Use Case
A prime application scenario for vHSM is secret key provisioning. In many cases, a task executed within an enclave requires access to confidential information such as cryptographic keys, environment variables, or configuration files. Consider a Buckypaper VM that needs disk encryption or SSH host keys, a web server container in a Dyneemes cluster that needs the private key for its TLS server certificate, or a database that needs the admin password.
Challenge
In essence, an enclave is a fully encrypted process residing entirely in memory. Similar to any other process, it is loaded from a binary file stored on persistent storage, which is managed by the Cloud Service Provider (CSP). In the security model of confidential computing, the CSP is regarded as untrusted, so storing secrets on disk is not feasible. Doing so could potentially expose the secrets to reverse engineering by the CSP, thereby compromising the security of the enclave.
One suggestion is to encrypt the persistent storage; however, this only moves the problem: where should the disk encryption key be securely stored, and how should it be provisioned to the enclave in the first place?
Solution
Key management services play a crucial role in securely storing secrets and managing access to cryptographic keys in a centralized manner. By leveraging Nitride Workload Identity Management, we extend what secret management can do. Conventional IAM systems grant access to secrets only to users; Nitride, for the very first time, extends the IAM concept to certified, attestable workloads.
Here’s how the integration of Nitride into the vHSM Key Management Service enables secret provisioning:
Attestation: The attestation shim (enclaivelet) acts on behalf of the confidential execution environment and interacts with Nitride. The goal is to attest to the confidentiality and integrity of the environment.
Vault Auth Token Retrieval: Once the attestation has been validated, the enclaivelet retrieves a JWT authentication token. This token allows the workload to authorize access to Vault secrets.
Vault Auth Token Injection: The enclaivelet injects the JWT authentication token into the workload. This way, the workload can authenticate itself towards Vault.
Secure Secret Request: The workload requests secrets from Vault, such as cryptographic keys, bearer tokens, system variables, configuration files, or trustlets.
Secure Secret Provisioning: Once Vault has verified the JWT auth token and checked the access policies, it securely provisions the authorized secrets into the enclave. This exchange takes place over a TLS-secured channel.
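The five steps above, modelled as an added offline example (this is not enclaive's or Vault's code): Nitride, Vault and the enclaivelet are stand-in functions, and the enclave measurement, role, policy, secret path and HS256 signing key are constructed assumptions. Note how a secret is released only when the attestation is trusted, the token is intact and unexpired, and the role's policy covers the requested path.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values (assumptions, not real deployment data)
NITRIDE_SIGNING_KEY = b"constructed-demo-key"        # assumption: HS256 key shared by Nitride and Vault
TRUSTED_MEASUREMENTS = {"a1b2c3": "web-server"}      # constructed enclave measurement -> workload role
VAULT_POLICIES = {"web-server": {"secret/tls/server-key"}}   # role -> paths it may read
VAULT_SECRETS = {"secret/tls/server-key": "-----BEGIN PRIVATE KEY----- (constructed)"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def nitride_attest(evidence: dict) -> Optional[str]:
    """Steps 1-2: Nitride validates the attestation evidence and mints a JWT for the role."""
    role = TRUSTED_MEASUREMENTS.get(evidence.get("measurement"))
    if role is None or not evidence.get("debug_disabled", False):
        return None  # unknown enclave image, or enclave running in debug mode: no token
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": role, "exp": int(time.time()) + 300}).encode())
    sig = hmac.new(NITRIDE_SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def vault_read(token: str, path: str) -> Optional[str]:
    """Steps 4-5: Vault verifies the JWT, then enforces the role's policy before releasing a secret."""
    try:
        header, claims, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(NITRIDE_SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # forged or tampered token
    body = json.loads(base64.urlsafe_b64decode(claims + "=" * (-len(claims) % 4)))
    if body["exp"] < time.time():
        return None  # expired token
    if path not in VAULT_POLICIES.get(body["sub"], set()):
        return None  # policy denies this path for this workload role
    return VAULT_SECRETS.get(path)

def provision(evidence: dict, path: str) -> Optional[str]:
    """End-to-end flow: attest, inject the token into the workload (step 3), fetch the secret."""
    token = nitride_attest(evidence)   # enclaivelet obtains the JWT on the enclave's behalf
    if token is None:
        return None
    return vault_read(token, path)     # workload presents the injected token to Vault
```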
Benefits
Secrets remain encrypted throughout their lifecycle. Users can ensure that their cryptographic keys are managed according to industry best practices, which minimizes the risk of data breaches and ensures consistent key management.
Nitride Identity Provider leverages robust security controls. These controls protect against attacks and unauthorized access to sensitive keys.
Nitride enhances compliance by providing secure and scalable key lifecycle management on-premises and in private, public, hybrid, and cross-cloud settings.