1.0 Introduction
This article describes how to deploy a PostgreSQL (PSQL) image in an Amazon Web Services (AWS) Nitro Enclave using Fortanix Confidential Computing Manager (CCM).
PostgreSQL, commonly referred to as Postgres, is an object-relational database management system (ORDBMS) that emphasizes extensibility and standards compliance. As a database server, PostgreSQL securely stores and manages data and provides access to that data for applications running on the same system or across a network.
2.0 Prerequisites
Ensure that you have the following:
A Fortanix Armor account.
An AWS EC2 instance with AWS Nitro support, Docker installed, and enrolled in Fortanix CCM.
3.0 Deploy PostgreSQL on AWS Nitro
3.1 Create an Application
Perform the following steps to create an application using the Fortanix CCM UI:
In the CCM UI left navigation panel, navigate to Applications, open the ACTIVE APPLICATION tab, and click ADD APPLICATION.
In the Add application dialog box, select Enclave OS and click NEXT.
In the Add application form, enter the application details and click ADD APPLICATION.
For detailed instructions, refer to Add Application.
3.2 Create an Application Build
Perform the following steps to create a build using the Fortanix CCM UI:
In the application details page, go to BUILDS tab and click ADD BUILD.
In the Add Build form:
Enter the tag of the application input Docker image.
Enter the registry credentials for the output image. Registry credentials are used to access the private Docker registry where the image will be pushed. The input image does not require credentials because it is stored in a public registry.
Click ADD BUILD.
For detailed instructions, refer to Create Application Build.
3.3 Approve the Application Build
From the CCM UI left navigation panel, select Tasks. On the Tasks page, select the build task and click APPROVE.
3.4 Run the Application
On the AWS Nitro compute node, run the converted application using the following command:
$ sudo docker run -it --rm -e ALLOW_EMPTY_PASSWORD=yes -e RUST_LOG=info --privileged -e NODE_AGENT=http://<node-agent-ip>:9092/v1/ -v /run/nitro_enclaves:/run/nitro_enclaves --pull=always <converted_image_name:tag>
Where:
9092 is the default port on which the Node Agent listens.
<node-agent-ip> is the IP address of the compute node. You can find this value on the Compute Nodes page under the Infrastructure tab.
<converted_image_name:tag> is the converted PostgreSQL image.
ALLOW_EMPTY_PASSWORD=yes lets the Bitnami PostgreSQL image start without a password for the postgres superuser. Use it only for this walkthrough; set a password (for example with POSTGRESQL_PASSWORD) before anything other than a local test client can reach the server.
For example:
$ sudo docker run -it --rm -e ALLOW_EMPTY_PASSWORD=yes -e RUST_LOG=info --privileged -e NODE_AGENT=http://172.31.14.110:9092/v1/ -v /run/nitro_enclaves:/run/nitro_enclaves --pull=always <converted_image_name:tag>
This starts a PostgreSQL server inside the AWS Nitro enclave.
Figure 1: PostgreSQL Server
3.5 Connect to the PostgreSQL Server
First, identify the IP address of the running PostgreSQL server container. Run the following command and read the IPAddress field under NetworkSettings:
$ sudo docker inspect <container name>
Then run the following command to start a PostgreSQL client that connects to that address:
$ sudo docker run -it <converted_image_name:tag> psql -h <ip-addr-server-container>
For example:
$ sudo docker run -i bitnami/postgresql:latest psql -h 172.17.0.0 -l
This command starts the PostgreSQL client, connects to the PostgreSQL server, and lists its databases (-l). The client here is started from the unconverted bitnami/postgresql image; only the server needs to run inside the enclave.

Figure 2: PSQL client
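Sections 3.4 and 3.5 above give the run and connect steps as separate interactive commands. The script below is an added example, not code from the Fortanix article: it builds the NODE_AGENT URL from the compute-node IP, starts the converted image detached under a fixed container name, reads the container's bridge address from docker inspect, polls until the server answers, and then opens psql. The IMAGE and NODE_IP variables, the container name pg-enclave, the retry limit, and the use of pg_isready and the Bitnami image's default postgres superuser are assumptions of this example, not settings documented on the page.

```shell
#!/bin/sh
# Added example, not code from the Fortanix article. Wraps steps 3.4 and 3.5.
# Assumed inputs (not defined on the page): IMAGE = converted image name:tag,
# NODE_IP = compute-node IP from the CCM Infrastructure tab. The container
# name pg-enclave, the retry limit, and the use of pg_isready and the
# Bitnami image's default "postgres" superuser are also assumptions.
set -eu

# Build the NODE_AGENT URL. 9092 is the Node Agent's default port (from the
# page). Anything that is not a dotted-quad IPv4 address is rejected, so a
# typo fails here instead of leaving the enclave unable to reach the agent.
node_agent_url() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    printf 'http://%s:9092/v1/\n' "$ip"
}

# Extract the bridge IP from `docker inspect` output passed in as $1, so the
# parser can be exercised without Docker. Keys are split one per line first
# (real inspect output is already pretty-printed that way); the quotes in the
# pattern keep "SecondaryIPAddresses" from matching.
inspect_ip() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/.*"IPAddress": *"\([0-9.]*\)".*/\1/p' | head -n 1
}

deploy() {
    agent="$(node_agent_url "$NODE_IP")" \
        || { echo "NODE_IP is not an IPv4 address: $NODE_IP" >&2; return 1; }
    # Same flags as the page's command, but detached under a fixed name so the
    # shell can go on to inspect and query the container.
    sudo docker run -d --name pg-enclave -e ALLOW_EMPTY_PASSWORD=yes \
        -e RUST_LOG=info --privileged -e NODE_AGENT="$agent" \
        -v /run/nitro_enclaves:/run/nitro_enclaves --pull=always "$IMAGE"
    server_ip="$(inspect_ip "$(sudo docker inspect pg-enclave)")"
    [ -n "$server_ip" ] || { echo "pg-enclave has no bridge IP" >&2; return 1; }
    # An enclave takes longer to come up than a plain container; poll with
    # pg_isready (part of the PostgreSQL client tools shipped in the image).
    tries=0
    until sudo docker run --rm "$IMAGE" pg_isready -h "$server_ip" >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 60 ] || { echo "server not ready after 2 minutes" >&2; return 1; }
        sleep 2
    done
    # -U postgres: the Bitnami image's default superuser, passwordless only
    # because of ALLOW_EMPTY_PASSWORD=yes.
    sudo docker run -it --rm "$IMAGE" psql -h "$server_ip" -U postgres -l
}

# Only act when invoked with "run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    : "${IMAGE:?set IMAGE to the converted image name:tag}"
    : "${NODE_IP:?set NODE_IP to the compute node IP}"
    deploy
fi
```

Invoke it on the compute node as IMAGE=<converted_image_name:tag> NODE_IP=<node-agent-ip> sh deploy-pg.sh run (the file name is arbitrary). Without the run argument the script only defines node_agent_url, inspect_ip and deploy, which is what makes the two parsing helpers checkable on a machine without Docker.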
3.6 Verify the Application
To verify that the application is running:
In the Fortanix CCM UI, navigate to Applications.
Open the application details page.
Verify that a running application build is displayed for the application.
NOTE
File persistence is currently not supported for converted PostgreSQL applications.