Manage secrets
Now that you know the Enclave ID and Signer ID (PCR16
) of the enclave,
you can authorize the enclave to access secrets.
This section explains how to authorize enclaves based on both Enclave ID
and Signer ID, or only Signer ID.
You only need to run one of the code blocks below.
Enclave authorization
Individual enclaves can be granted access to secrets using their enclave IDs. The example commands below will authorize an enclave to access the two secrets that were defined in the example in the previous section, Client enclave config file.
Replace the following fields with the desired values:
-
<apm-path/to/secret-env>
- The path to an environment secret -
<apm-path/to/secret-file>
- The path to a file secret
${ENCLAVE_ID}
and ${SIGNER_ID}
will use the environment values set in the previous section,
Build client disk image.
To find the Enclave ID and Signer ID for a given disk image,
follow the instructions in
Disk image PCR values.
$ anjuna-policy-manager authorize enclave \
--enclave "${ENCLAVE_ID#0x}" \
--signer "${SIGNER_ID#0x}" \
<apm-path/to/secret-env>
$ anjuna-policy-manager authorize enclave \
--enclave "${ENCLAVE_ID#0x}" \
--signer "${SIGNER_ID#0x}" \
<apm-path/to/secret-file>
Enclave signer authorization
Alternatively, you can grant access to a secret for any enclave that is signed with a particular signing key. The example commands below will authorize enclaves with a given signer ID to access the two secrets defined in the example in the Client enclave config file section.
Replace the following fields with the desired values:
-
<apm-path/to/secret-env>
- The path to an environment secret -
<apm-path/to/secret-file>
- The path to a file secret
${SIGNER_ID}
will use the environment values set in
Build client disk image.
You can also view the values for a given disk image by following the instructions in
Disk image PCR values.
$ anjuna-policy-manager authorize signer \
--signer "${SIGNER_ID#0x}" \
<apm-path/to/secret-env>
$ anjuna-policy-manager authorize signer \
--signer "${SIGNER_ID#0x}" \
<apm-path/to/secret-file>