
I am working on a project where the data that comes from the customer through a REST API should be encrypted before sending it to the database. To do that, we need to use AWS Nitro Enclave to do the encryption. So the Nitro Enclave will receive the data from the parent EC2 instance, talk to KMS to retrieve the encryption key, encrypt the data and send it back to the EC2 instance, which will then send it to the database.

The problem is that the data is now exposed in plain text to anyone who can access the EC2 instance, which defeats the whole purpose of securing the data. My question is: is there any way that the data can be intercepted by the Enclave itself, in other words, can the TLS terminate in the Enclave? I know that the Enclave does not have any networking capability, but I am not sure now how this Enclave solves the issue of securing the personally identifiable information.

Any clarification on this point is much appreciated.

Many thanks! Zak

zakzak

2 Answers


TLS terminate in the Enclave?

Sure, you could use vsock-proxy (part of the Nitro Enclaves CLI installation) to pass the traffic (not terminated) directly to the Nitro Enclave, see https://nitro-enclaves.workshop.aws/en/my-first-enclave/secure-local-channel.html

gusto2
  • Excellent. Many thanks @gusto2. I'll go through this documentation. – zakzak Dec 22 '21 at 16:46
  • Question please: anyone who has access to the EC2 parent instance will be able to see the data coming from the client side in plain text, because this is where the TLS connection terminates, correct? – zakzak Dec 22 '21 at 16:50
  • @zakzak depends... You said you want to process and encrypt data in the enclave instance. In that case the data going to the "client app" is encrypted, anonymized or tokenized. The enclave instance adds security, but also complexity and price. Define your threat model and be aware of the risk. E.g. do you really need the enclave? Where do you store/manage the SSL private key? Is the complexity worth the risk? (maybe yes) And `access the plaintext` is not so easy: one needs to be root to tcpdump the traffic, so there are other options to secure an instance – gusto2 Dec 22 '21 at 18:54
  • Excellent point. What I meant is that I need to get the data from the client and get it encrypted using an encryption key generated within the Enclave, and then send the encrypted data to the backend. The idea is that nobody (even the admin or the root of the parent instance) should be able to see the data in plain text. I know that this is possible because EverVault is doing that, but I am not sure how this is possible. Thank you again for your help and I appreciate your feedback on this. – zakzak Dec 22 '21 at 20:25

As part of the attestation process you should provide a public key generated inside the enclave [1]. So if your client application on the customer side verifies the attestation of the enclave to ensure it is talking to the right code, it will also have this public key, which can be used to agree on a symmetric encryption key. This way you can encrypt your data at the source and send it encrypted to the enclave. Then your enclave can decrypt it, re-encrypt it with the key from KMS, and send it to the database via the parent instance.

[1] https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md

FAP
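A worked version of the flow this answer describes, added here as an example; it is not code from the answer, from AWS, or from the nsm-api repository. It assumes Go 1.20+ (crypto/ecdh) and simulates everything that only exists on real Nitro hardware: the attestation document is a plain struct signed with an Ed25519 key that stands in for the AWS Nitro root (a real document is CBOR/COSE signed with P-384 ECDSA and validated through a certificate chain), PCR0 is a constructed value, and the KMS data key is a random key generated locally instead of a KMS Decrypt call made with the attestation document. The client refuses to encrypt unless the root signature verifies and PCR0 matches the enclave image it expects, then seals the PII to the attested X25519 key; the enclave re-encrypts under the data key, so the parent instance only ever relays ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// attestationDoc stands in for the NSM attestation document (really CBOR/COSE, signed by the hypervisor).
type attestationDoc struct {
	PCR0      []byte // enclave image measurement (constructed value in this demo)
	PublicKey []byte // enclave's ephemeral X25519 public key
	Signature []byte // Ed25519 over PCR0 || PublicKey by the stand-in "Nitro root" (real docs: P-384 ECDSA)
}
func docBytes(d attestationDoc) []byte { return append(append([]byte{}, d.PCR0...), d.PublicKey...) }

type enclave struct {
	priv    *ecdh.PrivateKey // ephemeral; never leaves the enclave
	dataKey []byte           // stand-in for the data key fetched from KMS (e.g. via kmstool-enclave-cli)
}

func newEnclave(nitroRoot ed25519.PrivateKey, pcr0 []byte) (*enclave, attestationDoc, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, attestationDoc{}, err }
	dataKey := make([]byte, 32)
	if _, err = rand.Read(dataKey); err != nil { return nil, attestationDoc{}, err }
	doc := attestationDoc{PCR0: pcr0, PublicKey: priv.PublicKey().Bytes()}
	doc.Signature = ed25519.Sign(nitroRoot, docBytes(doc))
	return &enclave{priv: priv, dataKey: dataKey}, doc, nil
}

// clientEncrypt runs on the customer side: check the root signature and the expected PCR0, then
// X25519 with the attested key and seal the PII. The parent EC2 instance only relays the result.
func clientEncrypt(root ed25519.PublicKey, wantPCR0 []byte, doc attestationDoc, pii []byte) ([]byte, []byte, error) {
	if !ed25519.Verify(root, docBytes(doc), doc.Signature) || string(doc.PCR0) != string(wantPCR0) {
		return nil, nil, errors.New("attestation rejected: bad signature or unexpected PCR0")
	}
	enclavePub, err := ecdh.X25519().NewPublicKey(doc.PublicKey)
	if err != nil { return nil, nil, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	shared, err := eph.ECDH(enclavePub)
	if err != nil { return nil, nil, err }
	ct, err := seal(deriveKey(shared, eph.PublicKey().Bytes(), doc.PublicKey), pii)
	return eph.PublicKey().Bytes(), ct, err
}

// reencrypt runs inside the enclave: recover the session key, open the client ciphertext, re-seal under the data key.
func (e *enclave) reencrypt(clientPub, ct []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(clientPub)
	if err != nil { return nil, err }
	shared, err := e.priv.ECDH(pub)
	if err != nil { return nil, err }
	pii, err := open(deriveKey(shared, clientPub, e.priv.PublicKey().Bytes()), ct)
	if err != nil { return nil, err }
	return seal(e.dataKey, pii)
}

// deriveKey is a minimal HKDF-SHA256 (extract, then one expand block) binding both public keys into the session key.
func deriveKey(shared, clientPub, enclavePub []byte) []byte {
	extract := hmac.New(sha256.New, append(append([]byte{}, clientPub...), enclavePub...))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("nitro-pii-session\x01"))
	return expand.Sum(nil)
}

func seal(key, plaintext []byte) ([]byte, error) { // AES-256-GCM, nonce prepended
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	if len(ct) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the AWS Nitro root
	pcr0 := []byte("constructed PCR0 measurement")            // stands in for the real 48-byte PCR0
	enc, doc, _ := newEnclave(rootPriv, pcr0)
	clientPub, ct, err := clientEncrypt(rootPub, pcr0, doc, []byte("ssn=123-45-6789"))
	if err != nil { panic(err) }
	stored, _ := enc.reencrypt(clientPub, ct)
	fmt.Printf("parent relays: %x\ndatabase stores: %x\n", ct, stored)
}
```

On real hardware the enclave obtains `doc` from the NSM with its public key in the document's public_key field, the client validates the document's certificate chain up to the AWS Nitro root and pins the PCRs of the image it built, and the data key comes from KMS, which itself checks the same attestation before releasing it. What root on the parent instance can still do is drop, delay or replay the relayed ciphertext; what it cannot do is recover the session key, because the enclave's X25519 private key never leaves the enclave and the AES-GCM tag rejects any modification of the ciphertext in transit.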