Virtual HSM
Home
  • Virtual HSM
  • Documentation
    • What is Virtual HSM?
    • Use Case: Attested Secret Provisioning in the Cloud
    • Setup
      • Install
      • vHSM Server Configuration
        • Parameters
        • vHSM Telemetry Parameters
      • vHSM Agent
        • Agent Configuration
      • vHSM Proxy
        • Proxy Configuration
    • Get Started
      • Start the Vault server
      • MariaDB root admin password provisioning on Azure DCXas_v5 VM
    • Supported Cloud Configurations
  • Tutorials
    • Deploying the vhsm Container on an EC2 Instance
    • CLI quickstart
    • vHSM Agent quickstart
    • vHSM Proxy quickstart
    • Passing vHSM secrets using ConfigMaps
    • Provisioning MariaDB Password on Azure DCXas_v5 VM
    • Registering a buckypaper plugin
    • Monitoring vHSM with Grafana
  • Integration with Utimaco SecurityServer
    • Integrate enclaive vHSM with Utimaco HSM
  • API
    • Auth
    • Default
    • Secrets
    • System
    • Identity
    • Models
  • vHSM CLI
    • Server and Infrastructure Management
      • vhsm server
      • vhsm proxy
      • vhsm monitor
      • vhsm status
      • vhsm agent
    • Secret Management
      • vhsm read
      • vhsm write
      • vhsm delete
      • vhsm list
      • vhsm secrets
        • vhsm secrets enable
        • vhsm secrets disable
        • vhsm secrets list
        • vhsm secrets move
        • vhsm secrets tune
      • vhsm unwrap
    • Configuration and Management
      • vhsm plugin
        • vhsm plugin info
        • vhsm plugin deregister
        • vhsm plugin list
        • vhsm plugin register
        • vhsm plugin reload
        • vhsm plugin reload-status
      • vhsm namespace
      • vhsm operator
      • vhsm print
      • vhsm path-help
      • vhsm lease
    • Auditing and Debugging
      • vhsm audit
      • vhsm debug
    • Attestation
    • Security and Encryption
      • vhsm pki
        • vhsm pki health-check
        • vhsm pki issue
        • vhsm pki list-intermediates
        • vhsm pki reissue
        • vhsm pki verify-sign
      • vhsm transit
      • vhsm ssh
      • vhsm transform
    • Authentication and Authorization
      • vhsm login
      • vhsm auth
      • vhsm token
      • vhsm policy
    • Storage and Data Mangement
      • vhsm kv
      • vhsm patch
    • vhsm version
      • vhsm version-history
  • Troubleshooting
    • CA Validity Period
    • CRL Validity Period
    • Root Certificate Issued Non-CA Leaves
    • Role Allows Implicit Localhost Issuance
    • Role Allows Glob-Based Wildcard Issuance
    • Performance Impact
    • Accessibility of Audit Information
    • Allow If-Modified-Since Requests
    • Auto-Tidy Disabled
    • Tidy Hasn't Run
    • Too Many Certificates
    • Enable ACME Issuance
    • ACME Response Headers Configuration
  • Resources
    • Community
    • GitHub
    • Youtube
    • CCx101 wiki
Powered by GitBook
On this page
  • Challenge
  • Solution
  • Perks

Was this helpful?

  1. Documentation

Use Case: Attested Secret Provisioning in the Cloud

PreviousWhat is Virtual HSM?NextSetup

Last updated 8 months ago

Was this helpful?

A prime application scenario for vHSM involves secret key provisioning. In various instances, tasks executed within an enclave require access to confidential information, such as cryptographic keys, environment variables, or configuration files. Consider scenarios like a VM requiring disk encryption or SSH host keys, a Web server container in a cluster necessitating TLS server certificate keys, or a database needing access to the admin password.

Challenge

In essence, an enclave is a fully encrypted process residing entirely in memory. Similar to any other process, it is loaded from a binary file stored on persistent storage, which is managed by the Cloud Service Provider (CSP). In the security model of confidential computing, the CSP is regarded as untrusted, so storing secrets on disk is not feasible. Doing so could potentially expose the secrets to reverse engineering by the CSP, thereby compromising the security of the enclave.

A suggestion could be to encrypt the persistent storage; however, this introduces additional inquiries: where should the disk encryption key be securely stored, and how should it be adequately provisioned?

Solution

Here’s how the integration of Nitride into the Key Management Service enables secret provisioning:

  1. Attestation Shim (enclaivelet): The attestation shim operates on behalf of the confidential execution environment. It attests to the confidentiality and integrity of the environment.

  2. Workload Attestation Certificate Validation:

    Upon validating the workload attestation certificate, Nitride issues an authentication token. This token allows authorized access to secrets stored in the Vault.

  3. Authentication Flow: enclaivelet forwards the authentication token to the workload. The workload can then authenticate itself towards the Vault. It can request secrets, including keys, bearer tokens, environment variables, and configuration files.

  4. Secure Secret Provisioning:

    Once authenticated, Vault securely provisions the requested secrets into the enclave. This communication occurs via a secure protocol.

Perks

  • Throughout the lifecycle secrets are encrypted. Organizations can ensure that their cryptographic keys are managed according to industry best practices. This minimizes the risk of data breaches and ensures consistent key management.

  • Nitride Identity Provider leverages robust security controls. These controls protect against attacks and unauthorized access to sensitive keys.

  • Nitride enhances compliance by providing secure and scalable key lifecycle management on-premises, in the private, public, hybrid and cross cloud setting.

Key management services, such as , , or , play a crucial role in securely storing secrets while managing access to cryptographic keys in a centralized manner. By integrating a Nitride identity provider, we can enhance the capabilities of secret management systems. Nitride not only grants access to secrets for users but also extends this privilege to certified workloads.

AWS KMS
Microsoft Azure Key Vault
Google Cloud Key Vault
enclaive Cross Cloud Key Vault
buckypaper
dyneemes
Drawing