anjuna-nitro-encrypt
Encrypt data using KMS and store it in an AWS S3 bucket or to a local file.
SYNOPSIS
anjuna-nitro-encrypt --cmk <key-id> --config <config file> [--bucket-name <name> --bucket-key <key>] | [--output-file <output file>]
DESCRIPTION
The anjuna-nitro-encrypt tool securely encrypts secrets for AWS Nitro Enclaves. The Anjuna Nitro Runtime reads the encrypted configuration file inside the enclave either from an S3 bucket or from a local file. The data is decrypted with AWS KMS (using a Nitro-generated attestation report), and the secrets are then made available to the application running in the AWS Nitro Enclave as environment variables or files.
See Anjuna Nitro Enclave Configuration for a complete description of the file format used to specify the secrets.
The AWS Nitro-based EC2 instance, the AWS S3 bucket (when storing to S3), and the AWS KMS key MUST be in the same AWS Region.
You can specify the AWS KMS key by using any of the following attributes of the key:
- Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
- Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
- Alias name: alias/nitro-kms-key
- Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/nitro-kms-key
If the encrypted config is stored in an AWS S3 bucket, you MUST configure the enclave to download its secrets by setting the encryptedConfig.type field of the enclave configuration to s3. You MUST set the encryptedConfig.uri field to the same AWS S3 bucket and key specified by the --bucket-name and --bucket-key command-line parameters when encrypting the configuration file with anjuna-nitro-encrypt.
You MAY invoke anjuna-nitro-encrypt at any point before or after building the enclave, but you MUST invoke it before running the enclave.
After building the Enclave Image File, you MUST update the AWS KMS key policies to grant permission to the enclave (using the measurements generated by the anjuna-nitro-cli build-enclave tool), so that KMS decrypts the configuration only for an enclave whose attestation report matches those measurements.
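The following is an added example, not part of the anjuna-nitro-encrypt tool or its documentation: a Python pre-flight check that classifies the --cmk value into the four identifier forms listed above, extracts the Region from the ARN forms so the same-Region requirement can be checked before KMS is ever called, and verifies that encryptedConfig.type and encryptedConfig.uri in the enclave configuration agree with the --bucket-name/--bucket-key used at encryption time. It assumes the enclave configuration has already been parsed into a mapping and that encryptedConfig.uri has the form s3://<bucket>/<key>; both are assumptions, not facts stated on this page.

```python
"""Pre-flight consistency checks for an anjuna-nitro-encrypt invocation.

Added example; not part of the Anjuna tooling. Assumptions: the enclave
configuration is supplied as an already-parsed mapping, and the
encryptedConfig.uri value has the form s3://<bucket>/<key>.
"""
import re

# The four identifier forms accepted by --cmk (from the man page).
KEY_ID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
KMS_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<kind>key|alias)/(?P<name>.+)$")


def classify_cmk(cmk):
    """Return (form, region) for a --cmk value.

    region is None for the key-ID and alias-name forms, which carry no
    Region, so the same-Region requirement cannot be verified locally for them.
    """
    if KEY_ID_RE.match(cmk):
        return ("key-id", None)
    if cmk.startswith("alias/"):
        return ("alias-name", None)
    m = KMS_ARN_RE.match(cmk)
    if m:
        form = "key-arn" if m.group("kind") == "key" else "alias-arn"
        return (form, m.group("region"))
    raise ValueError(f"unrecognised KMS key identifier: {cmk!r}")


def check_invocation(cmk, enclave_config, bucket=None, key=None,
                     output_file=None, bucket_region=None):
    """Return a list of problems; an empty list means the invocation is consistent.

    bucket_region is the Region of the S3 bucket, looked up separately by the
    caller (for example with the S3 GetBucketLocation API).
    """
    problems = []
    # --bucket-name/--bucket-key and --output-file are mutually exclusive.
    if (bucket or key) and output_file:
        problems.append("--bucket-name/--bucket-key are mutually exclusive "
                        "with --output-file")
    if bool(bucket) != bool(key):
        problems.append("--bucket-name and --bucket-key must be given together")

    form, cmk_region = classify_cmk(cmk)
    # The instance, the bucket and the KMS key MUST share a Region; only the
    # ARN forms let us check that without calling KMS.
    if cmk_region and bucket_region and cmk_region != bucket_region:
        problems.append(f"KMS key ({form}) is in {cmk_region} but the bucket "
                        f"is in {bucket_region}")

    enc = enclave_config.get("encryptedConfig", {})
    if bucket and key:
        if enc.get("type") != "s3":
            problems.append("encryptedConfig.type must be 's3' when the "
                            "encrypted config is stored in S3")
        expected = f"s3://{bucket}/{key}"  # assumed URI form
        if enc.get("uri") != expected:
            problems.append(f"encryptedConfig.uri should be {expected!r}, "
                            f"found {enc.get('uri')!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample enclave configuration (not from the man page).
    sample = {"encryptedConfig": {"type": "s3",
                                  "uri": "s3://my-bucket/enclave/secrets.bin"}}
    for p in check_invocation("alias/nitro-kms-key", sample,
                              bucket="my-bucket", key="enclave/secrets.bin"):
        print("problem:", p)
```

Run it before invoking anjuna-nitro-encrypt; a non-empty list means the enclave would either fail to fetch its configuration at start-up or KMS would refuse the cross-Region decrypt, both of which are cheaper to catch here than at enclave boot.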
PERMISSIONS
anjuna-nitro-encrypt requires the following AWS permissions for the current user/role performing the operation:
- Encrypt (i.e. kms:Encrypt) on the KMS key specified by the --cmk command-line parameter.
- Write (i.e. s3:PutObject) on the bucket specified by the --bucket-name and --bucket-key command-line parameters (when storing secrets to AWS S3).
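The following added example (not part of the Anjuna tooling or this man page) builds the two policy documents the text above calls for: the identity policy for the user/role that runs anjuna-nitro-encrypt, holding only kms:Encrypt on the one CMK and s3:PutObject on the one object, and the KMS key-policy statement that lets the enclave decrypt only when its attestation report carries the expected measurement. The instance role ARN and PCR0 value are placeholders; kms:RecipientAttestation:PCR0 is the AWS Nitro Enclaves condition key for that measurement, and using PCR0 rather than another measurement is an assumption here, not something this page specifies.

```python
"""Least-privilege policy documents around anjuna-nitro-encrypt.

Added example; not part of the Anjuna tooling. The role ARN and PCR0 value
passed by callers are placeholders; kms:RecipientAttestation:PCR0 is the AWS
Nitro Enclaves condition key that binds a KMS Decrypt to an attested
enclave image measurement.
"""
import json


def operator_policy(cmk_arn, bucket=None, key=None):
    """IAM policy for the user/role that runs anjuna-nitro-encrypt.

    Grants only kms:Encrypt on the one CMK and, when storing to S3, only
    s3:PutObject on the one object named by --bucket-name/--bucket-key.
    """
    statements = [{
        "Sid": "EncryptEnclaveConfig",
        "Effect": "Allow",
        "Action": "kms:Encrypt",
        "Resource": cmk_arn,
    }]
    if bucket and key:
        statements.append({
            "Sid": "WriteEncryptedConfig",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def enclave_decrypt_statement(instance_role_arn, pcr0_hex):
    """KMS key-policy statement for the enclave side.

    Lets the parent instance's role call kms:Decrypt only when the request
    carries a Nitro attestation document whose PCR0 equals the measurement
    produced when the enclave image was built. In a key policy, Resource "*"
    refers to the key the policy is attached to.
    """
    return {
        "Sid": "EnclaveDecryptWithAttestation",
        "Effect": "Allow",
        "Principal": {"AWS": instance_role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": pcr0_hex}
        },
    }


def policy_is_scoped(policy):
    """True when no Allow statement in an identity policy uses Resource '*'."""
    return all(s.get("Resource") != "*"
               for s in policy["Statement"] if s.get("Effect") == "Allow")


if __name__ == "__main__":
    cmk = "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(json.dumps(operator_policy(cmk, "my-bucket", "enclave/secrets.bin"), indent=2))
    # PLACEHOLDER values: substitute the real instance role ARN and the PCR0
    # reported by anjuna-nitro-cli build-enclave.
    print(json.dumps(enclave_decrypt_statement(
        "arn:aws:iam::111122223333:role/PLACEHOLDER-enclave-instance-role",
        "PLACEHOLDER-PCR0"), indent=2))
```

The operator policy deliberately omits kms:Decrypt: the party that seals the configuration never needs to unseal it, and keeping Decrypt bound to the attestation condition is what stops a compromised operator credential, or any process on the parent instance outside the enclave, from reading the secrets back.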
OPTIONS
Usage: anjuna-nitro-encrypt [options]
  -b, --bucket-name string   AWS S3 bucket to write the encrypted config to (mutually exclusive with -o)
  -k, --bucket-key string    Key in bucket where the encrypted config is stored (mutually exclusive with -o)
  -o, --output-file string   Local file where the encrypted data is stored (mutually exclusive with -b and -k)
  -i, --cmk string           ID of the KMS CMK used to encrypt our data encryption key
  -c, --config string        Plain text configuration file to encrypt
EXAMPLES
The following example encrypts the config file secret-data.yaml and stores it in an AWS S3 bucket. Replace the values on lines 1-4 with those for your environment:
$ AWS_CMK_ARN="<your-cmk>"
$ AWS_S3_BUCKET_NAME="<your-bucket>"
$ AWS_S3_BUCKET_KEY="<your-bucket-key>"
$ CONFIG_FILENAME="secret-data.yaml"
$ anjuna-nitro-encrypt \
--cmk "${AWS_CMK_ARN}" \
--bucket-name "${AWS_S3_BUCKET_NAME}" \
--bucket-key "${AWS_S3_BUCKET_KEY}" \
--config "${CONFIG_FILENAME}"
The following example encrypts the config file secret-data.yaml and stores it in the local encrypted file encrypted-data.bin. Replace the values on lines 1-3 with those for your environment:
$ AWS_CMK_ARN="<your-cmk>"
$ OUTPUT_FILENAME="encrypted-data.bin"
$ CONFIG_FILENAME="secret-data.yaml"
$ anjuna-nitro-encrypt \
--cmk "${AWS_CMK_ARN}" \
--output-file "${OUTPUT_FILENAME}" \
--config "${CONFIG_FILENAME}"