In this series of tutorials, we will teach you how to master Confidential Computing through a playful exercise: we will build a Key Management System (KMS) inside a secure enclave.
We will do it using:
A relatively good knowledge in C/C++ and cryptography is recommended. We will be adding some reminders to make it more comfortable for you to read, but it might be a bit difficult to intake low-level coding langage, cryptography and confidential computing all at once.
A KMS is a piece of software that performs cryptographic operations (such as encryption and managing private keys) and is usually embedded inside a secure hardware component or hardware security modules (also refered to as HSMs).
Because Trusted Execution Environements, or TEEs, are a secure environment, we can implement a working KMS inside an enclave. A remote client can benefit from having a remote key manager, without having to trust their keys directly.
It is common for companies to store sensitive data and need to protect it.
For instance, let's take a running web application: a particular attention must be given to passwords and credit card details when storing them. Usually, these issues are resolved by encryption.
For the encryption to be secure, the key to decrypt must be stored securely, and that key must be encrypted by another key to protect it.
This key chain can quickly become quite complicated, especially in company setting. But at the root of the concept, there is always going to be a master key that we must securely store, and it cannot be done by simply encrypting it.
This where a KMS comes in handy. One of its features is to manage keys: it will import them, manage the users and the roles, etc. It will do so in a secure and protected way, completely isolated from the services that use it. That is because KMSs can perform multiple cryptographic operations. They can store private keys and certificates, perform encryption and key rotation...
In our mini-KMS project, we will restrict the operations to make it easier for you to implement:
To build them, we will be using the open-source C cryptographic library Mbedtls. It is both simple to use and already written for OpenEnclave. It's also small and implements well in embedded systems. Mbedtls does lack some features, but its advantages made up for it for the purposes of this tutorial.
Ready to practice? Let’s dive in and install everything we need to get started!