Building and Measuring the Nitro Enclave

In the previous section, you encrypted some data and stored the encrypted file in an AWS S3 bucket. In this section, you will build a Nitro Enclave, and you will grant this enclave permission to decrypt the encrypted data.

Pre-requisites

The instructions in this section assume you completed the steps on the previous page and that you are running the commands from this section on a Nitro-capable host set up with the Anjuna Nitro Runtime.

It is also required that the Nitro-capable EC2 instance is associated with the correct IAM role (the same IAM role referenced in the AWS KMS key policy).

The AWS IAM role is critical for allowing enclaves to connect to AWS KMS without using credentials. If the Nitro EC2 instance is not granted permission to access KMS, the Nitro Enclave will not be able to decrypt any data.

It is also important to note that the permissions associated with this role do not allow the parent instance to decrypt data. It just gives the EC2 instance the ability to authenticate to KMS.

You should have the following variables defined and set with the correct values:

export AWS_REGION=<your-region>
export KMS_KEY_ID=<your-kms-key>
export AWS_S3_BUCKET=<your-s3-bucket>

Create the Enclave Configuration File

Create a file named enclave-config.yaml, which specifies the URI of the S3 bucket that contains the encrypted secrets.

version: 1.6

attestedConfURL: s3://<YOUR-S3-BUCKET>/kms-encrypted-data.bin

command: [/bin/sh, -c, "printenv|sort; cat /etc/my-application-startup.conf"]

The URL specified in attestedConfURL must point to the file encrypted with the anjuna-nitro-encrypt tool on the previous page.

In the example above, the command entry instructs the Anjuna Nitro Runtime to execute printenv | sort and then print the content of the file /etc/my-application-startup.conf, instead of running the default ENTRYPOINT of the Docker image used to build the enclave. The output lists the environment variables defined in the enclave, including the decrypted values of the secrets stored in the AWS S3 bucket.

Building a Simple Nitro Enclave

anjuna-nitro-cli build-enclave \
    --docker-uri amazonlinux \
    --enclave-config-file enclave-config.yaml \
    --output-file nitro-kms.eif

This should produce the following output:

Start building the Enclave Image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "80cabd5643bccbc644bc299361b28d0fc095145733e4ef0552cf3491339d487fca325f1b497478bcf40d934051e79367",
    "PCR1": "a5b4408152040f6ec87941abc5788d63ba1e74be5714408a271c5081ede76bfdfed00b84d3f04d31e51b844d22f343b8",
    "PCR2": "fda83c68b97a328d07b7668897b34e5f705f2eec3035603fc65bbf1c93d9c240641220c8ffaa1d5d1a2e4dcc4831699e"
  }
}

Save the PCRxx values above since they are needed later to update the AWS KMS policy associated with your Customer Master Key.

The PCRxx values can always be recomputed by running the describe-eif command:

anjuna-nitro-cli describe-eif --eif-path nitro-kms.eif
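The PCR values are the only thing binding the KMS key policy to this exact enclave image, so it is worth handling them with a script rather than by copy-and-paste. The following Python helper is an added example and is not part of the Anjuna documentation or tooling: it parses the JSON printed by build-enclave (or describe-eif), checks that each PCR is a well-formed SHA-384 digest, confirms that a later describe-eif run still reports the same measurements, and emits the key policy Condition block that pins kms:Decrypt to those PCRs. The kms:RecipientAttestation:PCRn condition keys are AWS KMS's own keys for Nitro Enclave attestation; the sample tool output is constructed from the values shown on this page, and the role ARN is a placeholder.

```python
import json
import re

# Constructed sample: the output of `anjuna-nitro-cli build-enclave` as shown
# on this page, including the progress lines printed before the JSON.
SAMPLE_BUILD_OUTPUT = """Start building the Enclave Image...
Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "80cabd5643bccbc644bc299361b28d0fc095145733e4ef0552cf3491339d487fca325f1b497478bcf40d934051e79367",
    "PCR1": "a5b4408152040f6ec87941abc5788d63ba1e74be5714408a271c5081ede76bfdfed00b84d3f04d31e51b844d22f343b8",
    "PCR2": "fda83c68b97a328d07b7668897b34e5f705f2eec3035603fc65bbf1c93d9c240641220c8ffaa1d5d1a2e4dcc4831699e"
  }
}
"""

# Constructed sample: what a later `describe-eif` of the same EIF would print
# (assumed to be the bare JSON object, without the progress lines).
SAMPLE_DESCRIBE_OUTPUT = SAMPLE_BUILD_OUTPUT.split("\n", 2)[2]

PCR_NAMES = ("PCR0", "PCR1", "PCR2")
# A SHA-384 digest is 48 bytes, i.e. exactly 96 lowercase hex characters.
HEX_SHA384 = re.compile(r"^[0-9a-f]{96}$")


def parse_measurements(output: str) -> dict:
    """Return {"PCR0": ..., "PCR1": ..., "PCR2": ...} from tool output.

    Progress lines before the JSON object are skipped; the first '{' is the
    start of the outer object (the "Sha384 { ... }" braces are inside a string).
    Raises ValueError if a PCR is missing or is not a 96-hex-char digest.
    """
    doc = json.loads(output[output.index("{"):])
    measurements = doc["Measurements"]
    pcrs = {}
    for name in PCR_NAMES:
        if name not in measurements:
            raise ValueError(f"{name} missing from Measurements")
        value = measurements[name].lower()
        if not HEX_SHA384.match(value):
            raise ValueError(f"{name} is not a SHA-384 hex digest: {value!r}")
        pcrs[name] = value
    return pcrs


def measurements_match(build_output: str, describe_output: str) -> bool:
    """True if describe-eif reports exactly the PCRs recorded at build time.

    Use this before updating the key policy, so a rebuilt or swapped EIF is
    caught rather than silently granted decrypt rights.
    """
    return parse_measurements(build_output) == parse_measurements(describe_output)


def kms_attestation_condition(pcrs: dict) -> dict:
    """Condition block that only matches an attestation document carrying these PCRs."""
    return {
        "StringEqualsIgnoreCase": {
            f"kms:RecipientAttestation:{name}": pcrs[name] for name in PCR_NAMES
        }
    }


def decrypt_statement(role_arn: str, pcrs: dict) -> dict:
    """Key policy statement granting kms:Decrypt to role_arn only under attestation.

    The role is the parent instance's IAM role; without the Condition the
    parent itself could decrypt, which is exactly what the PCR pinning prevents.
    """
    return {
        "Sid": "AllowDecryptFromAttestedEnclave",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": kms_attestation_condition(pcrs),
    }


if __name__ == "__main__":
    pcrs = parse_measurements(SAMPLE_BUILD_OUTPUT)
    assert measurements_match(SAMPLE_BUILD_OUTPUT, SAMPLE_DESCRIBE_OUTPUT)
    # Placeholder role ARN; substitute the role attached to your Nitro EC2 instance.
    stmt = decrypt_statement("arn:aws:iam::123456789012:role/EXAMPLE-ENCLAVE-ROLE", pcrs)
    print(json.dumps(stmt, indent=2))
```

Run it as a script to print the statement, or import it and feed the real output of build-enclave and describe-eif to measurements_match before you touch the key policy. Because PCR0 through PCR2 change whenever the image, kernel or application changes, every rebuild of nitro-kms.eif means regenerating and re-applying the Condition block.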