
Using Fortanix Confidential Computing Manager to Build and Run Hashicorp Vault


1.0 Introduction

This article describes how to build and deploy a HashiCorp Vault server inside an enclave using Fortanix Confidential Computing Manager (CCM) and Fortanix Enclave OS (the enclave operating system).

2.0 Authenticate to Fortanix Armor

Before you can issue any requests, you must authenticate to Fortanix Armor using the following commands:

cpath=$(mktemp -p "/tmp" -t "fortanix_ccm_cookie.XXXXX")
curl -u <email-address>:<password> -c $cpath -X POST https://ccm.fortanix.com/v1/sys/auth

Replace <email-address> and <password> with the email address and password of your Fortanix Armor account.

NOTE

Authentication session tokens are short-lived. If you receive the response {"message":"Forbidden","code":"FORBIDDEN"}, run the following command to refresh the session token:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/refresh

3.0 Select an Account Using an API Call

After authenticating to Fortanix Armor, select an account. Run the following command to list all available accounts:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" https://ccm.fortanix.com/v1/accounts

This command returns a JSON response similar to the following:

{"name":"My account","acct_id":"26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7", ...}, ...

Copy the account ID of the account you want to use (in this example, 26eaa328-5eb4-41c7-b09b-8a3e0a0f65c7) and run the following command, replacing <account_id> with that ID:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -X POST https://ccm.fortanix.com/v1/sys/session/select_account/<account_id>

4.0 Create an Application Using an API Call

Create a file named app.json with the following contents. Replace the output_image_name value with the image name in your private registry where the converted image will be stored.

{
    "name":"Vault demo server",
    "description":"A hashicorp vault server demo",
    "input_image_name":"vault",
    "output_image_name":"fortanix-private/python-flask-nitro",
    "default_build_settings": {
        "sgx": {},
        "nitro_enclaves": {
            "cpu_count": 2,
            "mem_size": 1024,
            "enable_overlay_filesystem_persistence": true
        }
    },
    "group_id": "a8e8395e-096d-4eb8-9017-2098f2ab8327",
    "allowed_domains": [],
    "advanced_settings": {
        "entrypoint": [],
        "manifestEnv": [],
        "encryptedDirs": [],
        "rw_dirs": ["/vault", "/home/vault"],
        "certificate": {}
    },
    "custom_metadata": {
        "app_type": "ENCLAVE_OS"
    }
}

NOTE

The application writes to the /vault and /home/vault directories. These directories must be configured as read/write (rw_dirs) because Enclave OS configures application directories as read-only by default.

Create the application using the following API call:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @app.json -X POST https://ccm.fortanix.com/v1/apps

This command returns information about the newly created application, including the application ID:

{"name":"Vault demo server","app_id":"cc386097-dcf7-4813-880a-ddacdafb48a2",...}

5.0 Create an Application Build Using an API Call

After creating the application, create a file named build.json with the following contents. Replace <app_id> with the ID of the newly created application. Replace <username> and <password> with the credentials of the registry where the converted image will be stored. This registry was specified earlier as output_image_name.

{
  "app_id":"<app_id>",
  "input_docker_version":"latest",
  "output_docker_version":"latest",
  "outputAuthConfig":{
    "username":"<username>",
    "password":"<password>"
  }
}

For more information about configuring registry credentials without placing them in this file, refer to the Quickstart Guide.

Create the build using the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d @build.json -X POST https://ccm.fortanix.com/v1/builds/convert-app

This command returns information about the build, including the pending task ID (<task_id>). In this example, the task ID is f0d815b6-9520-4ce4-b4f4-6a82a718bb7e.

{"build_name":"/vault-sgx:latest","pending_task_id":"f0d815b6-9520-4ce4-b4f4-6a82a718bb7e",...}

Approve the image using the <task_id> and the following command:

curl -b $cpath -c $cpath -H "X-CSRF-Header:true" -H "Content-Type: application/json" -d '{"status":"APPROVED"}' -X PATCH https://ccm.fortanix.com/v1/tasks/<task_id>
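The same sequence (sections 2 through 5: authenticate, select the account, create the app, request the build, approve the task) driven from Python with urllib instead of curl, as an added example that is not part of this article. It assumes CCM error replies carry a JSON body like the FORBIDDEN message in the NOTE above, takes the account ID as a parameter rather than parsing /v1/accounts, and the injectable opener is a test seam of this example, not a CCM feature.

```python
import base64
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

CCM = "https://ccm.fortanix.com"


class CCMSession:
    """Holds the session cookie (curl's -b/-c) and sends X-CSRF-Header on every call."""

    def __init__(self, opener=None):
        # opener is an injectable seam (assumption of this example) so it can run offline
        self.opener = opener or urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        hdrs = {"X-CSRF-Header": "true", **(headers or {})}
        if data is not None:
            hdrs["Content-Type"] = "application/json"
        req = urllib.request.Request(CCM + path, data=data, method=method, headers=hdrs)
        try:
            with self.opener.open(req) as resp:
                return json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            # Assumption: CCM error replies carry a JSON body such as {"code":"FORBIDDEN"}
            return json.loads(err.read() or b"{}")

    def api(self, method, path, body=None):
        """Refresh the short-lived session once and retry when CCM answers FORBIDDEN."""
        out = self.call(method, path, body)
        if isinstance(out, dict) and out.get("code") == "FORBIDDEN":
            self.call("POST", "/v1/sys/session/refresh")
            out = self.call(method, path, body)
        return out


def deploy_vault(sess, email, password, acct_id, app, reg_user, reg_pass):
    """Run sections 2-5 of the article; return (app_id, task_id) of the approved build."""
    basic = base64.b64encode(f"{email}:{password}".encode()).decode()
    sess.call("POST", "/v1/sys/auth", headers={"Authorization": "Basic " + basic})
    sess.api("POST", f"/v1/sys/session/select_account/{acct_id}")
    app_id = sess.api("POST", "/v1/apps", app)["app_id"]  # app is the app.json dict
    build = {"app_id": app_id, "input_docker_version": "latest", "output_docker_version": "latest",
             "outputAuthConfig": {"username": reg_user, "password": reg_pass}}
    task_id = sess.api("POST", "/v1/builds/convert-app", build)["pending_task_id"]
    sess.api("PATCH", f"/v1/tasks/{task_id}", {"status": "APPROVED"})
    return app_id, task_id
```

Registry credentials still travel in the build request body exactly as with build.json; keep the Quickstart Guide's credential configuration in mind if you do not want them in a script.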

6.0 Run the Application

After creating and approving the application build, run the application on an SGX compute node.

Run the application using the following command:

docker run --privileged --volume /dev:/dev -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e 'VAULT_LOCAL_CONFIG={"listener": {"tcp": {"address": "127.0.0.1:8000", "tls_disable": true}}, "disable_mlock": true}' -e 'VAULT_API_ADDR=http://127.0.0.1:8000' -e SKIP_SETCAP=1 --network=host /vault-sgx

Where,

  • 8000 is the port on which HashiCorp Vault listens.

  • /vault-sgx:latest is the converted application image.

  • SKIP_SETCAP skips the setcap call. Vault uses setcap to enable mlock for memory pages containing sensitive information so that they are not swapped to disk. This step is skipped because setcap may not function in Enclave OS, mlock is not required for this purpose in Enclave OS applications, and the additional process creation impacts SGX performance.

Use "disable_mlock": true in VAULT_LOCAL_CONFIG and do not use --cap-add=IPC_LOCK.

To verify that the Vault server is running, run the following command:

curl http://127.0.0.1:8000/v1/sys/init

The command returns output similar to the following:

{"initialized":true}
