Running the Nitro Enclave to Access the KMS Encrypted Secret

In the previous sections, you:

  • created an AWS KMS key

  • encrypted some data with it

  • built and measured a Nitro Enclave that will attempt to decrypt the data using the Nitro Attestation process

  • updated the policy attached to the AWS KMS key to authorize this specific Nitro Enclave to decrypt data

It is now time to run the Nitro Enclave and verify that it presents a signed attestation document to AWS KMS in order to decrypt the data.

Run the following commands to start and view the console output of the Nitro Enclave:

$ anjuna-nitro-cli run-enclave --cpu-count 2 --memory 4096 --eif-path nitro-kms.eif --debug-mode
$ anjuna-nitro-cli console --enclave-id $(anjuna-nitro-cli describe-enclaves | jq -r .[0].EnclaveID)

Note: the number of vCPU cores must be an even number due to hyperthreading.

The command should produce some output and display the original content of the secrets file.

To see the enclave output (using the anjuna-nitro-cli console command), you MUST run the enclave in debug mode. In a typical production scenario, the enclave never prints the content of the secrets.
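The two caveats above (an even vCPU count, and a console that only works for an enclave started with --debug-mode) are easy to get wrong when the commands are wrapped in a script. The following is an added example, not part of the Anjuna documentation or tooling: a small POSIX sh wrapper that validates the vCPU count before calling run-enclave and only attaches the console when describe-enclaves reports a RUNNING enclave with the debug flag set. It assumes that anjuna-nitro-cli describe-enclaves prints the same JSON array as upstream nitro-cli, with "EnclaveID", "State" and "Flags" fields and "Flags": "DEBUG_MODE" for a debug enclave; the sample JSON embedded below is constructed for the example, not captured from a real host. Like the jq .[0] selector in the text, the wrapper looks at the first enclave in the list.

```shell
#!/bin/sh
# Added example wrapper around the run-enclave / console steps (not Anjuna code).
# Assumption: describe-enclaves emits nitro-cli-style JSON with EnclaveID,
# State and Flags fields; "Flags": "DEBUG_MODE" marks a debug-mode enclave.

# Returns 0 when $1 is a positive even integer (Nitro hands out vCPUs in
# hyperthread pairs, hence the even-number rule), 1 otherwise.
check_cpu_count() {
    count="$1"
    case "$count" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a plain integer
    esac
    [ "$count" -ge 2 ] && [ $((count % 2)) -eq 0 ]
}

# Extract a string field ($2) from JSON text ($1); first match wins, so on
# a multi-enclave array this behaves like jq's .[0].
json_field() {
    printf '%s\n' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n 1 \
        | sed 's/.*: *"\([^"]*\)"/\1/'
}

# Print the enclave ID only if the console can actually be attached:
# the enclave must be RUNNING and must have been started in debug mode.
# Prints nothing and returns 1 otherwise.
console_target() {
    desc="$1"
    id=$(json_field "$desc" EnclaveID)
    state=$(json_field "$desc" State)
    flags=$(json_field "$desc" Flags)
    [ -n "$id" ] || return 1
    [ "$state" = "RUNNING" ] || return 1
    [ "$flags" = "DEBUG_MODE" ] || return 1
    printf '%s\n' "$id"
}

# Constructed sample describe-enclaves outputs (not from a real host).
SAMPLE_DEBUG='[{"EnclaveName":"nitro-kms","EnclaveID":"i-0123456789abcdef0-enc0123456789abcde","ProcessID":4242,"EnclaveCID":16,"NumberOfCPUs":2,"CPUIDs":[1,3],"MemoryMiB":4096,"State":"RUNNING","Flags":"DEBUG_MODE"}]'
SAMPLE_PROD='[{"EnclaveName":"nitro-kms","EnclaveID":"i-0123456789abcdef0-enc0123456789abcde","ProcessID":4243,"EnclaveCID":17,"NumberOfCPUs":2,"CPUIDs":[1,3],"MemoryMiB":4096,"State":"RUNNING","Flags":"NONE"}]'
SAMPLE_EMPTY='[]'

# Real run, only when explicitly requested, so the functions above can be
# sourced and tested on a machine without a Nitro-enabled instance.
if [ "${RUN_NITRO_DEMO:-0}" = "1" ]; then
    CPUS="${CPU_COUNT:-2}"
    check_cpu_count "$CPUS" \
        || { echo "cpu-count must be a positive even number, got '$CPUS'" >&2; exit 1; }
    anjuna-nitro-cli run-enclave --cpu-count "$CPUS" --memory 4096 \
        --eif-path nitro-kms.eif --debug-mode
    TARGET=$(console_target "$(anjuna-nitro-cli describe-enclaves)") \
        || { echo "no RUNNING debug-mode enclave found; the console needs --debug-mode" >&2; exit 1; }
    anjuna-nitro-cli console --enclave-id "$TARGET"
fi
```

Run it with RUN_NITRO_DEMO=1 on the Nitro-enabled instance to perform the real start-and-attach sequence; without that variable it only defines the helpers, which is what makes the checks testable offline. Refusing to attach to a non-debug enclave is the point of console_target: a production enclave started without --debug-mode has no console, and the text is explicit that such an enclave must never print the secret anyway.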