Configuring automatic encryption

A common scenario for server applications is one in which a client sends some input data to be processed, and the server returns resulting output data. If the returned output is sensitive in nature, it is best to protect it against eavesdropping. This section shows how to configure the Anjuna SGX Runtime to protect sensitive output data by encrypting it so that only the intended recipient can read it.

Ensure you have the needed tools

You will need to have the ffmpeg tool installed on your system to follow the instructions in this section. On an Ubuntu system you can install ffmpeg by running the following command:

$ sudo apt install ffmpeg

You will also need openssl to create the encryption keys that you will use to protect the example data. You can install openssl using the following command:

$ sudo apt install openssl

Obtaining the example data

You will use the ffmpeg tool to process video data and return it to a client. To do so, you will need some video data to process. You can fetch an example video file from the URL shown below.

Open that URL in a browser to download the example file, or run the following command to fetch it to your working directory:

$ wget https://s3-us-west-2.amazonaws.com/tutorial.sample.video/dogsleep.mp4

Create a key pair

You will configure the Anjuna SGX Runtime to automatically encrypt video data using a public key. You can then decrypt the file with the corresponding private key, which you will keep secret.

Start by creating a public-private key pair using openssl:

$ openssl genrsa -out client_private_key.pem
$ openssl rsa -in client_private_key.pem -pubout -out client_public_key.pem

Create and edit the manifest template

Next, use anjuna-sgxrun to generate a manifest template:

$ anjuna-sgxrun --setup ffmpeg

anjuna-sgxrun creates the file ffmpeg.manifest.template.yaml, which you will edit to configure the secure enclave.

To configure the Anjuna SGX Runtime to automatically encrypt the input and output of the ffmpeg tool, you must tell it what files to process and what keys to use. Edit the file ffmpeg.manifest.template.yaml and add the entries shown here:

keys:
- id: input_mp4_key
  source: enclave_generated
- id: output_rsa_key
  source: RSA
  value: |
    <PASTE PUBLIC KEY HERE>

encrypted_files:
- path: dogsleep.mp4
  key: input_mp4_key
- path: dogsleep.mpeg
  key: output_rsa_key

Replace the text <PASTE PUBLIC KEY HERE> with the text of the public key that you generated in the previous section. You can format the text correctly for the manifest entry using the following command:

$ pr -to 4 client_public_key.pem

Then copy the output of the command to the clipboard and paste it into the ffmpeg.manifest.template.yaml file in place of the text <PASTE PUBLIC KEY HERE>.
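
One way to script this paste step, as an added example rather than Anjuna's own tooling: the hypothetical embed_public_key function below fills the placeholder with the PEM text at the placeholder's own indentation, and refuses any file that contains a private key.

```shell
#!/bin/sh
# Added example, not Anjuna code: fill the manifest placeholder from a PEM file.
# The function name is hypothetical; file names are the ones used in this section.

# embed_public_key TEMPLATE PEM: print TEMPLATE with the placeholder line replaced
# by the PEM text, indented to the placeholder's own column.
embed_public_key() {
    template=$1 pem=$2
    # Only a public key belongs in the manifest; reject the private key file.
    if grep -q 'PRIVATE KEY' "$pem" ||
       ! head -n 1 "$pem" | grep -q '^-----BEGIN PUBLIC KEY-----$'; then
        echo "error: $pem is not a PEM public key" >&2
        return 1
    fi
    if ! grep -q '<PASTE PUBLIC KEY HERE>' "$template"; then
        echo "error: no placeholder in $template" >&2
        return 1
    fi
    awk -v pem="$pem" '
        /<PASTE PUBLIC KEY HERE>/ {
            indent = $0
            sub(/<PASTE PUBLIC KEY HERE>.*/, "", indent)   # keep leading spaces only
            while ((getline line < pem) > 0) print indent line
            close(pem)
            next
        }
        { print }
    ' "$template"
}

# Typical use: write to a new file, review it, then move it into place.
#   embed_public_key ffmpeg.manifest.template.yaml client_public_key.pem > manifest.new
```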

Create the enclave keys

Now, create an enclave key pair by running the following command:

$ anjuna-sgxrun --provision ffmpeg

The command creates three files:

provision/ffmpeg.pubkey: the secure enclave’s public key

provision/ffmpeg.key.sealed: the secure enclave’s private key, encrypted so that only the enclave can decrypt it

provision/ffmpeg.quote.bin: an attestation quote that enables you to verify that the public key matches the secure enclave

You can use the public key, provision/ffmpeg.pubkey, to encrypt a file so that the only process that can read it is ffmpeg running in the secure enclave. The secure enclave uses provision/ffmpeg.key.sealed to decrypt this file, and the key is itself encrypted so that no process running outside the secure enclave can read it.

A client can use the attestation quote to verify that the public key matches the secure enclave by running the following command:

$ anjuna-check-attestation --quote-file provision/ffmpeg.quote.bin provision/ffmpeg.pubkey

The tool’s output indicates whether the provided key correctly matches the quote file’s enclave.

Having verified the public key, you can now use it to encrypt the example video file. Encrypt the video by running the following command:

$ anjuna-encrypt --public-key provision/ffmpeg.pubkey dogsleep.mp4

anjuna-encrypt creates the file dogsleep.mp4.sealed, containing the encrypted contents of dogsleep.mp4. You can now delete the original dogsleep.mp4 and rename dogsleep.mp4.sealed to dogsleep.mp4. At this point, dogsleep.mp4 contains the encrypted contents of the original dogsleep.mp4. Its decrypted data is completely inaccessible to any process or client, except for ffmpeg running inside the secure enclave.

You can check whether the file has been encrypted by anjuna-encrypt by running the following command:

$ hexdump -C -n 100 dogsleep.mp4

The contents of a file encrypted by anjuna-encrypt start with the text ANJUNAFS.
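
The header check above, wrapped as shell functions so that the delete-and-rename step happens only when dogsleep.mp4.sealed really starts with ANJUNAFS, and so that every path under encrypted_files can be checked in one pass. This is an added example, not Anjuna tooling; the function names are hypothetical, and the manifest parser assumes the simple layout shown earlier in this section.

```shell
#!/bin/sh
# Added example, not Anjuna code. Relies only on the ANJUNAFS header described above.
MAGIC='ANJUNAFS'

# to_hex: stdin as one lowercase hex string (safe for binary data).
to_hex() { od -An -tx1 | tr -d ' \n'; }

# is_sealed FILE: succeeds only if FILE begins with the ANJUNAFS header.
is_sealed() {
    [ -f "$1" ] || return 1
    [ "$(head -c "${#MAGIC}" "$1" | to_hex)" = "$(printf '%s' "$MAGIC" | to_hex)" ]
}

# manifest_paths MANIFEST: print each path listed under encrypted_files.
manifest_paths() {
    awk '
        /^encrypted_files:/ { in_sec = 1; next }
        /^[^ -]/            { in_sec = 0 }   # another top-level key ends the section
        in_sec && /path:/   { sub(/.*path:[ \t]*/, ""); print }
    ' "$1"
}

# unsealed_files MANIFEST: print listed files that exist on disk without the header.
unsealed_files() {
    manifest_paths "$1" | while IFS= read -r p; do
        if [ -e "$p" ] && ! is_sealed "$p"; then printf '%s\n' "$p"; fi
    done
}

# replace_with_sealed FILE: move FILE.sealed over FILE, but only if it is sealed,
# so a failed or partial encryption never costs you the original.
replace_with_sealed() {
    if ! is_sealed "$1.sealed"; then
        echo "refusing: $1.sealed does not start with $MAGIC" >&2
        return 1
    fi
    mv -f -- "$1.sealed" "$1"
}

# Typical use in the tutorial directory:
#   replace_with_sealed dogsleep.mp4 && unsealed_files ffmpeg.manifest.template.yaml
```

Running unsealed_files again after the conversion step also covers dogsleep.mpeg, on the assumption that the runtime writes the same ANJUNAFS header to output files.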

Convert the video

You can now use ffmpeg, running inside the secure enclave, to convert the mp4 file to mpeg:

$ anjuna-sgxrun ffmpeg -i dogsleep.mp4 dogsleep.mpeg

ffmpeg reads the mp4 file, which the secure enclave decrypts automatically thanks to the configuration you prepared, and generates the encrypted output file, dogsleep.mpeg. Once again, you can confirm that the output file is encrypted by the Anjuna SGX Runtime by running the following command:

$ hexdump -C -n 100 dogsleep.mpeg

Because you configured the Anjuna SGX Runtime to encrypt its output with the public key that you created with openssl, you can now use the corresponding private key to decrypt it:

$ anjuna-decrypt --key-file client_private_key.pem dogsleep.mpeg

The output of anjuna-decrypt is an mpeg file named dogsleep.mpeg.decrypted. Rename it to dogsleep.mpeg, and you can use an mpeg player application to view it.