Getting started with cryptographic attestation: KMS Tool tutorial - AWS

Getting started with cryptographic attestation: KMS Tool tutorial

The AWS Nitro Enclaves SDK ships with a sample application, called KMS Tool, that demonstrates the cryptographic attestation process. The KMS Tool sample application is supported on both Windows and Linux parent instances.

KMS Tool includes two applications:

  • kmstool-instance—An application that runs on the parent instance. It connects to kmstool-enclave (over the vsock socket), passes credentials to the enclave, along with a base64-encoded message for decryption.

  • kmstool-enclave—An application that runs in an enclave. It uses the Nitro Enclaves SDK to call AWS KMS in order to decrypt the base64-encoded message received from the application running on the parent instance.

This tutorial shows you how to:

  • Launch an enclave-enabled parent instance.

  • Build a Docker image from a Docker file.

  • Convert a Docker image to an enclave image file.

  • Create an AWS KMS key.

  • Add attestation-based condition keys to a KMS key policy.

  • Create an enclave using an enclave image file.

The tutorial also discusses some best practices for preparing your enclave and KMS key for attestation. You can use this sample application as a reference for building your own enclave applications and for preparing your enclave and KMS keys for attestation.

For instructions on how to set up and use the KMS Tool sample application, see the AWS Nitro Enclaves SDK Github repository.