Encrypted virtual File System with TDX-RA¶
Intel TDX (Trust Domain Extensions) technology provides runtime security for VMs through hardware encryption. This solution aims to provide storage security (via LUKS) and remote attestation (via gRPC-RA-TLS) enhancements for Intel TDX.
Introduction¶
Intel TDX is a CPU hardware-based isolation and encryption technology that provides runtime data security (such as CPU registers, memory data, and interrupt injection) for services within a TDX VM instance. Intel® TDX provides default out-of-the-box protection for your instances and applications. You can migrate existing applications to TDX instances to secure them without modifying application code.
The LUKS (Linux Unified Key Setup) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux. LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions. The LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.
The gRPC-RA-TLS technology provide identity authentication and key transmission support for LUKS, which simplifies the process of decrypting and mounting, and allow it to be safely and automatically deployed.
Architecture¶
On the trusted side, users use secret keys to create encrypted block files, store secret data into it, and then deploy the get secret service to manage the keys.
The user copies the encrypted block file from the trusted end to the non-trusted end.
On the untrustworthy side, the LUKS storage service communicates with the trusted side for attestation and getting the key, then decrypts and mounts the block file through the key, so that the application can safely read the data from the mounting path.
Deployment¶
Setup LUKS environment¶
# for centos
yum install cryptsetup
# for ubuntu
apt install cryptsetup
Create encrypted block file¶
This command will create luks block file and bind it to a idle loop device.
VIRTUAL_FS=/root/vfs
./create_encrypted_vfs.sh ${VIRTUAL_FS}
After above, user need to create env LOOP_DEVICE to bind to the loop device manually.
export LOOP_DEVICE=<the binded loop device in outputs>
Mount encrypted block file¶
Mount and format via password
The block loop device needs to be formatted as
ext4on first mount.FS_DIR=luks_fs ./mount_encrypted_vfs.sh ${LOOP_DEVICE} ${FS_DIR} formatNote: only need to format device on first mount.Mount without format via password
FS_DIR=luks_fs ./unmount_encrypted_vfs.sh ${VIRTUAL_FS} ${FS_DIR} ./mount_encrypted_vfs.sh ${LOOP_DEVICE} ${FS_DIR} notformatMount without format via
gRPC-ra-tlsbuild
get_secretservice and copy runtime.refer to get_secret/README.md for detail.
start
get_secretservice.refer to get_secret/README.md for detail.
mount with
get_secretservice.FS_DIR=luks_fs ./unmount_encrypted_vfs.sh ${VIRTUAL_FS} ${FS_DIR} export hostname=localhost:50051 ./mount_encrypted_vfs.sh ${LOOP_DEVICE} ${FS_DIR} notformat get_secret
Cloud Practice¶
Aliyun ECS
Aliyun ECS (Elastic Compute Service) is an IaaS (Infrastructure as a Service) level cloud computing service provided by Alibaba Cloud. It builds eighth generation security-enhanced instance families based on Intel® TDX technology to provide a trusted and confidential environment with a higher security level.
About how to build TDX confidential computing instance, please refer to the below links:
Chinese version: https://www.alibabacloud.com/help/zh/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment
English version:https://www.alibabacloud.com/help/en/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment
Notice: Ali TDX instance is under external public preview.