Running the AWS Nitro Enclave to access the KMS encrypted secret

In the previous sections, you:

  • Created an AWS KMS key

  • Encrypted some data with it

  • Built and measured an AWS Nitro Enclave that will attempt to decrypt the data using the AWS Nitro Attestation process

  • Updated the policy attached to the AWS KMS key to authorize this specific AWS Nitro Enclave to decrypt data

It is now time to run the AWS Nitro Enclave and verify that it can decrypt the data by presenting its signed attestation document to AWS KMS.

First, run the following command to start the Anjuna Nitro Network Proxy for the enclave:

$ anjuna-nitro-netd-parent --enclave-name nitro-kms --daemonize

Finally, start the AWS Nitro Enclave and view its console output. The exact command depends on where the encrypted secrets are stored:

  • Encrypted secrets in AWS S3

  • Encrypted secrets in a local file

If the encrypted secrets are stored in AWS S3, run the following command:

$ anjuna-nitro-cli run-enclave \
    --enclave-name nitro-kms \
    --cpu-count 2 \
    --memory 4096 \
    --eif-path nitro-kms.eif \
    --debug-mode \
    --attach-console

If the encrypted secrets are instead stored in a local file, run the following command. Ensure that $ENCRYPTED_CONFIG is set to the value produced in the previous sections:

$ anjuna-nitro-cli run-enclave \
    --enclave-name nitro-kms \
    --cpu-count 2 \
    --memory 4096 \
    --eif-path nitro-kms.eif \
    --encrypted-config $ENCRYPTED_CONFIG \
    --debug-mode \
    --attach-console

The number of vCPUs must be even: the enclave is allocated whole physical cores, and with hyperthreading each core provides two vCPUs.

The command prints the enclave's console output, which includes the original (decrypted) content of the secrets file.

To see the enclave output, whether through --attach-console or the anjuna-nitro-cli console command, you MUST run the enclave in debug mode. Debug mode is for development only: a production enclave runs without --debug-mode, and a real workload never prints the content of the secrets to the console.
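Putting the procedure above together, here is a small launcher script. It is an added example, not part of Anjuna's documentation or tooling, and assumes only the two binaries and the flags shown on this page; the variables (ENCLAVE_NAME, EIF_PATH, CPU_COUNT, MEMORY_MIB, DEBUG) and the helper functions are the script's own conventions. It enforces the even vCPU rule before launching, omits --encrypted-config when the secrets come from S3, and adds --debug-mode and --attach-console only when DEBUG=yes, so the default launch is a non-debug enclave whose console is not exposed.

```shell
#!/bin/sh
# Added example launcher, not Anjuna's own tooling. It assumes the
# anjuna-nitro-netd-parent and anjuna-nitro-cli binaries and flags shown
# on this page; the variable names, functions and the DEBUG switch are
# this script's conventions.
set -eu

ENCLAVE_NAME="${ENCLAVE_NAME:-nitro-kms}"
EIF_PATH="${EIF_PATH:-nitro-kms.eif}"
CPU_COUNT="${CPU_COUNT:-2}"
MEMORY_MIB="${MEMORY_MIB:-4096}"
# Console access requires debug mode, so debug is opt-in: the default is off.
DEBUG="${DEBUG:-no}"

# The enclave is given whole physical cores; with hyperthreading that is
# two vCPUs per core, so the count must be a positive even integer.
check_cpu_count() {
    case "$1" in
        ''|*[!0-9]*) echo "vCPU count must be a positive integer, got '$1'" >&2; return 1 ;;
    esac
    if [ "$1" -eq 0 ] || [ $(( $1 % 2 )) -ne 0 ]; then
        echo "vCPU count must be a positive even number, got $1" >&2
        return 1
    fi
    return 0
}

# Print the argument list for anjuna-nitro-cli.
#   $1: "yes" to add --debug-mode --attach-console, anything else for none
#   $2: value for --encrypted-config; empty means the secrets live in S3
build_run_args() {
    debug="$1"
    encrypted_config="${2:-}"
    args="run-enclave --enclave-name $ENCLAVE_NAME --cpu-count $CPU_COUNT"
    args="$args --memory $MEMORY_MIB --eif-path $EIF_PATH"
    # Only pass --encrypted-config when a value is set; an empty value would
    # otherwise be handed to the CLI as a bogus argument.
    if [ -n "$encrypted_config" ]; then
        args="$args --encrypted-config $encrypted_config"
    fi
    if [ "$debug" = "yes" ]; then
        args="$args --debug-mode --attach-console"
    fi
    printf '%s\n' "$args"
}

main() {
    check_cpu_count "$CPU_COUNT"
    [ -f "$EIF_PATH" ] || { echo "EIF not found: $EIF_PATH" >&2; exit 1; }
    # Start the network proxy first: the enclave needs it to reach AWS KMS.
    anjuna-nitro-netd-parent --enclave-name "$ENCLAVE_NAME" --daemonize
    # Values on this page contain no whitespace, so word splitting is safe.
    set -- $(build_run_args "$DEBUG" "${ENCRYPTED_CONFIG:-}")
    exec anjuna-nitro-cli "$@"
}

# Only launch when invoked as `./run-nitro-kms.sh run`; sourcing the file
# just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Run it as `DEBUG=yes ENCRYPTED_CONFIG=... ./run-nitro-kms.sh run` to reproduce the local-file command above, drop ENCRYPTED_CONFIG for the S3 variant, and drop DEBUG for a production-style launch. Because build_run_args only prints the argument list, you can call it on its own to inspect exactly what will be passed to anjuna-nitro-cli before the enclave starts.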