Configuration

Last updated 11 months ago

Was this helpful?

Configuration

Intel SGX

Vault Setup

The setup process for Vault begins with the initialization of the operator, which emits unsealing key shares and a root access token. Once the operator is unsealed and logged in, the SGX authentication plugin is registered and loaded. This step needs to be performed only once.

To ensure compatibility with our premain, we apply the example configuration to the vault during setup. This includes the following one-time steps:

Enabling the SGX authentication plugin at sgx-auth.
Configuring the PKI engine at sgx-pki.
Registering the KVv2 secrets at sgx-app.
Creating client certificates for external access.

To register an enclave based on its measurement, the following steps are performed for each enclave:

Creating a user with a name and measurement at sgx-auth.
Allowing certificate issuance for the specified name at sgx-pki.
Storing secrets for the specified name at sgx-app.
Creating access policies for a role specific to the name.

The provided name is used to issue a token for the role, granting access to the PKI and secrets through the defined policy.

All of these steps are performed using only the vault client.

PKI Configuration

The PKI configuration at sgx-pki consists of an intermediate CA that is signed by another PKI at sgx-pki-root. Both PKIs are configured with CRL (Certificate Revocation List) distribution endpoints within the cluster domain. This setup allows easy rotation of the PKI infrastructure if critical security issues are discovered that could potentially expose issued certificates within the vault or a service.

Unlike the temporary certificate used solely for interacting with the Vault API, this PKI is persisted using integrated data sealing and remains intact even after a reboot.

Secrets Configuration

Our premain currently supports three types of secrets to ensure compatibility with various applications:

Environment variables

environment represented as a map of strings to strings.

Command-line arguments

argv represented as an array of strings.

Secrets stored in files

files represented as a map of paths to base64-encoded content.

These secrets can be uploaded in a JSON string format.

Premain Interaction with Vault

The premain interacts with the vault using the vault software library for communication. Upon successful authentication, it requests secrets for its configured name and a certificate with a private key for its service domain name. Before provisioning, which involves executing the application with additional arguments, the TLS configuration is stored under /secrets/tmp along with the cluster PKI CA.

TLS-Credential Distribution

All attested applications within the cluster share the same CA, allowing them to securely communicate with each other unless the CA has been rotated. This enables full mutual TLS within the entire cluster at the application level.

The external client certificates generated during setup or after a PKI rotation can be utilized to directly access a service or set up a reverse proxy outside the cluster, facilitating conventional TLS-based access to the service.