Encrypting and decrypting files
Most non-trivial applications work with files as inputs, or outputs, or both. These files are one of the first places an attacker looks for sensitive data. The Anjuna SGX Runtime provides features that make the files unreadable to attackers, even when they have privileged access to the host.
This section shows how to use the Anjuna SGX Runtime tools to encrypt and decrypt sensitive files.
Encrypt an input file
This section shows how to encrypt a file input to an application so that it is unreadable by any process except an application protected by the Anjuna SGX Runtime.
Begin by creating an HTML file named index.html with the following contents:
<html>
<body>
Hello from Anjuna!
</body>
</html>
You will serve this HTML file from a simple web server protected by the Anjuna SGX Runtime. The web server is provided as part of the Python 3 standard library. You will create a manifest template for Python 3 so that you can run it with the protection of a secure enclave.
Create the manifest template by running the following command:
$ anjuna-sgxrun --setup python3
Next, you will encrypt index.html with the Anjuna tools so that only the web server process running in the secure enclave can read it. In order to configure the secure enclave to decrypt the file automatically, you must add its absolute path to the encrypted_files section of the manifest template.
Edit python3.manifest.template.yaml, the manifest template file. Find the keys and encrypted_files keys and add the following entries:
keys:
  - id: html_encryption
    source: enclave_generated
encrypted_files:
  - path: $PWD/index.html
    key: html_encryption
Replace the $PWD with the absolute path to your current working directory. To do so, you can run this envsubst command:
$ envsubst '$PWD' < python3.manifest.template.yaml > python3.manifest.template.yaml.tmp
$ mv python3.manifest.template.yaml.tmp python3.manifest.template.yaml
Now, create an enclave key pair by running the following command:
$ anjuna-sgxrun --provision python3
The command creates three files:
provision/python3.pubkey | The secure enclave’s public key
provision/python3.key.sealed | The secure enclave’s private key, encrypted so that only the enclave can decrypt it
provision/python3.quote.bin | An attestation quote that enables you to verify that the public key matches the secure enclave
You can give the public key and the attestation quote to any client that needs to encrypt files to be used by the protected web server. For example, soon you will encrypt index.html, making it unreadable to any process other than the protected Python 3 process running in the secure enclave.
A client can use the attestation quote to verify that the public key matches the secure enclave by running the following command:
$ anjuna-check-attestation --quote-file provision/python3.quote.bin provision/python3.pubkey
The tool’s output indicates whether the provided key correctly matches the quote file’s enclave.
Having verified the correctness of the public key, you can use it to encrypt index.html for the secure enclave that you configured for Python 3.
Encrypt it by running the following command:
$ anjuna-encrypt --public-key provision/python3.pubkey index.html
anjuna-encrypt creates the file index.html.sealed, containing the encrypted contents of index.html. You can now delete the original index.html and rename index.html.sealed to index.html.
At this point, index.html contains the encrypted contents of the original index.html.
Its decrypted cleartext is completely inaccessible to any process or client,
except for Python 3 running inside the secure enclave.
You can check whether the file has been encrypted by anjuna-encrypt by running the following command:
$ hexdump -C index.html
The contents of a file encrypted by anjuna-encrypt start with the text ANJUNAFS.
Serve the encrypted file
You can serve the encrypted index.html by running Python’s built-in web server in the directory that contains the encrypted file.
Run the following command:
$ anjuna-sgxrun python3 -m http.server 8000
While the Python web server runs, use a browser on the same host to visit the URL http://localhost:8000.
You should see a page that displays the text "Hello from Anjuna!".
The Python web server can read the contents of the encrypted index.html because you have configured the secure enclave to decrypt it automatically. No other process, regardless of what privileges it may have on the host, can read the contents of index.html.