Encrypted virtual File System with TDX-RA¶
Intel TDX (Trust Domain Extensions) technology provides runtime
security for VMs through hardware encryption. This solution aims to provide storage security
(via LUKS) and remote attestation
(via gRPC-RA-TLS) enhancements for Intel TDX
.
Introduction¶
Intel TDX is a CPU hardware-based isolation and encryption technology that provides runtime data security (such as CPU registers, memory data, and interrupt injection) for services within a TDX VM instance. Intel® TDX provides default out-of-the-box protection for your instances and applications. You can migrate existing applications to TDX instances to secure them without modifying application code.
The LUKS
(Linux Unified Key Setup) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux. LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions. The LUKS
implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.
The gRPC-RA-TLS
technology provide identity authentication and key transmission support for LUKS, which simplifies the process of decrypting and mounting, and allow it to be safely and automatically deployed.
Architecture¶
On the trusted side, users use secret keys to create encrypted block files, store secret data into it, and then deploy the get secret
service to manage the keys.
The user copies the encrypted block file from the trusted end to the non-trusted end.
On the untrustworthy side, the LUKS storage service
communicates with the trusted side for attestation and getting the key, then decrypts and mounts the block file through the key, so that the application can safely read the data from the mounting path.
Deployment¶
Setup LUKS environment¶
# for centos
yum install cryptsetup
# for ubuntu
apt install cryptsetup
Create encrypted block file¶
This command will create luks encrypted block file.
VFS_SIZE=1G
VFS_PATH=/root/vfs
./create_encrypted_vfs.sh ${VFS_PATH} ${VFS_SIZE}
Mount encrypted block file¶
Mount via password
VFS_PATH=/root/vfs MOUNT_PATH=/mnt/luks_fs ./mount_encrypted_vfs.sh ${VFS_PATH} ${MOUNT_PATH}
Mount via
gRPC-ra-tls
build
secretmanager
service and prepare runtime.refer to get_secret/README.md for detail.
start
secretmanager
service.refer to get_secret/README.md for detail.
mount with
secretmanager
service.APP_ID=<APP_ID> RA_SERVICE_ADDRESS=localhost:50051 VFS_PATH=/root/vfs ./mount_encrypted_vfs.sh ${VFS_PATH} ${MOUNT_PATH} ${APP_ID}
Please remember the
loop device
andluks mapper
from output, it will be used inUnmount encrypted block file
phase.
Unmount encrypted block file¶
MAPPER_PATH=<the luks mapper>
LOOP_DEVICE=<the binded luks loop device>
./unmount_encrypted_vfs.sh ${MOUNT_PATH} ${MAPPER_PATH} ${LOOP_DEVICE}
Cloud Practice¶
Aliyun ECS
Aliyun ECS (Elastic Compute Service) is an IaaS (Infrastructure as a Service) level cloud computing service provided by Alibaba Cloud. It builds eighth generation security-enhanced instance families based on Intel® TDX technology to provide a trusted and confidential environment with a higher security level.
About how to build TDX confidential computing instance, please refer to the below links:
Chinese version: https://www.alibabacloud.com/help/zh/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment
English version:https://www.alibabacloud.com/help/en/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment
Notice: Ali TDX instance is under external public preview.