Running the AWS Nitro Enclave to Access the KMS Encrypted Secret
In the previous sections, you:
- created an AWS KMS key
- encrypted some data with it
- built and measured an AWS Nitro Enclave that will attempt to decrypt the data using the AWS Nitro Attestation process
- updated the policy attached to the AWS KMS key to authorize this specific AWS Nitro Enclave to decrypt data
It is now time to run the AWS Nitro Enclave and verify that it will present a Signed Attestation Document to decrypt the data.
Run the following commands to start and view the console output of the AWS Nitro Enclave:
$ anjuna-nitro-cli run-enclave --cpu-count 2 --memory 4096 --eif-path nitro-kms.eif --debug-mode
$ anjuna-nitro-cli console --enclave-id $(anjuna-nitro-cli describe-enclaves | jq -r .[0].EnclaveID)
The number of vCPU cores must be an even number due to hyperthreading.
The command should produce some output and display the original content of the secrets file.
To see the enclave output (using the anjuna-nitro-cli console command), you MUST run the enclave in debug mode. In a typical use case scenario, the enclave will never print the content of the secrets.
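The two commands above, the even-vCPU rule and the debug-mode caveat can be folded into one small POSIX sh wrapper. The script below is an added example, not part of the Anjuna documentation or tooling: it rejects an odd vCPU count before calling run-enclave, adds --debug-mode only when DEBUG=1 is set explicitly (so a production run never exposes the console, and therefore never prints the secret), and extracts the enclave ID from describe-enclaves with jq as on the page, falling back to tr/sed where jq is absent. The environment variable names (EIF_PATH, CPU_COUNT, MEMORY_MIB, DEBUG) and the describe-enclaves JSON sample with its placeholder enclave ID are assumptions constructed for this example; the command names and flags are the ones shown above.

```shell
#!/bin/sh
# Added example (not part of the Anjuna documentation): a POSIX sh wrapper around the
# run-enclave / console commands. It refuses odd vCPU counts up front, passes
# --debug-mode only when DEBUG=1, and reads the enclave ID from describe-enclaves.
set -eu

EIF_PATH="${EIF_PATH:-nitro-kms.eif}"   # EIF built and measured in the previous section
CPU_COUNT="${CPU_COUNT:-2}"
MEMORY_MIB="${MEMORY_MIB:-4096}"
DEBUG="${DEBUG:-0}"                      # 1 = --debug-mode, needed only to read the console

# Constructed sample of `anjuna-nitro-cli describe-enclaves` output (placeholder ID,
# not real output), used to exercise the parser offline.
SAMPLE_DESCRIBE_JSON='[{"EnclaveName":"nitro-kms","EnclaveID":"i-0123456789abcdef0-enc0123456789abcdef","State":"RUNNING","NumberOfCPUs":2,"MemoryMiB":4096,"Flags":"DEBUG_MODE"}]'

# Return 0 when $1 is a positive even integer (vCPUs are allocated in hyperthread pairs).
cpu_count_is_valid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ] && [ $(( $1 % 2 )) -eq 0 ]
}

# Build the run-enclave argument list: $1 cpus, $2 memory MiB, $3 eif path, $4 debug (0/1).
build_run_args() {
  args="run-enclave --cpu-count $1 --memory $2 --eif-path $3"
  if [ "$4" = "1" ]; then
    args="$args --debug-mode"
  fi
  printf '%s\n' "$args"
}

# Print the first EnclaveID from describe-enclaves JSON on stdin. Uses jq like the page;
# falls back to tr/sed where jq is not installed.
first_enclave_id() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.[0].EnclaveID'
  else
    tr ',{}' '\n\n\n' | sed -n 's/.*"EnclaveID"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
  fi
}

main() {
  if ! cpu_count_is_valid "$CPU_COUNT"; then
    echo "vCPU count must be a positive even number, got: $CPU_COUNT" >&2
    exit 1
  fi
  # Word splitting of the argument string is intended here.
  # shellcheck disable=SC2046
  anjuna-nitro-cli $(build_run_args "$CPU_COUNT" "$MEMORY_MIB" "$EIF_PATH" "$DEBUG")
  enclave_id=$(anjuna-nitro-cli describe-enclaves | first_enclave_id)
  if [ -z "$enclave_id" ] || [ "$enclave_id" = "null" ]; then
    echo "could not find a running enclave in describe-enclaves output" >&2
    exit 1
  fi
  if [ "$DEBUG" = "1" ]; then
    anjuna-nitro-cli console --enclave-id "$enclave_id"
  else
    echo "enclave $enclave_id started without --debug-mode; console output is not available"
  fi
}

# Only start an enclave when invoked as `./run-enclave.sh run`; otherwise the functions
# above can be sourced and checked on their own.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `DEBUG=1 ./run-enclave.sh run` to reproduce the tutorial step and watch the decrypted secret appear on the console; without DEBUG=1 the enclave starts exactly as it would in a real deployment, where the console is unavailable and the secret is never printed.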