Configuring the Policy Manager

The Anjuna SGX Runtime can be configured to use the Anjuna Policy Manager for getting encryption keys by:

  • adding a policy_manager entry to the manifest.template.yaml

  • declaring keys in the manifest by giving each key an id, the path for accessing the key in the Anjuna Policy Manager, and a source: key_server entry that specifies the appropriate Anjuna Policy Manager server.

  • specifying the encrypted files that should be using those declared keys.

Add the policy_manager entry

This entry configures how the Anjuna SGX Runtime requests the encryption key from the Anjuna Policy Manager.

The following information is needed to configure this entry:

  • the socket name the Anjuna SGX Runtime should use to communicate with the Anjuna Policy Manager Broker.

  • the URL for connecting to the Anjuna Policy Manager Server

  • a PEM certificate that is used to verify the identity of the Anjuna Policy Manager

policy_manager:
  socket: apm-broker
  url: https://apm-server.test:8201
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1U

The anjuna-policy-manager tool prints information that can be inserted in the manifest.template.yaml:

$ anjuna-policy-manager server status --dev

Add the keys entry

This entry declares every encryption key that the Anjuna SGX Runtime fetches from the Anjuna Policy Manager Server.

keys:
  - id: id1
    source: key_server
    uri: anjuna://path-to-key1
  - id: id2
    source: key_server
    uri: anjuna://path-to-key2

id is an arbitrary name that can be used in the manifest to refer to a specific encryption key.

uri is a string that uniquely identifies the location of a secret. Currently, the scheme component of the uri MUST be anjuna. In other words, the uri must start with anjuna://. The path component of the uri is a path-like string that represents the location of the secret in the Anjuna Policy Manager. This is the same string that would be used in the anjuna-policy-manager tool to create and manage permissions to secrets.

There are no limits to the number of encryption keys that can be used in a manifest.

Specify the keys for encrypted files

The final step for configuring the Anjuna SGX Runtime is to specify which files should be automatically encrypted/decrypted with the encrypted_files entry, and which encryption key should be used for those files.

encrypted_files:
  - path: /path/to/file1
    key: id1
  - path: secret_data_*.db
    key: id2

The value of the key attribute MUST match one of the entries specified in the keys section above.
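The three entries can be cross-checked before launch, since a mistake in any of them makes the runtime abort. The following is an added example, not Anjuna code: check_manifest is a hypothetical helper, the manifest is assumed to be already loaded from YAML into a dict, and the https requirement is an assumption taken from the sample URL above.

```python
from urllib.parse import urlsplit

def check_manifest(manifest):
    """Return a list of problems in a manifest already parsed into a dict."""
    problems = []
    pm = manifest.get("policy_manager") or {}
    for field in ("socket", "url", "ca_cert"):
        if not pm.get(field):
            problems.append(f"policy_manager.{field} is missing")
    if pm.get("url"):
        parts = urlsplit(pm["url"])
        # Assumption: the server is reached over https, as in the sample entry.
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"policy_manager.url is malformed: {pm['url']}")
    declared = set()
    for entry in manifest.get("keys") or []:
        key_id = entry.get("id")
        if not key_id:
            problems.append("keys entry without an id")
            continue
        declared.add(key_id)
        uri = entry.get("uri") or ""
        # Keys fetched from the Policy Manager must use anjuna://<path>.
        if entry.get("source") == "key_server" and (
                not uri.startswith("anjuna://") or uri == "anjuna://"):
            problems.append(f"key {key_id}: uri must be anjuna://<path>")
    for entry in manifest.get("encrypted_files") or []:
        # Every encrypted file must reference a declared key id.
        if entry.get("key") not in declared:
            problems.append(
                f"{entry.get('path')}: key {entry.get('key')} is not declared")
    return problems

# Constructed sample with three deliberate mistakes.
SAMPLE = {
    "policy_manager": {
        "socket": "apm-broker",
        "url": "https:://apm-server.test:8201",  # doubled colon
        "ca_cert": "-----BEGIN CERTIFICATE-----\n(placeholder)\n"},
    "keys": [
        {"id": "id1", "source": "key_server", "uri": "anjuna://path-to-key1"},
        {"id": "id2", "source": "key_server", "uri": "vault://path-to-key2"}],
    "encrypted_files": [
        {"path": "/path/to/file1", "key": "id1"},
        {"path": "secret_data_*.db", "key": "id3"}],  # id3 never declared
}

if __name__ == "__main__":
    for problem in check_manifest(SAMPLE):
        print(problem)
```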

Running the application

Once the manifest has been modified with the correct entries, the Anjuna SGX Runtime automatically fetches the keys from the Anjuna Policy Manager Server before the application starts.

If an error occurs, the Anjuna SGX Runtime aborts launching the application.