anjuna-nitro-encrypt
Encrypt data using KMS and store it in an AWS S3 bucket.
SYNOPSIS
anjuna-nitro-encrypt --bucket-name <name> --bucket-key <key> --cmk <key-id> --config <config file>
DESCRIPTION
The anjuna-nitro-encrypt
tool provides the ability to securely encrypt secrets for
AWS Nitro Enclaves. The Anjuna Nitro Runtime transparently downloads the encrypted secrets
from the specified S3 bucket, decrypts them using AWS KMS (using a Nitro-generated
attestation document), and makes them available to the application running in the
AWS Nitro Enclave as environment variables or files.
See Anjuna Nitro Enclave Configuration for a complete description of the file format used to specify the secrets.
The AWS Nitro-based EC2 instance, the AWS S3 bucket, and the AWS KMS key MUST be in the same AWS Region. |
You can specify the AWS KMS key by using any of the following attributes of the key:
-
Key ID:
1234abcd-12ab-34cd-56ef-1234567890ab
-
Key ARN:
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
-
Alias name:
alias/nitro-kms-key
-
Alias ARN:
arn:aws:kms:us-east-2:111122223333:alias/nitro-kms-key
When building the Enclave Image File, you MUST configure the enclave to download
its secrets from the same AWS S3 bucket specified by the --bucket-name
and --bucket-key
command-line parameters.
After building the Enclave Image File, you MUST update the AWS KMS policies to grant
permission to the enclave (using the measurements generated by the
anjuna-nitro-cli build-enclave
tool).
PERMISSIONS
The anjuna-nitro-encrypt
requires the following AWS permissions for the current user/role performing the
operation:
-
WRITE
(i.e.s3:PutObject
) on the bucket specified by the--bucket-name
and--bucket-key
command-line parameters -
Encrypt
(i.ekms:Encrypt
) on the KMS key specified by the--cmk
command-line parameter.
OPTIONS
Usage: anjuna-nitro-encrypt [options] -b, --bucket-name string AWS S3 bucket to write the encrypted config to -k, --bucket-key string Key in bucket where the encrypted config is stored -i, --cmk string ID of the KMS CMK used to encrypt our data encryption key -c, --config string Plain text configuration file to encrypt
EXAMPLE
Replace the information on lines 1-4 for your environment:
$ AWS_CMK_ARN="<your-cmk>"
$ AWS_S3_BUCKET_NAME="<your-bucket>"
$ AWS_S3_BUCKET_KEY="<your-bucket-key>"
$ CONFIG_FILENAME="secure-data.yaml"
$ anjuna-nitro-encrypt \
--cmk "${AWS_CMK_ARN}" \
--bucket-name "${AWS_S3_BUCKET_NAME}"\
--bucket-key "${AWS_S3_BUCKET_KEY}" \
--config "${CONFIG_FILENAME}"