Encrypted virtual File System with TDX-RA

Intel TDX (Trust Domain Extensions) technology provides runtime security for VMs through hardware encryption. This solution aims to provide storage security (via LUKS) and remote attestation (via gRPC-RA-TLS) enhancements for Intel TDX.

Introduction

Intel TDX is a CPU hardware-based isolation and encryption technology that provides runtime data security (such as CPU registers, memory data, and interrupt injection) for services within a TDX VM instance. Intel® TDX provides default out-of-the-box protection for your instances and applications. You can migrate existing applications to TDX instances to secure them without modifying application code.

The LUKS (Linux Unified Key Setup) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux. LUKS is used to encrypt a block device. The contents of the encrypted device are arbitrary, and therefore any filesystem can be encrypted, including swap partitions. The LUKS implements a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability among different programs, but also assures that they all implement password management in a secure and documented manner.

The gRPC-RA-TLS technology provide identity authentication and key transmission support for LUKS, which simplifies the process of decrypting and mounting, and allow it to be safely and automatically deployed.

Architecture

../../_images/tdx-encrypted-vfs.svg

On the trusted side, users use secret keys to create encrypted block files, store secret data into it, and then deploy the get secret service to manage the keys.

The user copies the encrypted block file from the trusted end to the non-trusted end.

On the untrustworthy side, the LUKS storage service communicates with the trusted side for attestation and getting the key, then decrypts and mounts the block file through the key, so that the application can safely read the data from the mounting path.

Deployment

Setup LUKS environment

# for centos
yum install cryptsetup

# for ubuntu
apt install cryptsetup

Create encrypted block file

This command will create luks encrypted block file.

VFS_SIZE=1G
VFS_PATH=/root/vfs
./create_encrypted_vfs.sh ${VFS_PATH} ${VFS_SIZE}

Mount encrypted block file

  • Mount via password

    VFS_PATH=/root/vfs
    MOUNT_PATH=/mnt/luks_fs
    ./mount_encrypted_vfs.sh ${VFS_PATH} ${MOUNT_PATH}
    
  • Mount via gRPC-ra-tls

    1. build secretmanager service and prepare runtime.

      refer to get_secret/README.md for detail.

    2. start secretmanager service.

      refer to get_secret/README.md for detail.

    3. mount with secretmanager service.

      APP_ID=<APP_ID>
      RA_SERVICE_ADDRESS=localhost:50051
      VFS_PATH=/root/vfs
      ./mount_encrypted_vfs.sh ${VFS_PATH} ${MOUNT_PATH} ${APP_ID}
      

      Please remember the loop device and luks mapper from output, it will be used in Unmount encrypted block file phase.

Unmount encrypted block file

MAPPER_PATH=<the luks mapper>
LOOP_DEVICE=<the binded luks loop device>
./unmount_encrypted_vfs.sh ${MOUNT_PATH} ${MAPPER_PATH} ${LOOP_DEVICE}

Cloud Practice

  1. Aliyun ECS

    Aliyun ECS (Elastic Compute Service) is an IaaS (Infrastructure as a Service) level cloud computing service provided by Alibaba Cloud. It builds eighth generation security-enhanced instance families based on Intel® TDX technology to provide a trusted and confidential environment with a higher security level.

    About how to build TDX confidential computing instance, please refer to the below links:

    Chinese version: https://www.alibabacloud.com/help/zh/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment

    English version:https://www.alibabacloud.com/help/en/elastic-compute-service/latest/build-a-tdx-confidential-computing-environment

    Notice: Ali TDX instance is under external public preview.