You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Dec 16, 2024. It is now read-only.
All of the KMS documentation in AWS seems just like a pretty big distraction. TLS with mutual authentication should be sufficient to encrypt private payloads into the enclave. The key point here is that 1) no transactions/bundles are sent before verifying that the communication partner is the enclave itself (can be done by requesting the attestation document), 2) verifying that the correct code is run (can be done by verifying the attestation document and comparing PCR hashes which ensures that the expected docker image is run).
ToDo in the dumme nitro enclave repo to enable this:
Embed TLS into the gRPC exchange
Ensure that the communication partner is the actual enclave by requesting and verifying the attestation document with the embedded public key, and leveraging a fresh nonce
All of the KMS documentation in AWS seems just like a pretty big distraction. TLS with mutual authentication should be sufficient to encrypt private payloads into the enclave. The key point here is that 1) no transactions/bundles are sent before verifying that the communication partner is the enclave itself (can be done by requesting the attestation document), 2) verifying that the correct code is run (can be done by verifying the attestation document and comparing PCR hashes which ensures that the expected docker image is run).
ToDo in the dumme nitro enclave repo to enable this: