Vault Remote Attestation Plug-In

The confidential computing relies on the vault for key management, effectively reducing the burden of managing keys and minimizing the potential attack surface in case of key compromise. The vault offers a secure and persistent storage backend that the administrator can configure. It is a repository for sensitive information, including data encryption keys, TLS Root-CAs, and external credentials.

There are multiple approaches to implementing the vault concept, all of which share the core functionality of verifying the container's integrity before provisioning secrets (such as generated or configured secrets) and TLS credentials issued by a key management certificate authority (CA). Some alternative approaches utilize standalone software that typically offers only the basic functionality mentioned above. These solutions may be relatively obscure, requiring initial training to comprehend the setup, tools, syntax, limitations, potential sources of errors, and real-world deployment.

In contrast, Enclaive's vault leverages an enclaved version of HashiCorp Vault to ensure secure key storage, enterprise-ready access control, and also augments the system with the provisioning of an attested public key infrastructure (PKI). Moreover, the vault integrates with hardware security modules (HSMs) and identity management systems (IMSs). This tool is well-known, open-source, and has a proven track record in the field.

To enable the hardware secure enclave capabilities in HashiCorp Vault, an attestation/provisioning plugin is necessary. We avoid implementing vault functionality within our attestation software by employing this plugin. Instead, we focus on attestation access control for pre-existing software. This approach significantly reduces the barrier to entry for utilizing enclaved applications, allows for a mixed-use environment with both enclaved and legacy applications within a cluster, and enhances security by relying on widely used, regularly maintained open-source code.