Using Fortanix Confidential Computing Manager with PostgreSQL

1.0 Introduction

This article describes how to integrate a PostgreSQL (PSQL) image in Amazon Web Services (AWS) Nitro using Fortanix Confidential Computing Manager (CCM).
PostgreSQL, often simply "Postgres", is an object-relational database management system (ORDBMS) emphasizing extensibility and standards compliance. As a database server, its primary function is to store data securely and in accordance with best practices, and then retrieve it when other software applications, whether on the same computer or on another computer across a network (including the Internet), request it.

2.0 Prerequisites

• A Fortanix CCM account.
• Nitro-enabled AWS EC2 instance with Docker installed and enrolled in Fortanix CCM.

3.0 Running the PSQL on AWS Nitro

1. In the Fortanix CCM UI, click the + APPLICATION button to create a new AWS Nitro application.
    
   Figure 1: Create new app
2. Add an Enclave OS application.
     See the User's Guide: Add and Edit an Application” article for more information.
   Figure 2: Create app
3. Approve the domain for the Application. See the article “User’s Guide: Tasks” for more information.
4. In the detailed view of the application, click the + IMAGES button to create a new application image.
    
   Figure 3: Create application image
5. Create an image of the application by providing a proper tag. See the “User's Guide: Create an Image” article for more information.
    
   Figure 4: Create image
6. Approve the image for the application. See the article “User's Guide: Tasks” for more information.
    
   Figure 5: Approve image
7. Now on your AWS nitro machine, run the application image using the following command:

   $ sudo docker run -it --rm -e ALLOW_EMPTY_PASSWORD=yes -e RUST_LOG=info –privileged -e NODE_AGENT_BASE_URL=<IP> -v /run/nitro_enclaves:/run/nitro_enclaves --pull=always <converted_image_name:tag>

   
   Where,
   
   • 9092 is the default port on which Node Agent listens to.
   • <IP> is the node agent Host IP (Your IP address will be different and can be checked on the “Compute Nodes” page under the Infrastructure tab).
   For example,
   

   $ sudo docker run -it --rm -e ALLOW_EMPTY_PASSWORD=yes -e RUST_LOG=info –privileged -e NODE_AGENT_BASE_URL=http://172.31.14.110:9092/v1/ -v /run/nitro_enclaves:/run/nitro_enclaves --pull=always <image_name:tag>

   
   This should start a PostgreSQL server in the AWS Nitro enclave.
     Figure 6: PostgreSQL server
8. Run the following command:

   $ sudo docker run -it <converted_image_name:tag> psql -h <ip-addr-server-container>

   The IP address of the server container can be found using the following command:

   $ sudo docker inspect <container name>

   For example,
   

   $ sudo docker run -i bitnami/postgresql:latest psql -h 172.17. 0.0 -l

   This should start up the PSQL client as shown below:
     Figure 7: PSQL client
9. To ensure the application is running, go to the Fortanix CCM UI and click the Applications tab. Verify that there is a running application image associated with it and displayed with the application in the detailed view of the application.
   
   NOTE

   The conversion does not currently support file persistence.