Introduction
You can convert your images to run in an EnclaveOS® environment by using the Fortanix SGX Container Converter. After your images are converted, you can deploy them on your SGX-capable cluster.
Using SGX Converter Tool
The SGX Container Conversion tool modifies your existing Docker containers to run in the Fortanix Confidential Computing Manager (CCM) environment. The converter pulls your existing image, converts the application, and pushes the resulting image to the specified location. After your images are converted, you can deploy them to your SGX-capable workload container.
Before you begin
Before you convert your applications, you should ensure that you fully understand the following considerations:
- For security reasons, secrets must be provided at runtime, not placed in the container image that you want to convert. When an app is converted and running, you can verify through attestation that the application is running in an enclave before you provide any secrets.
- Container environments used for testing include the following:
  - Debian 8
  - Debian 9
  - Ubuntu 16.04
  - Ubuntu 18.04
  - Java OpenJDK 8
  - Java OpenJ9 0.14
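The first consideration above can be checked before conversion. The following is an added example, not part of the Fortanix documentation or tooling: it scans the JSON printed by `docker image inspect` for environment variables and labels that look like embedded secrets. The sample input, the name pattern, and the length and entropy thresholds are constructed assumptions.

```python
import json
import math
import re

# Constructed sample: trimmed output of `docker image inspect <source image>`.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["registry.example.com/app:1.0"],
    "Config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin",
            "DB_PASSWORD=constructed-sample-value",
            "APP_MODE=production",
            "SESSION_SEED=q8Zr1LwT0mXv9KcYb3HnPf6JdUa2EsGi",
        ],
        "Labels": {"maintainer": "ops@example.com", "api_token": "constructed"},
    },
}])

# Assumed heuristic: key names that usually hold credentials.
SECRET_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api_?key|private_?key|credential)", re.I)

def shannon_entropy(value):
    """Bits per character; long random-looking strings score high."""
    if not value:
        return 0.0
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def find_embedded_secrets(inspect_json, min_len=24, min_entropy=4.0):
    """Return (image, location, key, reason) for settings baked into the image."""
    findings = []
    for image in json.loads(inspect_json):
        name = (image.get("RepoTags") or ["<untagged>"])[0]
        config = image.get("Config") or {}
        # Env entries are "KEY=VALUE" strings; Labels is a key/value mapping.
        pairs = [("Env", *e.partition("=")[::2]) for e in config.get("Env") or []]
        pairs += [("Label", k, v) for k, v in (config.get("Labels") or {}).items()]
        for location, key, value in pairs:
            if SECRET_NAME.search(key):
                findings.append((name, location, key, "secret-like name"))
            elif len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append((name, location, key, "high-entropy value"))
    return findings

if __name__ == "__main__":
    for finding in find_embedded_secrets(SAMPLE_INSPECT):
        print(finding)
```

Any finding should be removed from the source image and supplied at runtime after attestation succeeds. An empty result only covers the image configuration, not files inside the image layers.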
Prerequisites
- Input image and Output image for conversion.
Steps
- Click the Tools tab in the Fortanix CCM UI.
- Click CONVERT AN APPLICATION.
Figure 1: Tools tab
- In the SGX container conversion form, fill in all the required fields:
  - Source Image
  - Output Image
  - Enclave thread count

  Fill in the optional field:
  - Enclave Memory
- Enter the REGISTRY CREDENTIALS for Source Image and Output Image. The Registry Credentials are the credentials used to access the private Docker registry from which an image is pulled or to which it is pushed.
  - If you have added a registry in a particular account using the Settings page of Fortanix CCM, then the check box Use saved credentials will be selected by default and the registry names for input image and output image will be filled automatically for the Add Registry Credentials fields.
    Figure 6: Add saved registry credentials
  - If you have not saved any Registry Credentials in the Settings page of Fortanix CCM, then manually enter the registry credentials for the Input image name and Output image name. If the private Docker registry is the same for the input image and the output image, then select the check box Use same credential as input image registry in the Output image name.
    Figure 7: Add registry credentials manually
- Click CONVERT to convert the image.
- Once the image is converted, it will show up in the Output Image Path that you provided.