Nitro Enclave
In the previous section, you encrypted some data and stored the encrypted file in an AWS S3 bucket. In this section, you will build a Nitro Enclave, and you will grant this enclave permission to decrypt the encrypted data.
Pre-requisites
The instructions in this section assume you completed the steps on the previous page and that you are running the commands from this section on a Nitro-capable host set up with the Anjuna Nitro Runtime.
It is also required that the Nitro-capable EC2 instance is associated with the correct IAM role (the same IAM role used in the AWS KMS key policy).
The AWS IAM role is critical for allowing enclaves to connect to AWS KMS without using credentials. If the Nitro EC2 instance is not granted permission to access KMS, the Nitro Enclave will not be able to decrypt any data. It is also important to note that the permissions associated with this role do not allow the parent instance to decrypt data; they only give the EC2 instance the ability to authenticate to KMS. The decryption decision is made by KMS based on the enclave's attestation document, not on the instance's credentials.
You should have the following variables defined and set with the correct values:
export AWS_REGION=<your-region>
export KMS_KEY_ID=<your-kms-key>
export AWS_S3_BUCKET=<your-s3-bucket>
Create the Enclave Configuration File
Create a file named enclave-config.yaml, which specifies the URI of the S3 bucket that contains the encrypted secrets.
version: 1.0
environment:
  - NITRO_ATTESTED_CONF_URL=s3://<YOUR-S3-BUCKET>/kms-encrypted-data.bin
command: [/bin/sh, -c, "printenv|sort; cat /etc/my-application-startup.conf"]
The URL specified in NITRO_ATTESTED_CONF_URL must point to the file encrypted with the anjuna-nitro-encrypt tool on the previous page.
In the example above, the command entry instructs the Anjuna Nitro Runtime to execute the command printenv | sort and show the content of the file /etc/my-application-startup.conf (instead of the default ENTRYPOINT of the Docker image used to create the enclave). It shows the content of the environment variables defined in the enclave, including the decrypted values of the secrets stored in the AWS S3 bucket.
Building a simple Nitro Enclave
anjuna-nitro-cli build-enclave \
  --docker-uri amazonlinux \
  --enclave-config-file enclave-config.yaml \
  --output-file nitro-kms.eif
This should produce the following output:
Start building the Enclave Image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "80cabd5643bccbc644bc299361b28d0fc095145733e4ef0552cf3491339d487fca325f1b497478bcf40d934051e79367",
    "PCR1": "a5b4408152040f6ec87941abc5788d63ba1e74be5714408a271c5081ede76bfdfed00b84d3f04d31e51b844d22f343b8",
    "PCR2": "fda83c68b97a328d07b7668897b34e5f705f2eec3035603fc65bbf1c93d9c240641220c8ffaa1d5d1a2e4dcc4831699e"
  }
}
Save the PCRxx values above, since they are needed later to update the AWS KMS policy associated with your Customer Master Key. The PCRxx values can always be recomputed by re-running the command that builds the EIF:
anjuna-nitro-cli build-enclave \
  --docker-uri amazonlinux \
  --enclave-config-file enclave-config.yaml \
  --output-file nitro-kms.eif
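Because the PCR values are what the KMS key policy will later pin, it is worth capturing them from the build output programmatically and checking that a rebuild reproduces them before the policy is updated. The following is an added example, not part of the Anjuna documentation or tooling: it parses the build output shown above (embedded here as a constructed sample), validates that each PCR is a full SHA-384 hex digest, and compares a fresh set of measurements against a previously pinned set. The function names and the JSON pin-file layout are assumptions made for this example.

```python
import json
import re

# Constructed sample: the text `anjuna-nitro-cli build-enclave` prints, as shown
# on this page (two status lines followed by a JSON document).
SAMPLE_BUILD_OUTPUT = """Start building the Enclave Image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "80cabd5643bccbc644bc299361b28d0fc095145733e4ef0552cf3491339d487fca325f1b497478bcf40d934051e79367",
    "PCR1": "a5b4408152040f6ec87941abc5788d63ba1e74be5714408a271c5081ede76bfdfed00b84d3f04d31e51b844d22f343b8",
    "PCR2": "fda83c68b97a328d07b7668897b34e5f705f2eec3035603fc65bbf1c93d9c240641220c8ffaa1d5d1a2e4dcc4831699e"
  }
}
"""

# A SHA-384 digest is 48 bytes, i.e. 96 lowercase hex characters.
SHA384_HEX = re.compile(r"^[0-9a-f]{96}$")
REQUIRED_PCRS = ("PCR0", "PCR1", "PCR2")


def parse_pcrs(build_output: str) -> dict:
    """Extract {"PCR0": ..., "PCR1": ..., "PCR2": ...} from the build output.

    The JSON document starts at the first '{'; the status lines before it are
    discarded. Every PCR value is checked to be a complete SHA-384 hex digest so
    that a truncated or hand-edited value is rejected instead of being pinned.
    """
    start = build_output.index("{")
    measurements = json.loads(build_output[start:])["Measurements"]
    pcrs = {}
    for name, value in measurements.items():
        if not name.startswith("PCR"):
            continue  # skip HashAlgorithm and any other non-PCR fields
        if not isinstance(value, str) or not SHA384_HEX.match(value):
            raise ValueError(f"{name} is not a SHA-384 hex digest: {value!r}")
        pcrs[name] = value
    missing = [p for p in REQUIRED_PCRS if p not in pcrs]
    if missing:
        raise ValueError(f"build output lacks required measurements: {missing}")
    return pcrs


def pcr_exports(pcrs: dict) -> str:
    """Render the PCRs as shell `export` lines, matching the variable style
    used elsewhere on this page (assumed variable names PCR0, PCR1, PCR2)."""
    return "\n".join(f"export {name}={pcrs[name]}" for name in REQUIRED_PCRS)


def check_against_pinned(current: dict, pinned: dict) -> list:
    """Return the names of PCRs whose current value differs from the pinned one.

    An empty list means the rebuilt EIF reproduces the pinned measurements and
    the existing KMS policy condition will still match. Any non-empty result
    means the enclave image changed and the policy must be updated deliberately,
    not silently.
    """
    return sorted(name for name in pinned if current.get(name) != pinned[name])


if __name__ == "__main__":
    # Typical flow: pin the measurements of the first build to a file
    # (assumed path nitro-kms.pcrs.json), then compare each later rebuild.
    pcrs = parse_pcrs(SAMPLE_BUILD_OUTPUT)
    with open("nitro-kms.pcrs.json", "w") as fh:
        json.dump(pcrs, fh, indent=2)
    with open("nitro-kms.pcrs.json") as fh:
        pinned = json.load(fh)
    drift = check_against_pinned(pcrs, pinned)
    print(pcr_exports(pcrs))
    print("measurement drift:", drift or "none")
```

In real use, pipe the actual build output into `parse_pcrs` (for example by capturing stdout of the build command with `subprocess.run`) and keep the pin file under version control next to enclave-config.yaml, so that any change in PCR0, PCR1 or PCR2 shows up as a reviewed diff rather than as an unexplained KMS decryption failure.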