Virtual HSM
Home
  • Virtual HSM
  • Documentation
    • What is Virtual HSM?
    • Use Case: Attested Secret Provisioning in the Cloud
    • Setup
      • Install
      • vHSM Server Configuration
        • Parameters
        • vHSM Telemetry Parameters
      • vHSM Agent
        • Agent Configuration
      • vHSM Proxy
        • Proxy Configuration
    • Get Started
      • Start the Vault server
      • MariaDB root admin password provisioning on Azure DCXas_v5 VM
    • Supported Cloud Configurations
  • Tutorials
    • Deploying the vhsm Container on an EC2 Instance
    • CLI quickstart
    • vHSM Agent quickstart
    • vHSM Proxy quickstart
    • Passing vHSM secrets using ConfigMaps
    • Provisioning MariaDB Password on Azure DCXas_v5 VM
    • Registering a buckypaper plugin
    • Monitoring vHSM with Grafana
  • Integration with Utimaco SecurityServer
    • Integrate enclaive vHSM with Utimaco HSM
  • API
    • Auth
    • Default
    • Secrets
    • System
    • Identity
    • Models
  • vHSM CLI
    • Server and Infrastructure Management
      • vhsm server
      • vhsm proxy
      • vhsm monitor
      • vhsm status
      • vhsm agent
    • Secret Management
      • vhsm read
      • vhsm write
      • vhsm delete
      • vhsm list
      • vhsm secrets
        • vhsm secrets enable
        • vhsm secrets disable
        • vhsm secrets list
        • vhsm secrets move
        • vhsm secrets tune
      • vhsm unwrap
    • Configuration and Management
      • vhsm plugin
        • vhsm plugin info
        • vhsm plugin deregister
        • vhsm plugin list
        • vhsm plugin register
        • vhsm plugin reload
        • vhsm plugin reload-status
      • vhsm namespace
      • vhsm operator
      • vhsm print
      • vhsm path-help
      • vhsm lease
    • Auditing and Debugging
      • vhsm audit
      • vhsm debug
    • Attestation
    • Security and Encryption
      • vhsm pki
        • vhsm pki health-check
        • vhsm pki issue
        • vhsm pki list-intermediates
        • vhsm pki reissue
        • vhsm pki verify-sign
      • vhsm transit
      • vhsm ssh
      • vhsm transform
    • Authentication and Authorization
      • vhsm login
      • vhsm auth
      • vhsm token
      • vhsm policy
    • Storage and Data Mangement
      • vhsm kv
      • vhsm patch
    • vhsm version
      • vhsm version-history
  • Troubleshooting
    • CA Validity Period
    • CRL Validity Period
    • Root Certificate Issued Non-CA Leaves
    • Role Allows Implicit Localhost Issuance
    • Role Allows Glob-Based Wildcard Issuance
    • Performance Impact
    • Accessibility of Audit Information
    • Allow If-Modified-Since Requests
    • Auto-Tidy Disabled
    • Tidy Hasn't Run
    • Too Many Certificates
    • Enable ACME Issuance
    • ACME Response Headers Configuration
  • Resources
    • Community
    • GitHub
    • Youtube
    • CCx101 wiki
Powered by GitBook
On this page
  • Create and Verify the attestation
  • Generate a dynamic secret for MariaDB
  • Start a MariaDB container

Was this helpful?

  1. Tutorials

Provisioning MariaDB Password on Azure DCXas_v5 VM

This tutorial guides you through provisioning a MariaDB container on a confidential buckypaper VM in Azure. The steps can be easily adapted for any cloud service provider that supports buckypaper.

PreviousPassing vHSM secrets using ConfigMapsNextRegistering a buckypaper plugin

Last updated 1 month ago

Was this helpful?

Confidential computing revolutionizes workload security by assigning unique identities to workloads running in enclaves. With Nitride, this concept extends to workload identity management. Instead of traditional user authentication, a Buckypaper VM performs attestation—similar to user authentication but for workloads—to verify its authorization with Nitride, the workload identity provider. This ensures secure access to the Vault key management service. In Nitride, policies govern workload identity verification and define access privileges, enhancing security and control in confidential environments.

The Buckypaper secret engine in vHSM is enabled by default on . You can use this vHSM to generate, store, and manage cryptographic keys seamlessly. For more information see, in a vHSM if you are using your own instance.

Prerequisites

  • Create awith Azure DCXas_v5 VM as the cloud service provider

  • Installed Docker in the Buckypaper VM

  • Install in the Buckypaper VM

  • To generate a dynamic secret for MariaDB, log in to or a vHSM server with buckypaper plugin enabled and then authenticate using your credentials.

  • on your local computer if you are using your own instance of vHSM for attestation.

To attest and provision MariaDB password on Azure DCXas_v5 Virtual Machine:

Note: If you are using your own instance of vHSM server you need to set up the default authentication, identities, and policies using the command: vhsm nitride init

Create and Verify the attestation

Perform these steps in the Buckypaper Virtual Machine to create attestation and obtain the login token.

  1. Create a attestation.json file with the following content as vHSM-Nitride admin or user.

{
  "name": "Azure MariaDB",
  "description": "A small Azure VM running MariaDB",
  "events": "http://localhost:8000",
  "policy": "azure-dc2asv5-raw"
}
  1. Create a attestation workload for the provider azure-sev-snp-vtpm using: vhsm nitride attestation create @attestation.json .

The output is similar to:

Key            Value
---            -----
created        1743342924
description    A small Azure VM running MariaDB
events         http://localhost:8000
name           Azure MariaDB
namespace      n/a
nonce          n/a
policy         azure-dc2asv5-raw
updated        0
uuid           3baaa53a-3128-473c-9afa-cc7bec68abf3

Note: Make a note of the workload uuid.

  1. Verify that attestation was successful for the provider using: vhsm nitride attestation -provider=azure-sev-snp-vtpm report <workload-uuid>

The output is similar to:

Key                       Value
---                       -----
token                     hvs.CAESIHwVECmidfgE5KgKQgutQjfTFpqEBheHxUS1uYcAZzAgGh4KHGh2cy5ZSVZWbWZtaVo5VU5iMEJxU1dFb0hUckk
token_accessor            bE3QPJX5YRP4ATOEdyx6sFNT
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace      n/a
token_meta_workload       3baaa53a-3128-473c-9afa-cc7bec68abf3
created                   1743342924
description               A small Azure VM running MariaDB
events                    http://localhost:8000
name                      Azure MariaDB
namespace                 n/a
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1743343032
uuid                      3baaa53a-3128-473c-9afa-cc7bec68abf3

Generate a dynamic secret for MariaDB

Note: Use the login token from Buckypaper VM to access and retrieve secrets from the Buckypaper secret engine.

  1. Generate a dynamic secret : vhsm read buckypaper/data/workload/env/MARIADB_PASSWORD dynamic=true

Key         Value
---         -----
data        map[value:WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA]
metadata    map[created_time:2025-03-31T10:57:38.182817117Z custom_metadata:<nil> deletion_time: destroyed:false version:1]

Note: The value shown under the data key represents the dynamically created secret. In this example, the secret is WHPUGFGF7DIG75CVGVCEXXNPXDGTKLONWM5DI5N4F3UA7NNXXMBA.

Start a MariaDB container

  1. Start a docker container running MariaDB by passing the secret.

docker run -d --name mariadb \
    -e MARIADB_ROOT_PASSWORD=<secret> \
    mariadb:latest
  1. Verify that the password is set.

docker exec -it mariadb mariadb -p<secret>

Example Output:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 11.7.2-MariaDB-ubu2404 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

You have successfully attested a Virtual Machine and generated a MariaDB password using the Buckypaper secrets engine.

Perform these steps in a terminal of the local computer where you have set the VAULT_ADDR=''.

https://vault.enclaive.cloud/
vault.enclaive.cloud
Registering a buckypaper plugin
Buckypaper VM
vault.enclaive.cloud
Create and Verify the attestation
Generate a dynamic secret
Start a MariaDB container
vHSM CLl
Install vHSM