Deploy the Anjuna Policy Manager and create secrets

Start the Confidential Container

The final step in the Anjuna Policy Manager (APM) server deployment is to create the server instance by running the following command:

$ anjuna-gcp-cli instance create "${APM_SERVER_INSTANCE}" \
    --image "${APM_SERVER_IMAGE}" \
    --machine "n2d-standard-2" \
    --network "${NETWORK_NAME}" \
    --subnet "${SUBNET_NAME}" \
    --zone "${GCP_ZONE}" \
    --service-account "${SERVICE_ACCOUNT_EMAIL}" \
    --scopes https://www.googleapis.com/auth/compute,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/cloudkms

The instance create command takes a few minutes to complete.

Once the server instance has been created, its public IP address can be stored in an environment variable on the admin host and displayed with the following commands:

$ export APM_SERVER_IP=$(gcloud compute instances describe "${APM_SERVER_INSTANCE}" \
    --format='get(networkInterfaces[0].accessConfigs[0].natIP)' --zone "${GCP_ZONE}")
$ echo "${APM_SERVER_IP}"

Server hostname resolution

If you are using a fully-qualified domain name for your APM server, update the DNS A record for that name so that it points to the public IP (the value of $APM_SERVER_IP) of the APM server instance created in the previous step.

If you are not using a fully-qualified domain name for your APM server, add an entry to the /etc/hosts file on your administration computer so that the GCP internal DNS hostname resolves to the public IP of your server. The following command appends that line to /etc/hosts:

$ echo "${APM_SERVER_IP}    ${APM_SERVER_HOST}" | sudo tee -a /etc/hosts
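The `tee -a` command above appends unconditionally, so running the step a second time (for example after the instance is recreated with a new public IP) leaves a stale duplicate entry that the resolver may pick first. The following added example, which is not part of the Anjuna documentation, updates a hosts-format file idempotently: any existing line naming the APM hostname is dropped before the new mapping is appended, and comments and unrelated entries are preserved. Function names and the scratch-file usage are this example's own; pass /etc/hosts (under sudo) for the real step.

```shell
#!/bin/sh
# Added example (not from the Anjuna documentation): idempotent hosts-file update
# for the APM server hostname. Works on any file in /etc/hosts format.

# Print the contents of file $3 without any line that maps hostname $2,
# followed by a fresh "$1    $2" mapping. Comments and blank lines are kept.
render_hosts() {
    ip="$1"; host="$2"; file="$3"
    awk -v h="$host" '
        /^[[:space:]]*#/ || NF == 0 { print; next }        # keep comments and blank lines
        {
            keep = 1
            for (i = 2; i <= NF; i++) if ($i == h) keep = 0  # drop lines already naming the host
            if (keep) print
        }' "$file"
    printf '%s    %s\n' "$ip" "$host"
}

# Rewrite the hosts file in place. The new content is written to a temp file in
# the same directory and moved over the original, so a crash mid-write never
# leaves a truncated hosts file. Defaults to /etc/hosts when no file is given.
set_hosts_entry() {
    ip="$1"; host="$2"; file="${3:-/etc/hosts}"
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    render_hosts "$ip" "$host" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the IP currently mapped to hostname $1 in file $2 (nothing if absent).
lookup_host() {
    awk -v h="$1" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$2"
}
```

For the real step, source the file and run `sudo sh -c '. ./hosts.sh; set_hosts_entry "$APM_SERVER_IP" "$APM_SERVER_HOST"'`; `lookup_host "$APM_SERVER_HOST" /etc/hosts` then shows exactly one mapping, whichever IP the instance currently has.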

Set up the CLI tools for managing the Anjuna Policy Manager

The Anjuna CLI for SEV on GCP includes two programs, anjuna-policy-manager-server and anjuna-policy-manager, which are used to manage the APM.

The anjuna-policy-manager-server program will be used for one-time initialization of the APM server.

The anjuna-policy-manager program is used for managing secrets and authorization policies for enclaves.

anjuna-policy-manager-server CLI settings

The anjuna-policy-manager-server program is used for the one-time initialization of auto-unsealing and GCP storage. It requires the TLS certificate created in the TLS configuration section to be copied to apm-on-gcp/tls-cert.pem, and some connection settings to be defined. Set these as environment variables by running the following commands from within the apm-on-gcp directory:

$ export VAULT_ADDR="https://${APM_SERVER_HOST}:8200"
$ export VAULT_CACERT="$(pwd)/tls-cert.pem"

Check the Anjuna Policy Manager server status

Now you can check the status of the APM server with the following command:

$ anjuna-policy-manager-server status

Initialize the APM server

The first time the APM boots, the unsealing key, client enclave authentication, and key-value storage need to be initialized from the administration computer. These operations only need to be performed once.

Initialize unsealing key

Run the following command to initialize the encrypted storage bucket and unsealing key, and generate the root token:

$ anjuna-policy-manager-server operator init

The output of this command contains the recovery keys and the root token, so it must be saved securely.

The root token is required by the subsequent administration commands that create and manage secrets. Assign it to an environment variable with this command (replace <ROOT_TOKEN> with the root token printed by the previous command):

$ export VAULT_TOKEN="<ROOT_TOKEN>"
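Pasting the root token into an `export` on the command line leaves it in the shell history, and letting the init output scroll past in a terminal leaves the recovery keys in scrollback and logs. The following added example, which is not part of the Anjuna documentation, shows one way to handle both: capture the init output straight into a file created with mode 0600, and load VAULT_TOKEN from a token file that is refused unless only its owner can read it. The file names (apm-init.txt, apm-root-token) and function names are this example's own choices, and the example does not assume anything about the layout of the init output.

```shell
#!/bin/sh
# Added example (not from the Anjuna documentation): keep the operator init
# output and the root token off the terminal and out of shell history.

# Run the command given in $2.. and write its output to file $1. The file is
# created under umask 077 so it is owner-only from the first byte, not chmod'ed
# after the fact.
capture_secret_output() {
    out="$1"; shift
    ( umask 077 && "$@" > "$out" ) || return 1
    chmod 600 "$out"
}

# Return 0 if $1 is a regular file readable (and at most writable) by its owner only.
is_owner_only() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Export VAULT_TOKEN from the first line of file $1. Refuses a file that anyone
# else can read, and never puts the token on a command line.
load_root_token() {
    is_owner_only "$1" || { echo "refusing: $1 must be mode 0600 (owner-only)" >&2; return 1; }
    IFS= read -r VAULT_TOKEN < "$1" || return 1
    [ -n "$VAULT_TOKEN" ] || return 1
    export VAULT_TOKEN
}
```

Usage: `capture_secret_output apm-init.txt anjuna-policy-manager-server operator init`, copy the root token line into apm-root-token with an editor or `umask 077; IFS= read -r -s t; printf '%s\n' "$t" > apm-root-token`, then `load_root_token apm-root-token` in each administration shell instead of the literal `export VAULT_TOKEN="<ROOT_TOKEN>"`.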

Enable client enclave authentication

Run the following command to activate APM authentication of client enclaves:

$ anjuna-policy-manager-server auth enable apm

Enable key-value storage engine

This guide uses the key-value storage engine of the APM server. After creating the server instance, this storage engine must be activated. Run the following command to perform this one-time operation:

$ anjuna-policy-manager-server secrets enable --path anjuna kv

Create secrets

Configure anjuna-policy-manager CLI settings

The anjuna-policy-manager program is used for managing secrets and authorization policies for enclaves.

Run the following commands to define additional environment variables required to connect to the server:

$ export ANJUNA_ADDR="https://${APM_SERVER_HOST}:8200"
$ export ANJUNA_CACERT="$(pwd)/tls-cert.pem"
$ export ANJUNA_TOKEN="${VAULT_TOKEN}"

Creating secrets

The example commands below create the two secrets needed for the client enclave configuration file. Replace the following fields with the desired values:

  • apm-path/to/secret-env - The path to an example environment variable secret (the key portion of the key-value pair)

  • SecretEnvValue - The value of the environment variable

  • apm-path/to/secret-file - The path to an example file secret (the key portion of the key-value pair)

  • SecretFileValue - The path to the secrets file to store in the APM

$ anjuna-policy-manager secret create \
    apm-path/to/secret-env \
    --value=SecretEnvValue
$ anjuna-policy-manager secret create \
    apm-path/to/secret-file \
    --value="$(cat SecretFileValue)"

The secret file should be in ASCII/base64 format.
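Because the file secret is passed through `$(cat ...)` as a single command-line argument, a binary file (NUL bytes, non-ASCII) would be mangled before it ever reaches the APM, which is why the page requires ASCII/base64. The following added example, which is not part of the Anjuna documentation, encodes a file on one line, verifies that the encoding round-trips, and only then issues the create command; a dry-run mode lets the encoding be checked without a server. The function names and the dry-run argument are this example's own; the page does not say how the enclave side consumes the value, so the example stops at storing it.

```shell
#!/bin/sh
# Added example (not from the Anjuna documentation): base64-encode a file secret
# and verify it before passing it to `anjuna-policy-manager secret create`.

# Print the base64 encoding of file $1 as one line (no wrapping), so the value
# survives being passed as a single --value argument.
encode_secret_file() {
    base64 < "$1" | tr -d '\n'
}

# Return 0 if $1 is a non-empty single-line base64 string that decodes cleanly.
is_base64() {
    case "$1" in
        *[!A-Za-z0-9+/=]*|"") return 1 ;;
    esac
    printf '%s' "$1" | base64 -d > /dev/null 2>&1
}

# Decode a stored value back to bytes; used here to check the round trip.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Encode file $1, verify the encoding, and create the secret at APM path $2.
# With "dry" as the third argument only the command is printed (value length
# shown, never the value itself), so no APM server is needed to test this.
create_file_secret() {
    file="$1"; apm_path="$2"; mode="${3:-run}"
    value="$(encode_secret_file "$file")" || return 1
    is_base64 "$value" || { echo "refusing: encoding of $file is not valid base64" >&2; return 1; }
    if [ "$mode" = "dry" ]; then
        echo "anjuna-policy-manager secret create $apm_path --value=<${#value} base64 chars>"
    else
        anjuna-policy-manager secret create "$apm_path" --value="$value"
    fi
}
```

Usage: `create_file_secret SecretFileValue apm-path/to/secret-file dry` to check the encoding, then the same call without `dry` once ANJUNA_ADDR, ANJUNA_CACERT and ANJUNA_TOKEN are set.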

Authorizing enclaves to access secrets

Individual enclaves can be granted access to secrets using their enclave IDs. However, the enclave ID is not known until the enclave has been built, so the next step is to configure and build a client enclave.