# Secret Key Provisioning

A secure secret key provisioning protocol is employed when an enclave needs to receive secret keys that cannot be sealed for persistence but instead need to be installed into the enclave. It is important to note that an enclave program resides on the host, and including any secrets such as TLS certificates' private keys or environment variables containing admin passwords directly in the program package or file system is not recommended. Considering the threat model where adversaries have control over the host, it must be assumed that they can access the program and potentially reverse-engineer the secrets.

Suppose the secret keys are encrypted with AES-256 and loaded into the enclave. The next step is to establish a mechanism to securely provision the decryption keys into the enclave. The provisioning protocol incorporates concepts from secure channel protocols like TLS, combined with remote attestation (RA). The protocol operates between enclave A and a relying party B, following these steps:

1. Enclave A initiates an RA-TLS channel with the relying party. The enclave sends a certificate containing a remote attestation quote through this channel.
2. The relying party verifies the remote attestation quote received from enclave A. Upon successful verification, indicating the integrity and authenticity of the enclave, the relying party proceeds with the provisioning process.
3. Using the secure TLS channel established in Step 1, the relying party securely transfers the provisioned secret keys to enclave A.
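
The relying party's decision in Steps 2 and 3, as an added example that is not code from this documentation. It assumes the quote's signature chain was already validated by an attestation verification service and that the enclave places the SHA-256 of its TLS public key in the first 32 bytes of the quote's report data; the `Quote` class, `release_secret` and all sample values are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Quote:
    """Quote fields, assumed to come from an already signature-verified quote."""
    mrenclave: bytes    # measurement of the enclave code
    debug: bool         # True if the enclave runs in debug mode
    report_data: bytes  # 64 bytes chosen by the enclave

class ProvisioningRefused(Exception):
    pass

def release_secret(quote, tls_pubkey_der, trusted_mrenclaves, secret):
    """Return the secret only to a trusted enclave that owns this session's TLS key."""
    if quote.debug:
        raise ProvisioningRefused("debug enclave: memory is inspectable by the host")
    if not any(hmac.compare_digest(quote.mrenclave, m) for m in trusted_mrenclaves):
        raise ProvisioningRefused("unknown enclave measurement")
    # Channel binding (assumed layout): the quote must commit to the key that
    # terminates TLS, so a valid quote cannot vouch for a different channel.
    expected = hashlib.sha256(tls_pubkey_der).digest()
    if not hmac.compare_digest(quote.report_data[:32], expected):
        raise ProvisioningRefused("quote is not bound to this TLS key")
    return secret  # Step 3: sent over the TLS channel established in Step 1

# Constructed sample values (not real measurements or keys).
ENCLAVE_KEY = b"constructed-enclave-tls-public-key"
HOST_KEY = b"constructed-host-controlled-public-key"
GOOD_MR = hashlib.sha256(b"constructed enclave build").digest()
AES_KEY = bytes(range(32))

def make_quote(mrenclave, tls_key, debug=False):
    """Build a constructed quote whose report data commits to tls_key."""
    return Quote(mrenclave, debug, hashlib.sha256(tls_key).digest() + bytes(32))

def try_release(quote, session_key):
    """Return the released secret, or the refusal reason as a string."""
    try:
        return release_secret(quote, session_key, [GOOD_MR], AES_KEY)
    except ProvisioningRefused as exc:
        return str(exc)

if __name__ == "__main__":
    print(try_release(make_quote(GOOD_MR, ENCLAVE_KEY), ENCLAVE_KEY) == AES_KEY)
    print(try_release(make_quote(GOOD_MR, ENCLAVE_KEY), HOST_KEY))
```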

It is worth mentioning that variations of the protocol may require performing remote attestation of the relying party as well, ensuring mutual authentication between enclaves.

By employing this secure secret key provisioning protocol, enclaves can receive the necessary decryption keys in a protected manner, mitigating the risks associated with exposing sensitive secrets to potential adversaries who control the host environment.

