Attestation and Secret Provision Service


This solution provides a secret provision service that releases secrets only after RA-TLS based remote attestation over gRPC. Secrets are stored beforehand in a KMS hosted on the tenant side, and their distribution is managed by the Policy Manager according to a pre-defined policy. Once the tenant has successfully verified the quote from the CSP SGX enclave, the KMS Agent retrieves the secrets from the KMS and the tenant sends them to the remote CSP SGX enclave through the established secure gRPC channel.

Remote Attestation with TLS (RA-TLS) process of ASPS:

  1. The ASPS client sends a request for the key, together with an X509 certificate that embeds the SGX quote, to the ASPS server via the TLS channel of gRPC.

  2. The ASPS server verifies the SGX quote received from the ASPS client.

  3. The ASPS server retrieves secrets from KMS according to pre-defined policy.

  4. The ASPS server sends secrets to the ASPS client.

gRPC-RA-TLS is used in this solution to establish a secure gRPC channel. Tenants need to integrate the ASPS client into their application and define a policy for secret distribution. Secrets for each application are distinguished by the value of mr_enclave. Vault is supported as the default KMS backend. Users can also store their secrets in a JSON file instead.

Setup KMS Server

Build the docker image and start the Key Management Service (KMS). As of now, the KMS backend is Vault. We will support more KMS backends in the future.

Typically, the KMS server runs on a trusted machine on the tenant side.

./ kms
./ kms

Setup Attestation and Provision Service

  1. Build the image and start the Attestation and Secret Provision Service (ASPS).

    ./ asps
    ./ asps ${pccs_service_ip}
  2. For demo purposes, we write some secrets to the KMS server in advance.

    cd ~/store_secrets

    It will write app token as follows.

    Key             Value
    ---             -----
    Seal Type       shamir
    Initialized     true
    Sealed          false
    Total Shares    1
    Threshold       1
    Version         1.10.3
    Storage Type    file
    Cluster Name    vault-cluster-be481703
    Cluster ID      b8b03960-4e0f-e091-3fce-80da10796874
    HA Enabled      false


    Success! Enabled the kv secrets engine at: occlum/1/
    Success! Data written to: occlum/1/image_key
    Generating RSA private key, 1024 bit long modulus (2 primes)
    e is 65537 (0x010001)
    writing RSA key
    Success! Data written to: occlum/1/rsa_pubkey
    Success! Data written to: occlum/1/rsa_prikey
    Success! Enabled the kv secrets engine at: occlum/2/
    Success! Data written to: occlum/2/image_key
    Generating RSA private key, 1024 bit long modulus (2 primes)
    e is 65537 (0x010001)
    writing RSA key
    Success! Data written to: occlum/2/rsa_pubkey
    Success! Data written to: occlum/2/rsa_prikey
    Success! Uploaded policy: app1_policy


    Success! Uploaded policy: app2_policy


  3. Configure the ASPS instance in the ASPS container.

    cd ~/demos/attestation-secret-provision

    This generates occlum_instance_client and occlum_instance_server; policy_vault.json is in occlum_instance_server.

    # policy_vault.json
        "kms" : "vault",
        "addr" : "",
        "auth_method" : "token",
        "root_key" : <your_root_token>,
        "app_list" : [
                "id" : 1,
                "mr_enclave" : <your_mr_enclave>,
                "app_token" : <your_app_token>,
                "secrets" : {
                    "master_key" : "occlum/1/image_key",

    Users need to adjust the policy manifest above accordingly. Replace the value of mr_enclave with the expected mr_enclave value. Replace the *_token values with the *_TOKEN values generated previously. Configure secrets with the actual secret key names and their corresponding values or KMS paths. In this example, the key is "master_key" and the value is "occlum/1/image_key".

    Re-build the occlum_instance_server instance.

    cd occlum_instance_server
    occlum build
    cd -
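
The policy manifest in step 3 ties each application's secrets to its mr_enclave. The Python below is an added illustration, not code from the ASPS project: it shows a deny-by-default lookup that the policy side can perform once a quote has been verified, run over a constructed sample manifest. It assumes mr_enclave is stored as a 64-character hex string and that the measurement passed in comes from an already verified quote; the function names are hypothetical.

```python
import json

# Constructed sample manifest using the field names from policy_vault.json above.
# All values are placeholders, not real tokens or measurements.
SAMPLE_POLICY = json.dumps({
    "kms": "vault",
    "addr": "",
    "auth_method": "token",
    "root_key": "<your_root_token>",
    "app_list": [
        {"id": 1, "mr_enclave": "aa" * 32, "app_token": "<app1_token>",
         "secrets": {"master_key": "occlum/1/image_key"}},
        {"id": 2, "mr_enclave": "bb" * 32, "app_token": "<app2_token>",
         "secrets": {"master_key": "occlum/2/image_key"}},
    ],
})


def normalize_measurement(value):
    """Return the 32-byte MRENCLAVE from a hex string, or raise ValueError."""
    raw = bytes.fromhex(value)  # accepts upper- and lower-case hex
    if len(raw) != 32:
        raise ValueError("mr_enclave must be 32 bytes")
    return raw


def load_policy(text):
    """Parse the manifest and index apps by measurement, rejecting duplicates."""
    index = {}
    for app in json.loads(text)["app_list"]:
        key = normalize_measurement(app["mr_enclave"])
        if key in index:  # two apps must never share one measurement
            raise ValueError("duplicate mr_enclave for app id %s" % app["id"])
        index[key] = app
    return index


def secrets_for(index, attested_mr_enclave):
    """Map secret name -> KMS path for a verified quote; None means deny."""
    try:
        wanted = normalize_measurement(attested_mr_enclave)
    except (TypeError, ValueError):
        return None  # malformed measurement: fail closed
    app = index.get(wanted)
    return dict(app["secrets"]) if app else None
```

Rejecting duplicate measurements at load time keeps a manifest typo from silently handing one application's secrets to another.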

Start ASPS Server and Verify ASPS Client via RA-TLS

  1. Start the ASPS server in the ASPS container, typically on a trusted machine.

    # Run the server
    ./ server &
  2. Start the ASPS client, running as an application in the ASPS container, typically on an untrusted machine.

    # Run the client
    ./ client

RA-TLS output

The ASPS server:

DcapQuote: new
DcapQuote: get_quote_size
DcapQuote: generate_quote
DcapQuote: close
DcapQuote: new
DcapQuote: get_supplemental_data_size
DcapQuote: verify_quote
Succeed to verify the quote!
DcapQuote: close
remote attestation
  |- verify result  :  success

The ASPS client:

Secret received: 42-cd-4b-24-f6-0f-a5-33-85-ca-03-74-0d-4b-91-d7