Provisioning a MariaDB Password on an Azure DCXas_v5 VM
This tutorial guides you through provisioning a MariaDB container on a confidential Buckypaper VM in Azure. The steps can be adapted for any cloud service provider that supports Buckypaper.
Confidential computing gives each workload running in an enclave a verifiable identity. Nitride builds workload identity management on this: instead of a user presenting credentials, a Buckypaper VM performs attestation, which plays the role of authentication for workloads, and Nitride, acting as the workload identity provider, checks that attestation before the VM is granted access to the Vault key management service. Nitride policies define which attestation evidence a workload must present and which access privileges it receives, so access in a confidential environment is tied to what the workload is rather than to a shared password.
The Buckypaper secret engine is enabled by default on the hosted vHSM. You can use this vHSM to generate, store, and manage cryptographic keys. If you are using your own vHSM instance, enable the Buckypaper secret engine there before you start.
Prerequisites
Create a Buckypaper VM with Azure DCXas_v5 as the cloud service provider.
Install Docker in the Buckypaper VM.
Install the vhsm CLI in the Buckypaper VM.
To generate a dynamic secret for MariaDB, log in to the hosted vHSM or to your own vHSM server with the Buckypaper plugin enabled, and authenticate using your credentials.
Install the vhsm CLI on your local computer if you are using your own instance of vHSM for attestation.
To attest the VM and provision a MariaDB password on an Azure DCXas_v5 virtual machine:
Note: If you are using your own instance of the vHSM server, first set up the default authentication method, identities, and policies with the command: vhsm nitride init
Create and Verify the attestation
Perform these steps in the Buckypaper virtual machine to create the attestation and obtain the login token.
Create an attestation.json file with the following content as a vHSM-Nitride admin or user. The policy field names the Nitride policy (here azure-dc2asv5-raw) that the VM's attestation evidence is evaluated against.
{
"name": "Azure MariaDB",
"description": "A small Azure VM running MariaDB",
"events": "http://localhost:8000",
"policy": "azure-dc2asv5-raw"
}
Create the attestation workload using: vhsm nitride attestation create @attestation.json
The output is similar to:
Key Value
--- -----
created 1743342924
description A small Azure VM running MariaDB
events http://localhost:8000
name Azure MariaDB
namespace n/a
nonce n/a
policy azure-dc2asv5-raw
updated 0
uuid 3baaa53a-3128-473c-9afa-cc7bec68abf3
Note: Make a note of the workload uuid; the following steps reference it.
Run the attestation against the azure-sev-snp-vtpm provider and verify that it succeeded using: vhsm nitride attestation -provider=azure-sev-snp-vtpm report <workload-uuid>
The output is similar to:
Key Value
--- -----
token hvs.CAESIHwVECmidfgE5KgKQgutQjfTFpqEBheHxUS1uYcAZzAgGh4KHGh2cy5ZSVZWbWZtaVo5VU5iMEJxU1dFb0hUckk
token_accessor bE3QPJX5YRP4ATOEdyx6sFNT
token_duration 768h
token_renewable false
token_policies ["default" "enclaive-attested"]
identity_policies []
policies ["default" "enclaive-attested"]
token_meta_measurement ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace n/a
token_meta_workload 3baaa53a-3128-473c-9afa-cc7bec68abf3
created 1743342924
description A small Azure VM running MariaDB
events http://localhost:8000
name Azure MariaDB
namespace n/a
nonce n/a
policy azure-dc2asv5-raw
updated 1743343032
uuid 3baaa53a-3128-473c-9afa-cc7bec68abf3
Note: Before using the token, confirm that token_meta_workload matches the workload uuid from the previous step and that token_policies includes enclaive-attested. token_meta_measurement is the VM measurement that was evaluated against the azure-dc2asv5-raw policy; a token without the attested policy indicates that the attestation did not satisfy the policy.
Generate a dynamic secret for MariaDB
Note: Use the login token obtained in the Buckypaper VM to authenticate to the vHSM and retrieve secrets from the Buckypaper secret engine.
Generate a dynamic secret: vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true
Key Value
--- -----
data map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata map[created_time:2025-03-31T10:57:38.182817117Z custom_metadata:<nil> deletion_time: destroyed:false version:1]
Note: The value shown under the data key is the dynamically created secret. In this example, the secret is WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA; it is referred to as <secret> below and should be handled as a credential, not logged or pasted into shared files.
Start a MariaDB container
Start a Docker container running MariaDB, passing the secret as the root password:
docker run -d --name mariadb \
-e MARIADB_ROOT_PASSWORD=<secret> \
mariadb:latest
Note: A password passed with -e remains in your shell history and is visible in the output of docker inspect. On a shared or long-lived VM, prefer the image's MARIADB_ROOT_PASSWORD_FILE variable pointing at a file with restricted permissions, so the secret never appears on the command line.
Verify that the password is set:
docker exec -it mariadb mariadb -p<secret>
Example Output:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 11.7.2-MariaDB-ubu2404 mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
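The procedure above, attestation, token, dynamic secret and container start, as one script with the checks a practitioner adds before trusting the token or the secret. This is an added example written for this page, not enclaive's code. It assumes that the vhsm CLI prints the two-column "Key Value" tables shown in the tutorial output and honours VAULT_TOKEN the way the Vault CLI does, that docker is on the PATH, and that attestation.json exists in the working directory; the helper and variable names (vhsm_field, kv_value, check_token_binding, valid_secret, PROVISION_RUN) are this example's own. The sample tables embedded below are constructed from the tutorial's example output so the helpers can be exercised without a vHSM.

```shell
#!/bin/sh
# Added example (not part of the enclaive tutorial): the attest -> token ->
# secret -> container steps as one script, with checks. Assumes the vhsm CLI
# prints the "Key Value" tables shown above and reads VAULT_TOKEN like the
# Vault CLI, that docker is on PATH and attestation.json exists (assumptions).
set -eu

# Print the value for KEY from a vhsm "Key Value" table read on stdin.
vhsm_field() {
    awk -v key="$1" '$1 == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }'
}

# Extract the generated secret from the "data map[value:...]" row of vhsm read.
kv_value() {
    sed -n 's/^[[:space:]]*data[[:space:]]*map\[value:\(.*\)]$/\1/p'
}

# Refuse a login token unless it is bound to the workload we registered and
# carries the enclaive-attested policy the tutorial output shows.
check_token_binding() {
    report="$1"; expected_uuid="$2"
    bound=$(printf '%s\n' "$report" | vhsm_field token_meta_workload)
    policies=$(printf '%s\n' "$report" | vhsm_field token_policies)
    [ "$bound" = "$expected_uuid" ] || return 1
    case "$policies" in *enclaive-attested*) ;; *) return 1 ;; esac
}

# Sanity-check the dynamic secret before MariaDB sees it: non-empty, at least
# 32 characters, and only characters that are safe in a file or env variable.
valid_secret() {
    s="$1"
    [ -n "$s" ] && [ "${#s}" -ge 32 ] || return 1
    case "$s" in *[!A-Za-z0-9_=+/-]*) return 1 ;; esac
}

# Constructed samples copied from the tutorial's example output (the report is
# abbreviated to the rows the checks use).
SAMPLE_CREATE='Key Value
--- -----
created 1743342924
policy azure-dc2asv5-raw
uuid 3baaa53a-3128-473c-9afa-cc7bec68abf3'

SAMPLE_REPORT='Key Value
--- -----
token hvs.CAESIHwVECmidfgE5KgKQgutQjfTFpqEBheHxUS1uYcAZzAgGh4KHGh2cy5ZSVZWbWZtaVo5VU5iMEJxU1dFb0hUckk
token_policies ["default" "enclaive-attested"]
token_meta_measurement ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_workload 3baaa53a-3128-473c-9afa-cc7bec68abf3
uuid 3baaa53a-3128-473c-9afa-cc7bec68abf3'

SAMPLE_READ='Key Value
--- -----
data map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata map[created_time:2025-03-31T10:57:38.182817117Z custom_metadata:<nil> deletion_time: destroyed:false version:1]'

# The tutorial's procedure end to end, to be run on the Buckypaper VM. Only
# executed when PROVISION_RUN=1 so the helpers above can be tested offline.
provision_mariadb() {
    create_out=$(vhsm nitride attestation create @attestation.json)
    uuid=$(printf '%s\n' "$create_out" | vhsm_field uuid)

    report_out=$(vhsm nitride attestation -provider=azure-sev-snp-vtpm report "$uuid")
    check_token_binding "$report_out" "$uuid" || { echo "token not bound to workload $uuid" >&2; return 1; }
    VAULT_TOKEN=$(printf '%s\n' "$report_out" | vhsm_field token); export VAULT_TOKEN

    secret=$(vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true | kv_value)
    valid_secret "$secret" || { echo "unexpected secret format" >&2; return 1; }

    # Pass the secret through a 0600 file and MARIADB_ROOT_PASSWORD_FILE (the
    # official image's entrypoint reads it as root before dropping privileges)
    # instead of -e, keeping it out of shell history and docker inspect output.
    secret_dir=$(mktemp -d)
    (umask 077; printf '%s' "$secret" > "$secret_dir/mariadb_root")
    docker run -d --name mariadb \
        -v "$secret_dir/mariadb_root:/run/secrets/mariadb_root:ro" \
        -e MARIADB_ROOT_PASSWORD_FILE=/run/secrets/mariadb_root \
        mariadb:latest

    # Verify without putting the password in argv: the mariadb client reads MYSQL_PWD.
    for _ in 1 2 3 4 5 6 7 8 9 10 11 12; do
        if docker exec mariadb sh -c 'MYSQL_PWD=$(cat /run/secrets/mariadb_root) mariadb -uroot -e "SELECT 1"' >/dev/null 2>&1; then
            echo "MariaDB is up and the attested root password works"; return 0
        fi
        sleep 5
    done
    echo "MariaDB did not become ready" >&2; return 1
}

if [ "${PROVISION_RUN:-0}" = 1 ]; then provision_mariadb; fi
```

Run it on the VM with PROVISION_RUN=1 sh provision.sh. The two binding checks are the point of the script: a token whose token_meta_workload does not match the uuid you just created, or that lacks the enclaive-attested policy, is not evidence that this VM passed the azure-dc2asv5-raw policy and must not be used to read the secret.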
You have successfully attested a virtual machine and generated a MariaDB password using the Buckypaper secrets engine.
Note: The steps in "Generate a dynamic secret for MariaDB" can also be performed from a terminal on your local computer instead of the VM, provided VAULT_ADDR is set to the address of your vHSM instance and you authenticate with the login token obtained from the attestation.