Provisioning MariaDB Password on Azure DCXas_v5 VM

This tutorial guides you through provisioning a MariaDB container on a confidential buckypaper VM in Azure. The steps can be easily adapted for any cloud service provider that supports buckypaper.

Confidential computing revolutionizes workload security by assigning unique identities to workloads running in enclaves. With Nitride, this concept extends to workload identity management. Instead of traditional user authentication, a Buckypaper VM performs attestation—similar to user authentication but for workloads—to verify its authorization with Nitride, the workload identity provider. This ensures secure access to the Vault key management service. In Nitride, policies govern workload identity verification and define access privileges, enhancing security and control in confidential environments.

The Buckypaper secret engine in vHSM is enabled by default on vault.enclaive.cloud. You can use this vHSM to generate, store, and manage cryptographic keys seamlessly. For more information see, Registering a buckypaper plugin in a vHSM if you are using your own instance.

Prerequisites

  • Create a Buckypaper VM with Azure DCXas_v5 VM as the cloud service provider

  • Installed Docker in the Buckypaper VM

  • Install vHSM CLl in the Buckypaper VM

  • To generate a dynamic secret for MariaDB, log in to vault.enclaive.cloud or a vHSM server with buckypaper plugin enabled and then authenticate using your credentials.

  • Install vHSM on your local computer if you are using your own instance of vHSM for attestation.

To attest and provision MariaDB password on Azure DCXas_v5 Virtual Machine:

Note: If you are using your own instance of vHSM server you need to set up the default authentication, identities, and policies using the command: vhsm nitride init

Create and Verify the attestation

Perform these steps in the Buckypaper Virtual Machine to create attestation and obtain the login token.

  1. Create a attestation.json file with the following content as vHSM-Nitride admin or user.

{
  "name": "Azure MariaDB",
  "description": "A small Azure VM running MariaDB",
  "events": "http://localhost:8000",
  "policy": "azure-dc2asv5-raw"
}
  1. Create a attestation workload for the provider azure-sev-snp-vtpm using: vhsm nitride attestation create @attestation.json .

The output is similar to:

Key            Value
---            -----
created        1743342924
description    A small Azure VM running MariaDB
events         http://localhost:8000
name           Azure MariaDB
namespace      n/a
nonce          n/a
policy         azure-dc2asv5-raw
updated        0
uuid           3baaa53a-3128-473c-9afa-cc7bec68abf3

Note: Make a note of the workload uuid.

  1. Verify that attestation was successful for the provider using: vhsm nitride attestation -provider=azure-sev-snp-vtpm report <workload-uuid>

The output is similar to:

Key                       Value
---                       -----
token                     hvs.CAESIHwVECmidfgE5KgKQgutQjfTFpqEBheHxUS1uYcAZzAgGh4KHGh2cy5ZSVZWbWZtaVo5VU5iMEJxU1dFb0hUckk
token_accessor            bE3QPJX5YRP4ATOEdyx6sFNT
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace      n/a
token_meta_workload       3baaa53a-3128-473c-9afa-cc7bec68abf3
created                   1743342924
description               A small Azure VM running MariaDB
events                    http://localhost:8000
name                      Azure MariaDB
namespace                 n/a
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1743343032
uuid                      3baaa53a-3128-473c-9afa-cc7bec68abf3

Generate a dynamic secret for MariaDB

Note: Use the login token from Buckypaper VM to access and retrieve secrets from the Buckypaper secret engine.

Perform these steps in a terminal of the local computer where you have set the VAULT_ADDR='https://vault.enclaive.cloud/'.

  1. Generate a dynamic secret : vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true

Key         Value
---         -----
data        map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata    map[created_time:2025-03-31T10:57:38.182817117Z custom_metadata:<nil> deletion_time: destroyed:false version:1]

Note: The value shown under the data key represents the dynamically created secret. In this example, the secret is WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA.

Start a MariaDB container

  1. Start a docker container running MariaDB by passing the secret.

docker run -d --name mariadb \
    -e MARIADB_ROOT_PASSWORD=<secret> \
    mariadb:latest
  1. Verify that the password is set.

docker exec -it mariadb mariadb -p<secret>

Example Output:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 11.7.2-MariaDB-ubu2404 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

You have successfully attested a Virtual Machine and generated a MariaDB password using the Buckypaper secrets engine.

Last updated

Was this helpful?