In this tutorial, we'll generate SSH secrets that we'll use to connect to our Azure VM via SSH.
Create a template
The first step will be to create a template for VM. You can refer to the tutorial for a better understanding of how to do this.
Create a namespace
The second step will be to create a namespace. This is a mandatory requirement for creating attestation. You can learn how to create and use namespaces in the .
Create dkv-v2 engines
The third step is to create two engines. The first is called "vm-auth", where we'll store the SSH secrets. The second engine is called "buckypaper", where we will store the description key.
At this stage, we will create an Azure VM from the DC2as_v5 family with the Ubuntu 20_04-lts-cvm operating system version, as it supports confidential VMs.
When creating the VM, you should also include cloud-init. The configuration for cloud-init is shown below.
ENV
Description
Value
ENCLAIVE_PROTOCOL
sev-snp
ENCLAIVE_SOURCE
The provider name that we specified during the measurement creation.
azure
ENCALIVE_INSTANCE
The "instance" field that we obtained during the attestation creation.
77255d88-754c-42a3-954f-58fb86bf48a5
ENCALIVE_RESOURCE
Virtual machine name
azure-vm
ENCALIVE_NITRIDE
Nitride URL
http://localhost:8200
ENCALIVE_KEYSTORE
Vault URL
http://localhost:8200
ENCLAIVE_FEATURES
The path from which secrets are added to the VM for a particular user.
method:user:secret:name
In the ENCLAVE_FEATURES variable, "method" can be either "ssh-key" or "ssh-pw", "user" is the scope in which the secrets are stored, "secret" is the name under which we store the secret, and "name" is the username to which the keys are added. We need to set which method for SSH connection will be added for the user.
At this stage, we will create an AWS EC2 from the M6a family with the Ubuntu 23.04 operating system version, as it supports confidential VMs.
When creating the VM, you should also include cloud-init. The configuration for cloud-init is shown below.
ENV
Description
Value
ENCLAIVE_PROTOCOL
sev-snp
ENCLAIVE_SOURCE
The provider name that we specified during the measurement creation.
aws
ENCALIVE_INSTANCE
The "instance" field that we obtained during the attestation creation.
77255d88-754c-42a3-954f-58fb86bf48a5
ENCALIVE_RESOURCE
Virtual machine name
aws-vm
ENCALIVE_NITRIDE
Nitride URL
http://localhost:8200
ENCALIVE_KEYSTORE
Vault URL
http://localhost:8200
ENCLAIVE_FEATURES
The path from which secrets are added to the VM for a particular user.
method:user:secret:name
In the ENCLAVE_FEATURES variable, "method" can be either "ssh-key" or "ssh-pw", "user" is the scope in which the secrets are stored, "secret" is the name under which we store the secret, and "name" is the username to which the keys are added. We need to set which method for SSH connection will be added for the user.
Once all the steps have been completed, the result of the attestation will be sent to the webhook you specified when creating the attestation. Below is an example of what is sent to the webhook. Ensure that the webhook accepts the HTTP POST method.
