Saving Encrypted Data in Nitro Enclave


Is it possible to save encrypted data from a Nitro Enclave? Here is my scenario:

After performing some computation, I want my service in the enclave to encrypt the data and store it somewhere (perhaps in S3). In the future, when the enclave is terminated and a new one is created, I want my new enclave to be able to retrieve the data from S3 and decrypt my data. Is this possible?

For this to work, the enclave will need a decryption key that only the enclave can have access to. I know that in Intel SGX, the manufacturer writes a special key directly into the chip so that nothing else can have access to it. I was wondering if the enclave has access to a similar key on startup.

Perhaps there is another solution to store encrypted data that I haven't thought of. My team and I are debating whether to use S2 or Azure because securely saving data is a really important feature for us. Thank you for reading!

2 Answers

Yes, this is possible. Every Nitro Enclave at build time generates the measurements PCR0, PCR1 and PCR2, and optionally PCR8 (highly recommended). PCR0 is a cryptographic measure of the entire enclave image file. So, in your case you would do something like the following.

  1. Store AWS KMS key encrypted data in Amazon S3 bucket.
  2. Build an enclave with your application that processes this sensitive data, generating the PCRs and the enclave image file (EIF).
  3. Capture the build time PCR0.
  4. Add a KMS key policy condition to the key from step 1 that only allows decrypt from an enclave with the specific PCR0.
  5. In the example where your current enclave terminates and a future enclave is spawned from the same EIF, it would still be able to decrypt the data previously written to S3. I highly encourage you to read through the PCRs and tighten down the condition on the KMS key policy further to PCR3, so that you are not tied to a particular EC2 instance (if the use case permits).
Sudhir
answered a year ago
