Advanced: The Anjuna Policy Manager
The Anjuna Policy Manager enables a secret store to control access to secrets based on an application’s identity. It solves the problem of secure initial secret management.
While secrets are encrypted in-use with confidential computing, the application always needs an initial secret that is available when it starts, and that secret resides on the filesystem. For example, an application server needs a private key and certificate to encrypt and decrypt TLS data. Even if these are stored in a key management system (KMS), the application first needs a secret to authenticate to the KMS.
Securing these secrets is challenging because they are available on the filesystem of the application server. If an attacker has access to the server, they can steal the secrets and use them to exfiltrate sensitive data. The loss of data can lead to violations of user privacy, reputational harm for the business, and even regulatory penalties.
Confidential computing provides a powerful, unique, and automated way to eliminate the risks of secret management. Secure enclave hardware can generate an Attestation Quote, which cryptographically proves that a particular application is running in an enclave. Unlike a secret token stored in a file or environment variable, it cannot be used by an attacker even if stolen - it is like a biometric with liveness detection, instead of a password.
For more details on the Attestation Quote, see Identifying the software in Intel® SGX.
The Attestation Quote is used to prove an application’s identity to the Anjuna Policy Manager. When the application running in the enclave starts, the Anjuna SGX Runtime will authenticate to the Anjuna Policy Manager with the enclave’s Attestation Quote. After fetching the application’s secrets, the Anjuna SGX Runtime will transparently make them available to the application running in the enclave.
An attacker cannot gain access to the secrets in the Anjuna Policy Manager because they cannot prove their identity with a valid Attestation Quote. In addition, because the enclave’s memory is encrypted in-use by the CPU, the secrets fetched from the Anjuna Policy Manager are now protected from attackers, even if they have access to the server. With the Anjuna Policy Manager, it is now possible to securely manage secrets.
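To make the flow in the two paragraphs above concrete, the following is an added, constructed simulation; it is not Anjuna's code and does not use the Anjuna Policy Manager API or the real SGX attestation format. It models the three properties the text relies on: a quote is bound to a measurement of the loaded code, it is bound to a fresh challenge so a stolen copy cannot be replayed, and it is signed by a key the application never holds. The HMAC-based "hardware key", the measurement-to-secret policy, the secret names and the enclave code bytes are all assumptions for illustration; a real Attestation Quote is verified through Intel's attestation infrastructure rather than a shared key.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the CPU's attestation signing key. In real SGX this
# key never leaves the hardware; here it exists only so the simulation can sign.
_HARDWARE_KEY = b"constructed-hardware-attestation-key"


def measure_enclave(enclave_code: bytes) -> str:
    """Measurement of the enclave: a hash over the code that was loaded into it."""
    return hashlib.sha256(enclave_code).hexdigest()


def _quote_mac(measurement: str, nonce: str) -> str:
    return hmac.new(_HARDWARE_KEY, f"{measurement}|{nonce}".encode(), "sha256").hexdigest()


def hardware_quote(enclave_code: bytes, nonce: str) -> dict:
    """Simulated Attestation Quote: the measurement and the verifier's nonce,
    signed with a key only the (simulated) hardware holds."""
    measurement = measure_enclave(enclave_code)
    return {"measurement": measurement, "nonce": nonce, "sig": _quote_mac(measurement, nonce)}


class PolicyManager:
    """Releases a secret only to an enclave whose quote verifies against policy."""

    def __init__(self, secrets_store: dict, policy: dict):
        self._secrets = secrets_store      # secret name -> secret value
        self._policy = policy              # secret name -> authorized measurement
        self._pending_nonces = set()       # challenges issued but not yet consumed

    def challenge(self) -> str:
        """Issue a fresh nonce; the quote must embed it, so old quotes are useless."""
        nonce = secrets.token_hex(16)
        self._pending_nonces.add(nonce)
        return nonce

    def verify_quote(self, quote: dict) -> bool:
        expected = _quote_mac(quote["measurement"], quote["nonce"])
        return hmac.compare_digest(expected, quote["sig"])

    def get_secret(self, name: str, quote: dict) -> str:
        if quote["nonce"] not in self._pending_nonces:
            raise PermissionError("unknown or already-used nonce (replayed quote)")
        self._pending_nonces.discard(quote["nonce"])  # each challenge is single-use
        if not self.verify_quote(quote):
            raise PermissionError("quote signature invalid")
        if self._policy.get(name) != quote["measurement"]:
            raise PermissionError("enclave measurement not authorized for this secret")
        return self._secrets[name]


# Constructed enclave images: the genuine application and a modified copy.
APP_CODE = b"constructed application server enclave code v1"
TAMPERED_CODE = b"constructed application server enclave code v1 + unauthorized patch"
TLS_KEY = "-----BEGIN PRIVATE KEY----- (constructed placeholder)"


def build_policy_manager() -> PolicyManager:
    return PolicyManager(
        secrets_store={"tls-private-key": TLS_KEY},
        policy={"tls-private-key": measure_enclave(APP_CODE)},
    )


def fetch_secret(pm: PolicyManager, enclave_code: bytes, name: str) -> str:
    """What the runtime does on startup: get a challenge, present a quote, receive the secret."""
    nonce = pm.challenge()
    return pm.get_secret(name, hardware_quote(enclave_code, nonce))


def run_demo() -> dict:
    """Exercise the genuine enclave and three failure modes; returns the outcomes."""
    pm = build_policy_manager()
    results = {"genuine": fetch_secret(pm, APP_CODE, "tls-private-key")}
    # 1. Modified code produces a different measurement, so policy denies it.
    try:
        fetch_secret(pm, TAMPERED_CODE, "tls-private-key")
        results["tampered"] = "released"
    except PermissionError as err:
        results["tampered"] = str(err)
    # 2. A copied quote is bound to a consumed nonce, so replaying it fails.
    quote = hardware_quote(APP_CODE, pm.challenge())
    pm.get_secret("tls-private-key", quote)
    try:
        pm.get_secret("tls-private-key", quote)
        results["replay"] = "released"
    except PermissionError as err:
        results["replay"] = str(err)
    # 3. Claiming the right measurement without the hardware key fails verification.
    fake = {"measurement": measure_enclave(APP_CODE), "nonce": pm.challenge(), "sig": "00" * 32}
    try:
        pm.get_secret("tls-private-key", fake)
        results["forged"] = "released"
    except PermissionError as err:
        results["forged"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The single-use nonce is what gives the "liveness" property the text compares to a biometric: a quote captured from disk or memory is tied to a challenge that has already been consumed, so possession of the quote alone releases nothing. The measurement check is what ties the secret to a specific application image rather than to whoever holds a token.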
This section explains how to deploy, configure, and use the Anjuna Policy Manager with the Anjuna SGX Runtime.