Quickstart Guide – Fortanix

Introduction

Fortanix Enclave Manager enables an application to run in a confidential environment. The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing.

This quick-start guide will help you get started. For a detailed user guide refer to https://support.fortanix.com/hc/en-us/sections/360008695591-User-Guide

Getting Started Video:

Prerequisites:

A private Docker registry to push converted application image(s)
An Azure Portal subscription account

Step 1: Signup and Log in to Fortanix Enclave Manager SaaS

Visit https://em.fortanix.com/ and signup.
After your account is approved by the administrator, log in by entering your email id and password.

Figure 1: Logging in

Step 2: Create and Select an Account

Once you sign up and log in, you will be taken to the Accounts page. Click ADD ACCOUNT to create a new account.
Enter a name for the new account and optionally add a custom logo for the account. Click CREATE ACCOUNT to complete the account creation.

Create an account

Figure 2: Create an account

Once the account is created, click SELECT to select the newly created account. Click GO TO ACCOUNT to enter the account and start enrolling the compute nodes and creating applications.

Select an account

Figure 3: Select an account

Step 3: Add an Application - Example : Flask Server

In the Applications tab, click the + APPLICATION button to add an application. In this example, let us add a Flask Server application.

Create an application

Figure 4: Create an application

Fill the relevant details as shown below and click ADD. You can use the Fortanix's docker registry for the sample app.

Details:
Docker Hub: https://hub.docker.com/u/fortanix/

App: fortanix/python-flask

Optional: You can run the app with the following command

sudo docker run fortanix/python-flask

NOTE: It is recommended to use your private docker registry to keep the output image.

App details

Figure 5: Configure an application

Step 4: Create an Image

A Fortanix Enclave Manager Image is a particular software release or a version of an application. Each image is associated with one enclave hash (MRENCLAVE).
Click on the Images tab to create an image.

Create an image

Figure 6: Create an image

Enter the REGISTRY CREDENTIALS for Output image name. The Registry Credentials are the credentials to access the private docker registry where the image will be pushed. Also, provide the image tag. Click Create to proceed.

Figure 7: Create an image

Step 5: Domain and Image Whitelisting

An application whose domain is whitelisted will get a TLS Certificate from Fortanix Enclave Manager. Similarly when an application runs from the converted image, the application will try to contact Fortanix Enclave Manager and ask for a TLS Certificate.
On the Tasks Tab, approve the pending requests to whitelist the domain and image.

Whitelist the domain and Image

Figure 8: Whitelist the domain and Image

Step 6: Enroll Compute Node Agent

In the Compute Nodes tab, click the ENROLL COMPUTE NODE button.
Click GENERATE TOKEN to generate the Join Token. This Join Token is used by the compute node to authenticate itself.

Figure 9: Copy the generated Join Token

Visit https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortanix.rte_node_agent to create the Node Agent to register the compute node.
NOTE: Alternatively, you can also download the latest node agent from https://support.fortanix.com/hc/en-us/articles/360043407012-Fortanix-Node-Agent

Figure 10: Create node agent in Azure

Fill the information as given below to spin up the node agent on Azure. Paste the Token generated earlier on the "Join Token" field on Azure portal. NOTE: Fortanix Enclave Manager service is currently available in (US) East US, (UK) South UK, or Central Canada regions only.

Figure 11: Configure the node agent

Once the node agent is created, the compute node will be enrolled in Enclave Manager, you will see it under the Compute Nodes overview table.

Figure 12: Node enrolled

Step 7: Run the application image on the Compute Node

Run this application image on the node by using the following command:

For this example Application, the command would be

sudo docker run --device /dev/isgx:/dev/isgx --device /dev/gsgx:/dev/gsgx -v /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket -e NODE_AGENT_BASE_URL=http://52.152.206.164:9092/v1/ fortanix-private/python-flask-sgx

Where,

9092 is the port on which Node Agent listens up
52.152.206.164 is the Node Agent Host IP
fortanix-private/python-flask-sgx is the converted app that can be found in the Images tab under Image Name column in the Images table.

NOTE:

Please use your own inputs for Node IP, Port, and Converted Image in the above format. The information in the example above is just a sample.

Step 8: Verify and Monitor running application

Click the Applications tab and verify that there is a running application image associated with it and displayed with the application in the detailed view of the application.

Figure 13: Deployed Application

For quick support, please join our slack community: https://fortanix.com/community/
Channel: #encalvemanager