Introduction
Confidential VM (CVM) technology such as Microsoft Azure CVM and Google Cloud Platform (GCP) CVM provides a way to run applications in a virtual machine on AMD Secure Encrypted Virtualization (SEV) systems. This enables application developers to use hardware-accelerated memory encryption for data-in-use to prevent access to the memory and CPU of the running applications.
Using the Anjuna Seaglass Platform, you can create an Anjuna Confidential Container, which augments the architecture provided by the cloud service provider. The Anjuna Confidential Container securely runs an existing containerized application in an Azure CVM or GCP CVM, including securely distributing secrets to that application. No application changes are required.
In this document, you will learn about using the Anjuna CLI for SEV to build and run an Anjuna Confidential Container.
About this document
This guide is structured as follows:
- Quickstart guide for the Anjuna Confidential Container explains how to obtain and set up the Anjuna CLI for SEV. It walks you through using the Anjuna CLI to create and run an Anjuna Confidential Container, which is protected by a secure enclave.
- Advanced topics delves into attestation and secrets management.
- The Command reference is a reference to the command-line tools distributed with the Anjuna software.
- The Configuration reference explains the configuration options used to control the behavior of the Anjuna Confidential Container.
- Troubleshooting addresses possible warnings or errors you might encounter while using the Anjuna tools.
Document conventions
This section describes typographical and other conventions used in this guide.
Text colored like this is a link to another document, either in this guide or elsewhere on the web.
Throughout the documentation, data sizes are based on powers of two: 1 MB = 1 MiB = 1024 bytes, and 1 GB = 1 GiB = 1048576 bytes.
Text in monospace type represents text that appears in a terminal or in the filesystem of a host. Commands, file names, and example code are shown in monospace type.
A block of text in monospace type represents an interaction with a host's shell in the terminal, or the text of a file:
This block of text is an example of monospace type used to illustrate the contents of a file.
Some code blocks are shortened to emphasize only the relevant configuration. A line with <snip>… indicates that some lines have been removed from the full configuration.
The following text illustrates the appearance of a command in a terminal shell. You can copy the text by hovering over it and clicking on the clipboard icon to the right.
$ ls -al
Text in <angle brackets> in examples stands for text to be replaced. For example, in this text:
/home/<username>/.bashrc
replace <username> with an actual username.