Remote attestation

The Anjuna Nitro Runtime integrates with AWS KMS and (optionally) AWS S3 to securely provide secrets to Anjuna Nitro Enclaves at boot time. For example, your application may need access to database credentials or a TLS certificate. The boot-time secrets functionality can automatically retrieve these secrets by using remote attestation to authenticate to KMS. This ensures that no one else can access those secrets.

For more information, see Providing secrets to the AWS Nitro Enclave.

The Anjuna Nitro Runtime exposes an internal HTTP endpoint, only accessible from within an Anjuna Nitro Enclave, for generating attestation reports. This can be used to prove that a trusted Anjuna Nitro Enclave produced certain data, and to prevent replay attacks.

For example, a machine learning (ML) application can embed its inference result (or a hash of the result) in an attestation report. The client can verify that attestation report to confirm that a trusted application running in an enclave generated the result.

Your application can generate attestation reports using a Go library, or by using the HTTP endpoint directly:

A client can use the Go library to verify the resulting attestation report to confirm the authenticity of the enclave and the application-provided user data.

For more information on the Attestation Endpoint and example code, see Github: anjuna-security/go-nitro-attestation.