anjuna-nitro-encrypt

Encrypt data using KMS and store it in an AWS S3 bucket.

SYNOPSIS

anjuna-nitro-encrypt --bucket-name <name> --bucket-key <key> --cmk <key-id> --config <config file>

DESCRIPTION

The anjuna-nitro-encrypt tool provides the ability to securely encrypt secrets for AWS Nitro Enclaves. The Anjuna Nitro Runtime transparently downloads the encrypted secrets from the specified S3 bucket, decrypts them using AWS KMS (using a Nitro-generated attestation document), and makes them available to the application running in the AWS Nitro Enclave as environment variables or files.

See Anjuna Nitro Enclave Configuration for a complete description of the file format used to specify the secrets.

The AWS Nitro-based EC2 instance, the AWS S3 bucket, and the AWS KMS key MUST be in the same AWS Region.

You can specify the AWS KMS key by using any of the following attributes of the key:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

  • Alias name: alias/nitro-kms-key

  • Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/nitro-kms-key

When building the Enclave Image File, you MUST configure the enclave to download its secrets from the same AWS S3 bucket specified by the --bucket-name and --bucket-key command-line parameters.

After building the Enclave Image File, you MUST update the AWS KMS policies to grant permission to the enclave (using the measurements generated by the anjuna-nitro-cli build-enclave tool).

PERMISSIONS

The anjuna-nitro-encrypt requires the following AWS permissions for the current user/role performing the operation:

  • WRITE (i.e. s3:PutObject) on the bucket specified by the --bucket-name and --bucket-key command-line parameters

  • Encrypt (i.e kms:Encrypt) on the KMS key specified by the --cmk command-line parameter.

OPTIONS

Usage: anjuna-nitro-encrypt [options]
  -b, --bucket-name string   AWS S3 bucket to write the encrypted config to
  -k, --bucket-key string    Key in bucket where the encrypted config is stored
  -i, --cmk string           ID of the KMS CMK used to encrypt our data encryption key
  -c, --config string        Plain text configuration file to encrypt

EXIT STATUS

  • 0 on success

  • 1 on error

EXAMPLE

Replace the information on lines 1-4 for your environment:

$ AWS_CMK_ARN="<your-cmk>"
$ AWS_S3_BUCKET_NAME="<your-bucket>"
$ AWS_S3_BUCKET_KEY="<your-bucket-key>"
$ CONFIG_FILENAME="secure-data.yaml"

$ anjuna-nitro-encrypt                   \
    --cmk "${AWS_CMK_ARN}"               \
    --bucket-name "${AWS_S3_BUCKET_NAME}"\
    --bucket-key "${AWS_S3_BUCKET_KEY}"  \
    --config "${CONFIG_FILENAME}"