Easy creation of AWS enclaves in Java.
The project requires the vsockj native binary to work, which is available only on Linux; on other operating systems the build must therefore be done through a Docker image.
When developing and running locally, ensure the latest jars are in your local Maven repository.
docker build -t maven-gcc - < Dockerfile-build
docker run -w /app -v "$HOME/.m2":/app/.m2 -v "$PWD":/app -ti --rm -u `id -u` \
maven-gcc ./mvnw -Dmaven.repo.local=/app/.m2/repository compile install
or
./mvnw compile install
The setup currently supports one case: enclave decryption. An overview diagram is shown below:
To run the example Host + enclave setup and verify communication, run the following command (ensure your default credentials allow you to create new EC2 instances, IAM roles and a KMS key):
./mvnw -f awsenclave-setup/pom.xml compile exec:exec
The command should:
- Set up the necessary resources (IAM role, KMS key, EC2 instance)
- As a data owner, encrypt a text
- As an administrator, run the enclave, KMS proxy and host application
- Make the host send a request with the ciphertext to the server in the enclave
- Make the enclave decrypt the ciphertext and return the decrypted plaintext
- Display the decrypted text and remove the test EC2 instance
The enclave server communicates with KMS through a proxy. The enclave<->KMS communication uses HTTPS and is not accessible to the host.
The example assumes no kms:RecipientAttestation:ImageSha384 condition is passed to or verified by KMS.
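Because the example does not pin the decrypt permission to an enclave measurement, any caller holding the instance role can decrypt. For a production deployment the usual mitigation is a KMS key policy condition on kms:RecipientAttestation:ImageSha384, which makes KMS release plaintext only to a decrypt request carrying an attestation document whose PCR0 matches the expected enclave image. The following key policy is an added illustration, not part of this project; the account ID, role name and PCR0 hash are placeholders to be replaced with your own values (the PCR0 value is printed by nitro-cli when the enclave image file is built).

```json
{
  "Version": "2012-10-17",
  "Id": "enclave-decrypt-key-policy",
  "Statement": [
    {
      "Sid": "KeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
        "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DataOwnerEncryptOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/DataOwnerRole" },
      "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
      "Resource": "*"
    },
    {
      "Sid": "DecryptOnlyInsideAttestedEnclave",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/EnclaveHostInstanceRole" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "REPLACE_WITH_PCR0_OF_YOUR_ENCLAVE_IMAGE"
        }
      }
    }
  ]
}
```

With this policy in place, a plain kms:Decrypt call from the parent instance (no attestation document in the request) is denied, because the condition key is absent; only a request sent from inside the enclave, with an attestation document signed by the Nitro hypervisor and carrying the expected PCR0, is served. Changing the enclave image changes PCR0, so the policy has to be updated on every rebuild, which is the intended property rather than an inconvenience.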
For testing the sample deployment, it's useful to comment out the instance termination in SetupMain.java and build the code locally with the commands from deploy/host/dev_setup.sh.
awsenclave-setup is intended only to showcase Nitro Enclaves and the awsenclave and vsockj libraries. Providing infrastructure recommendations is out of the project's scope.
To build (preferably run from the host or another Linux machine):
./mvnw -f awsenclave-example/awsenclave-example-enclave/pom.xml clean nar:nar-unpack package jib:dockerBuild
If not working on Linux:
docker run -w /app -v "$HOME/.m2":/app/.m2 -v "$PWD":/app -ti --rm -u `id -u` \
amazoncorretto:8u275 ./mvnw -Dmaven.repo.local=/app/.m2/repository -f awsenclave-example/awsenclave-example-enclave/pom.xml \
clean nar:nar-unpack package
./mvnw -f awsenclave-example/awsenclave-example-enclave/pom.xml compile jib:dockerBuild
To test locally:
docker run awsenclave-example-enclave:latest
or
./mvnw -f awsenclave-example/awsenclave-example-enclave/pom.xml compile exec:exec
To show logs in a running enclave:
nitro-cli console --enclave-id [enclave-id]
To test locally:
./mvnw -f awsenclave-example/awsenclave-example-host/pom.xml compile exec:exec -Denclave.cid=[CID] -Dencrypted.text=[base 64 encrypted text] -Dkey.id=[key id]
docker run -w /app -v "$HOME/.m2":/app/.m2 -v "$PWD":/app -ti --rm -u `id -u` \
amazoncorretto:8u275 ./mvnw -Dmaven.repo.local=/app/.m2/repository -f awsenclave-example/awsenclave-example-host/pom.xml \
compile exec:exec -Denclave.cid=23
Sample deployment Docker images can be found in the deploy directory.
- The project requires the vsockj native binary to work. To be able to review the resulting file, it's recommended to build the binary library yourself from vsockj-native.
- The AWS Enclaves use Docker to create an image used to run an enclave. That can be problematic on Windows machines as developers can use Docker Engine to break Windows security.