Open edwardysun opened 3 months ago
Hi @edwardysun
The KMS Encrypt action doesn't support attestation documents, so we cannot implement it.
I see. Would an alternate approach like this be valid?
- Generate a data key (using kmstool's genkey), which creates a (Plaintext, Ciphertext) pair
- Encrypt the value I intend to keep secret with the Plaintext from above. Store this encrypted value and the Ciphertext from above. Do this encryption outside of KMS
- When I need to decrypt, call kmstool decrypt with Ciphertext from step 1 to receive Plaintext. Use this to decrypt the encrypted value in step 2
Feels like a bit of a workaround. Am I not considering something that would cause this approach to be insecure?
@edwardysun Correct, this is actually what Genkey is intended to achieve.
Just make sure the "Plaintext" is properly discarded after the encryption.
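The envelope-encryption flow agreed above (genkey, encrypt locally with the plaintext data key, keep only the wrapped key and the ciphertext, later decrypt the wrapped key and unseal), written out as an added example that is not code from this thread or from the aws-nitro-enclaves-sdk-c project. It assumes an interface with two operations, GenerateDataKey and Decrypt, standing in for `kmstool_enclave_cli genkey` and `kmstool_enclave_cli decrypt`; the `fakeKMS` type is a constructed in-memory stand-in so the example runs offline, and the `Envelope` struct, the AAD string and the sample secret are assumptions for illustration, not anything the tool defines.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DataKeyService is the subset of KMS the enclave needs. In a real enclave
// both calls go through kmstool-enclave-cli (genkey / decrypt), which attaches
// the attestation document; that wiring is assumed, not shown, here.
type DataKeyService interface {
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Decrypt(wrapped []byte) ([]byte, error)
}

// fakeKMS is a constructed stand-in: it wraps data keys under a master key it
// never hands out, mimicking the (Plaintext, Ciphertext) pair genkey returns.
type fakeKMS struct{ master cipher.AEAD }

func newFakeKMS() (*fakeKMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	g, err := aeadFor(k)
	return &fakeKMS{master: g}, err
}

func (f *fakeKMS) GenerateDataKey() ([]byte, []byte, error) {
	dk := make([]byte, 32) // AES-256 data key
	nonce := make([]byte, f.master.NonceSize())
	if _, err := rand.Read(dk); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return dk, f.master.Seal(nonce, nonce, dk, nil), nil // nonce || ct
}

func (f *fakeKMS) Decrypt(blob []byte) ([]byte, error) {
	ns := f.master.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return f.master.Open(nil, blob[:ns], blob[ns:], nil)
}

// Envelope is what the caller persists: the KMS-wrapped data key plus the
// locally produced AES-GCM output. No plaintext key is stored anywhere.
type Envelope struct {
	WrappedDataKey []byte
	Nonce          []byte
	Ciphertext     []byte // AES-256-GCM ciphertext with the auth tag appended
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// zero overwrites the plaintext key slice. Best effort only: Go's aes cipher
// keeps its expanded key schedule in memory until the object is collected.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt: step 1 (genkey) and step 2 (encrypt outside KMS), then
// discard the plaintext key, as the maintainer's reply requires.
func EnvelopeEncrypt(kms DataKeyService, secret, aad []byte) (*Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	g, err := aeadFor(dk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, g.Seal(nil, nonce, secret, aad)}, nil
}

// EnvelopeDecrypt: step 3, recover the data key via KMS Decrypt, then unseal.
// The same AAD must be supplied or GCM rejects the ciphertext.
func EnvelopeDecrypt(kms DataKeyService, env *Envelope, aad []byte) ([]byte, error) {
	dk, err := kms.Decrypt(env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	g, err := aeadFor(dk)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, aad)
}

func main() {
	kms, _ := newFakeKMS()
	aad := []byte("app=demo;tenant=42") // constructed context binding
	env, _ := EnvelopeEncrypt(kms, []byte("constructed sample secret"), aad)
	pt, err := EnvelopeDecrypt(kms, env, aad)
	fmt.Printf("recovered=%q err=%v\n", pt, err)
}
```

The AAD is the practitioner's addition on top of the three steps: binding the ciphertext to the context it belongs to means a blob copied from one record or tenant to another fails to decrypt rather than silently yielding someone else's secret. The only thing that ever leaves the enclave is the wrapped key and the GCM output; the KMS key policy condition on the attestation PCRs still gates the decrypt call that recovers the data key.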
Got it, thank you!
I just tried this out, but the CLI appears not to be returning any response on stdout or stderr. I've verified the KMS key ID, region, credentials, and that the access policy of the key contains kms:GenerateDataKey for the enclave. In what scenario does the CLI not return a response?
I noticed that the kmstool-enclave-cli only supports decrypt, genkey, and genrandom. Is there a reason why encrypt is not supported? I'd like to call a KMS Encrypt operation on a plaintext inside the enclave. What is the best approach for doing that?
Thank you