Azure Confidential VM Attestation - Linux

  • Published on Apr 10, 2026
  • 3 minute(s) read
Prev Next

1.0 Introduction

This article describes the procedure for completing the attestation workflow for an Azure Confidential Virtual Machine (CVM) using Fortanix Confidential Computing Manager (CCM) in Linux-based environments.

After configuring the application and image in Fortanix CCM and registering the required Platform Configuration Register (PCR) values, the Azure CVM must run the Fortanix Attestation Client for Linux to establish trust and register itself as an approved compute instance.

2.0 Prerequisites

Before proceeding, ensure the following:

  • Ensure to download the Fortanix Azure CVM Attestation Client binary from here.

  • The Azure CVM has been deployed and is accessible.

  • A Fortanix CCM application and its associated image have been created and approved.

  • PCR values collected from the Azure CVM environment have been mapped to the image in Fortanix CCM. For more information on creating Azure VMs and performing PCR extraction, refer to Azure Confidential VM Setup - Linux.

  • Network access exists between the Azure CVM and Fortanix CCM endpoint.

  • You have access to the following configuration values:

    • Fortanix CCM tenant URL

    • Join token

NOTE

Attestation cannot proceed if the application image has not been approved in Fortanix CCM.

3.0 Configure Execution Permissions

Before configuring permissions, run the following command to make the azure-cvm-attestation-client file executable:

chmod +x ./ccm_attestation_client_azure_cvm_linux

The attestation client can run either as root or as a restricted user, depending on system configuration.

Option 1: Run as root

No additional configuration is required.

Option 2: Run as non-root

Run the following command to verify whether TPM devices are readable by non-root users:

stat -c%G /dev/tpmrm0

If the output indicates the resource belongs to the tss group, run the following command to add the current user to this group:

sudo usermod -aG tss $USER

NOTE

Log in again to apply the updated group membership.

4.0 Configure Environment Variables

The Fortanix Attestation Client uses the following environment variables:

NOTE

The JOIN_TOKEN is mandatory. Without it, the node will not register with Fortanix CCM.

Environment Variable

Default Value

Description

RUST_LOG

ERROR

Set to DEBUG to enable verbose logging.

RUST_BACKTRACE

0

Set to 1 to enable panic backtraces.

MANAGER_ENDPOINT

https://ccm.fortanix.com

Fortanix CCM service endpoint for attestation requests.

JOIN_TOKEN

unset

Must be set to the join token generated in Fortanix CCM.

Example configuration:

export RUST_LOG=debug
export MANAGER_ENDPOINT=https://ccm. fortanix.com
export JOIN_TOKEN=cccccbrenhlrinntnlhubfuulnbfnnchrltbvcchbelc

5.0 Generate Join Token from Fortanix CCM

Perform the following steps to generate a Join Token from Fortanix CCM and register the node.

  1. Log in to https://ccm.fortanix.com.

  2. Click the Infrastructure → Compute Nodes menu item and click + ADD NODE on the Compute Nodes page.

    Figure 1: Enroll Compute Node

  3. In the ENROLL COMPUTE NODE window, a Join Token will be generated in the text box for "Get a join token to register a compute node". This Join Token is used by the compute node to authenticate itself.

    Figure 2: Join token generated

  4. Click COPY to copy the Join Token.

6.0 Run the Attestation Client

Run the following command to execute the attestation client:

sudo -E ./ccm_attestation_client_azure_cvm_linux

NOTE

You can also set the environment variables and run the attestation client through a script.

Example script: test.sh

export RUST_LOG=debug
export MANAGER_ENDPOINT=https://ccm.fortanix.com  
export JOIN_TOKEN=<JOIN TOKEN VALUE>
sudo -E ./ccm_attestation_client_azure_cvm_linux

Run the script using the following command:

bash test.sh

The above script sets the environment variables.

The attestation process begins automatically. During this time, the client collects platform evidence, verifies signatures, and submits measurements to Fortanix CCM. The process may take several minutes, depending on the compute environment and network conditions.

Figure 3: Evidence and certificate are fetched

NOTE

Running the attestation client multiple times for the same build generates a new certificate each time. This allows users to obtain new certificates when previous ones expire.

7.0 Verify Attestation Status in Fortanix CCM

After the attestation client has completed execution, verify the attestation result in Fortanix CCM by confirming that the attestation certificate is available for download.

Perform the following steps to download the certificate:

  1. Log in to Fortanix CCM.

  2. Navigate to Applications → CVM Application → IMAGES tab.

  3. Click the overflow menu next to the image entry and select VIEW CERTIFICATE.

    Figure 4: View certificates

  4. Download the certificate and verify its validity.

    Figure 5: Download the certificate

Attestation is considered successful when the attestation certificate appears and is available for download. This confirms that the hardware measurements match the PCR values configured for the image.

Related articles

Platform
Fortanix Armor
Armet AI Key Insight Data Security Manager Confidential Computing Manager
Open Source Platform
Enclave Development Platform®

Solutions
Use Cases
Legacy to Cloud Infrastructure Migration Regulatory Compliance Post-Quantum Readiness Secure, Data-Driven Innovation
Industry
Healthcare Banking & Financial Services Fintech Manufacturing Federal Government

Company
About Us Partners Careers Confidential Computing University Blog FAQ Contact Us Awards Events Webinars Press News Services Media Kit Newsletters

Customers

Resources

Support
Fortanix-logo

4.6

star-ratings

As of August 2025

Request a Demo