
OUTDATED Provisioning SSH keys

Last updated 1 year ago


In this tutorial, we'll generate SSH secrets in Nitride and use them to connect to our Azure or AWS confidential VM via SSH.

Create a template

The first step is to create a template for the VM. The tutorial "Create a Buckypaper VMs template" explains how to do this.

Create a namespace

The second step is to create a namespace. This is a mandatory requirement for creating an attestation. You can learn how to create and use namespaces in the documentation.

Create dkv-v2 engines

The third step is to create two engines. The first is called "vm-auth" and stores the SSH secrets. The second is called "buckypaper" and stores the description key.

POST http://localhost:8200/v1/sys/mounts/vm-auth

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Body:
  type (string): dkv-v2

Response:
  204 No Content

POST http://localhost:8200/v1/sys/mounts/buckypaper

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Body:
  type (string): dkv-v2

Response:
  204 No Content

Generate SSH secrets

At this stage, we need to generate the SSH secrets. There are two kinds: SSH KEY (generation of a private/public key pair) and SSH PW (generation of a password). Each is stored in the "vm-auth" engine under a user scope and a secret name.

GET http://localhost:8200/v1/vm-auth/data/:user/ssh-key/:name

We have generated the SSH key pair for the azure user, which will be stored under the name "azureuser".

Params:
  user (string): azure
  name (string): azureuser

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Response:

{
    "request_id": "729ee29d-ddf5-58a7-ffe5-8bd61d2b9b46",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "data": {
            "private": "<private key omitted>",
            "public": "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUxBa0l2dGwrSjJQT3BDZ1BzOStxL1NXbUpqVWliYkNNbHFaa20wQjU0UFYK"
        },
        "metadata": {
            "created_time": "2024-04-22T07:40:18.023159651Z",
            "custom_metadata": null,
            "deletion_time": "",
            "destroyed": false,
            "version": 1
        }
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

GET http://localhost:8200/v1/vm-auth/data/:user/ssh-pw/:name

We have generated the SSH password for the azure user, which will be stored under the name "azureuser".

Params:
  user (string): azure
  name (string): azureuser

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Response:

{
    "request_id": "0c47dfbe-b2b7-a764-bd6c-ef8007ed1827",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "data": {
            "value": "H36VDP5D335PJIXNMHSBULJOSJUPZIHVJAIRLFJTTZAAWU3FWTJQ"
        },
        "metadata": {
            "created_time": "2024-04-22T07:47:08.024377569Z",
            "custom_metadata": null,
            "deletion_time": "",
            "destroyed": false,
            "version": 1
        }
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

GET http://localhost:8200/v1/vm-auth/data/:user/ssh-key/:name

We have generated the SSH key pair for the aws user, which will be stored under the name "ec2-user".

Params:
  user (string): aws
  name (string): ec2-user

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Response:

{
    "request_id": "729ee29d-ddf5-58a7-ffe5-8bd61d2b9b46",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "data": {
            "private": "<private key omitted>",
            "public": "c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUxBa0l2dGwrSjJQT3BDZ1BzOStxL1NXbUpqVWliYkNNbHFaa20wQjU0UFYK"
        },
        "metadata": {
            "created_time": "2024-04-22T07:40:18.023159651Z",
            "custom_metadata": null,
            "deletion_time": "",
            "destroyed": false,
            "version": 1
        }
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

GET http://localhost:8200/v1/vm-auth/data/:user/ssh-pw/:name

We have generated the SSH password for the aws user, which will be stored under the name "ec2-user".

Params:
  user (string): aws
  name (string): ec2-user

Headers:
  X-Vault-Token: <token>
  X-Vault-Namespace: education

Response:

{
    "request_id": "0c47dfbe-b2b7-a764-bd6c-ef8007ed1827",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "data": {
            "value": "H36VDP5D335PJIXNMHSBULJOSJUPZIHVJAIRLFJTTZAAWU3FWTJQ"
        },
        "metadata": {
            "created_time": "2024-04-22T07:47:08.024377569Z",
            "custom_metadata": null,
            "deletion_time": "",
            "destroyed": false,
            "version": 1
        }
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

Register new workload

POST http://localhost:8200/v1/auth/ratls/attestation/create

Body:
  template (string): f05d8808-547a-4e9a-9843-07c3f55b7e67
  namespace (string): education
  webhook (string): http://localhost:3000/webhook

Headers:
  X-Vault-Token: <token>

Response:

{
    "request_id": "0bde6eee-f55b-e9a5-e1ba-7a382c6a0d50",
    "lease_id": "",
    "renewable": false,
    "lease_duration": 0,
    "data": {
        "instance": "77255d88-754c-42a3-954f-58fb86bf48a5"
    },
    "wrap_info": null,
    "warnings": null,
    "auth": null
}

Create a VM

At this stage, we will create an Azure VM from the DC2as_v5 family with the Ubuntu 20_04-lts-cvm operating system version, as it supports confidential VMs.

When creating the VM, you should also include cloud-init. The configuration for cloud-init is shown below.

Environment variables for cloud-init (ENV, description, value):

ENCLAIVE_PROTOCOL
    Value: sev-snp

ENCLAIVE_SOURCE
    Description: The provider name that we specified during the measurement creation.
    Value: azure

ENCLAIVE_INSTANCE
    Description: The "instance" field that we obtained during the attestation creation.
    Value: 77255d88-754c-42a3-954f-58fb86bf48a5

ENCLAIVE_RESOURCE
    Description: Virtual machine name
    Value: azure-vm

ENCLAIVE_NITRIDE
    Description: Nitride URL
    Value: http://localhost:8200

ENCLAIVE_KEYSTORE
    Description: Vault URL
    Value: http://localhost:8200

ENCLAIVE_FEATURES
    Description: The path from which secrets are added to the VM for a particular user.
    Value: method:user:secret:name

In the ENCLAIVE_FEATURES variable, "method" is either "ssh-key" or "ssh-pw", "user" is the scope in which the secrets are stored, "secret" is the name under which we stored the secret, and "name" is the username to which the key or password is added. Choose which SSH login method is provisioned for the user:

ENCLAIVE_FEATURES=ssh-key:azure:azureuser:root
ENCLAIVE_FEATURES=ssh-pw:azure:azureuser:root
#cloud-config
runcmd:
  - |
    set -eu

    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=azure
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a5
    export ENCLAIVE_RESOURCE=azure-vm
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200
    export ENCLAIVE_FEATURES=ssh-pw:azure:azureuser:root

    # Pick a downloader; both forms take the output file first, then the URL.
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -s -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi

    # Fetch the enclaivelet client and the provision helper from Nitride.
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"
    $COMMAND provision "$ENCLAIVE_NITRIDE/static/provision"

    chmod +x client provision
    ./client

    # The secrets are provisioned for root, so root login over SSH must be permitted.
    echo 'PermitRootLogin yes' | sudo tee -a /etc/ssh/sshd_config
    sudo systemctl restart sshd

At this stage, we will create an AWS EC2 from the M6a family with the Ubuntu 23.04 operating system version, as it supports confidential VMs.

When creating the VM, you should also include cloud-init. The configuration for cloud-init is shown below.

Environment variables for cloud-init (ENV, description, value):

ENCLAIVE_PROTOCOL
    Value: sev-snp

ENCLAIVE_SOURCE
    Description: The provider name that we specified during the measurement creation.
    Value: aws

ENCLAIVE_INSTANCE
    Description: The "instance" field that we obtained during the attestation creation.
    Value: 77255d88-754c-42a3-954f-58fb86bf48a5

ENCLAIVE_RESOURCE
    Description: Virtual machine name
    Value: aws-vm

ENCLAIVE_NITRIDE
    Description: Nitride URL
    Value: http://localhost:8200

ENCLAIVE_KEYSTORE
    Description: Vault URL
    Value: http://localhost:8200

ENCLAIVE_FEATURES
    Description: The path from which secrets are added to the VM for a particular user.
    Value: method:user:secret:name

In the ENCLAIVE_FEATURES variable, "method" is either "ssh-key" or "ssh-pw", "user" is the scope in which the secrets are stored, "secret" is the name under which we stored the secret, and "name" is the username to which the key or password is added. Choose which SSH login method is provisioned for the user:

ENCLAIVE_FEATURES=ssh-key:aws:ec2-user:root
ENCLAIVE_FEATURES=ssh-pw:aws:ec2-user:root
#cloud-config
runcmd:
  - |
    set -eu

    export ENCLAIVE_PROTOCOL=sev-snp
    export ENCLAIVE_SOURCE=aws
    export ENCLAIVE_INSTANCE=77255d88-754c-42a3-954f-58fb86bf48a5
    export ENCLAIVE_RESOURCE=aws-vm
    export ENCLAIVE_NITRIDE=http://localhost:8200
    export ENCLAIVE_KEYSTORE=http://localhost:8200
    export ENCLAIVE_FEATURES=ssh-pw:aws:ec2-user:root

    # The SEV guest driver is needed to obtain the SEV-SNP attestation report.
    sudo apt-get update -y
    sudo apt-get install -y linux-modules-extra-$(uname -r)
    sudo modprobe sev-guest

    # Pick a downloader; both forms take the output file first, then the URL.
    if [ -x "$(command -v curl)" ]; then
      COMMAND="curl -s -o"
    elif [ -x "$(command -v wget)" ]; then
      COMMAND="wget -q -O"
    else
      echo "Not installed: curl|wget"
      exit 1
    fi

    # Fetch the enclaivelet client and the provision helper from Nitride.
    $COMMAND client "$ENCLAIVE_NITRIDE/static/enclaivelet"
    $COMMAND provision "$ENCLAIVE_NITRIDE/static/provision"

    chmod +x client provision
    ./client

    # The secrets are provisioned for root, so root login over SSH must be permitted.
    echo 'PermitRootLogin yes' | sudo tee -a /etc/ssh/sshd_config
    sudo systemctl restart sshd

Once all the steps have been completed, the result of the attestation will be sent to the webhook you specified when creating the attestation. Below is an example of what is sent to the webhook. Ensure that the webhook accepts the HTTP POST method.

{
  "Success": true,
  "Message": "success",
  "Instance": "77255d88-754c-42a3-954f-58fb86bf48a5",
  "Resource": "name",
  "Quote": "eyJWZXJzaWlE9PSJ9fQ=="
}
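A minimal receiver for that webhook, added here as an example and not part of Nitride or the enclaive tooling: it accepts the POST, checks that "Success" is true and that "Instance" matches the instance we registered, and rejects anything else before any SSH secret is treated as usable. The sample body and the Quote value are constructed; the instance id and the /webhook path are the ones used on this page.

```python
import base64
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_INSTANCE = "77255d88-754c-42a3-954f-58fb86bf48a5"  # from attestation/create

# Constructed sample body in the page's webhook format (the Quote is made up).
SAMPLE_BODY = json.dumps({
    "Success": True,
    "Message": "success",
    "Instance": EXPECTED_INSTANCE,
    "Resource": "azure-vm",
    "Quote": base64.b64encode(b'{"Version": 1}').decode(),
}).encode()


def validate_attestation_result(body: bytes, expected_instance: str) -> dict:
    """Check a webhook body; returns {'ok': bool, 'reason': str, ...} and never raises."""
    try:
        msg = json.loads(body)
    except ValueError:
        return {"ok": False, "reason": "body is not JSON"}
    if not isinstance(msg, dict):
        return {"ok": False, "reason": "body is not a JSON object"}
    # Nitride must report success AND the result must belong to the instance we
    # registered, so a result for another VM cannot unlock this one's secrets.
    if msg.get("Success") is not True:
        return {"ok": False, "reason": f"attestation failed: {msg.get('Message')!r}"}
    if msg.get("Instance") != expected_instance:
        return {"ok": False, "reason": "Instance does not match the registered workload"}
    try:
        quote = base64.b64decode(msg.get("Quote", ""), validate=True)
    except (ValueError, TypeError):
        return {"ok": False, "reason": "Quote is not valid base64"}
    return {"ok": True, "reason": "success", "quote_len": len(quote)}


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/webhook":  # the path registered in attestation/create
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        result = validate_attestation_result(self.rfile.read(length), EXPECTED_INSTANCE)
        self.send_response(200 if result["ok"] else 400)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(result).encode())


if __name__ == "__main__":
    HTTPServer(("localhost", 3000), WebhookHandler).serve_forever()
```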

After receiving the attestation result via the webhook, we can connect to the VM using the secrets we created earlier: with the ssh-key method, pass the private key; with the ssh-pw method, enter the generated password when prompted.

ssh -i <PATH TO SSH KEY> root@<IP ADDRESS>
ssh root@<IP ADDRESS>

For more detailed information on creating an attestation, you can refer to the documentation.
