# Attestation

<figure><img src="https://lh4.googleusercontent.com/N_9loaQdpOaxn62aFzSoWXFHOyWUTSafMzmqyAAtTbWUo-0XL2IxeL9cyVY5CAIYLF4d54kCcBT2EbfCDCrF4HEKJii6mRCLtfnc6zLRZGG4E1Fs6HHzpFZ12x9g-hKRZIQljAgtc1uuYDKibkik9S8" alt=""><figcaption><p>Confidential Container Attestation Workflow</p></figcaption></figure>

Once the example configuration of vault engines for TLS and custom secrets provisioning is applied, starting an enclaved application becomes a straightforward process involving just three steps in the premain to prepare the environment and the filesystem.

Each application possesses a unique name, such as `enclaive-redis-sgx`, and generates an attestation for its self-signed certificate, which exclusively serves client authentication to the vault server.

The plugin searches for the required measurement using the provided application name when an authentication request is received. After confirming the quote's authenticity, the attested measurement and the user-supplied report data are compared against the expected measurement and the hash of the client certificate used in the request.

If all the checks pass, the client is granted a temporary token that allows access to a KVv2 secret associated with its attested name. Additionally, the client receives certificate issuance for its name subdomain within the cluster service domain.

To maintain the confidentiality of the access token, the client engages in peer certificate pinning following the authentication process. Since this logic is also included in the measurement, the coordinator can provide attestation that the application will not inadvertently expose this secret.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/confidential-cloud/technology-in-depth/intel-sgx/vault-remote-attestation-plug-in/attestation.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.