Anjuna Policy Manager runtime configuration

The Anjuna SGX Runtime uses a configuration manifest that specifies the behavior of an application when running in an enclave. This page describes the configuration entries that are used to configure the Anjuna SGX Runtime to work with the Anjuna Policy Manager.

See the Configuration reference for a full description of all supported entries in the Anjuna Runtime manifest.

Manifest reference

policy_manager

The configuration of the connection to the Anjuna Policy Manager. You must provide values for the socket, url, and ca_cert fields. These values tell the Anjuna SGX Runtime how to communicate with the correct Anjuna Policy Manager.

To ensure that communication with the Anjuna Policy Manager is secure, connections to it use TLS (the url entry must start with https://). The ca_cert value should be the PEM-encoded public key of the Anjuna Policy Manager, which allows the Anjuna SGX Runtime to validate the identity of the Anjuna Policy Manager server.

policy_manager:
  socket: apm-broker
  url: https://apm-server.test:8201
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1U

  • socket: the name of the abstract domain socket on which the Anjuna Policy Manager Broker listens for connections. It is recommended to use apm-broker in most cases, which is the default domain socket name that the Anjuna Policy Manager Broker uses.

  • url: the URL of the Policy Manager instance.

  • ca_cert: the PEM-encoded CA certificate that attests the Policy Manager TLS certificate. A secure (HTTPS) connection to the Policy Manager requires pinning this certificate.

keys

Defines the encryption keys that are matched with references in the encrypted_files entry. Keys are declared and referenced throughout the manifest by their id; the origin and path of each key are derived from the uri and the engine.

keys:
  - id: db_key
    source: key_server
    uri: anjuna://keys/database_key
    engine: anjuna

Keys stored in the Anjuna Policy Manager have anjuna://<path> URIs. All keys are retrieved from the Anjuna Policy Manager by the Anjuna SGX Runtime on startup.

encrypted_files

Files matching the patterns listed as encrypted_files are automatically encrypted by the Anjuna SGX Runtime when the application interacts with them.

encrypted_files:
  - path: /path/to/file1
    key: file1_encryption_key
  - path: secret_data_*.db
    key: db_key

For each pattern, an encryption key should be referenced by its id; see the keys entry for additional information.
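The rules on this page (required policy_manager fields, an https:// url, a PEM ca_cert, and encrypted_files keys that resolve to a declared id) can be checked before deployment. The following is an added example, not Anjuna code: check_manifest is a hypothetical helper, it assumes the manifest has already been parsed into a Python dict, and the certificate body is a constructed placeholder.

```python
import ssl

def check_manifest(manifest):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    pm = manifest.get("policy_manager") or {}
    for field in ("socket", "url", "ca_cert"):
        if not pm.get(field):
            problems.append(f"policy_manager.{field} is missing")
    if pm.get("url") and not pm["url"].startswith("https://"):
        problems.append("policy_manager.url must start with https://")
    if pm.get("ca_cert"):
        try:
            # Checks PEM framing and the base64 body only, not the X.509 content.
            ssl.PEM_cert_to_DER_cert(pm["ca_cert"].strip())
        except ValueError:
            problems.append("policy_manager.ca_cert is not a complete PEM certificate")
    # Every encrypted_files entry must reference an id declared under keys.
    declared = {k.get("id") for k in manifest.get("keys") or []}
    declared.discard(None)
    for entry in manifest.get("encrypted_files") or []:
        if entry.get("key") not in declared:
            problems.append(f"encrypted_files {entry.get('path')}: "
                            f"key {entry.get('key')!r} is not declared under keys")
    return problems

# Constructed sample data: field values follow this page's examples, the
# certificate body is a placeholder and not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
GOOD = {
    "policy_manager": {"socket": "apm-broker",
                       "url": "https://apm-server.test:8201", "ca_cert": PEM},
    "keys": [{"id": "db_key", "source": "key_server",
              "uri": "anjuna://keys/database_key", "engine": "anjuna"}],
    "encrypted_files": [{"path": "secret_data_*.db", "key": "db_key"}],
}
BAD = {  # plain-http url, truncated certificate, undeclared key reference
    "policy_manager": {"socket": "apm-broker", "url": "http://apm-server.test:8201",
                       "ca_cert": PEM.split("\n-----END")[0]},
    "keys": GOOD["keys"],
    "encrypted_files": GOOD["encrypted_files"]
    + [{"path": "/path/to/file1", "key": "file1_encryption_key"}],
}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_manifest(m) or "ok")
```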