See more

User's Guide: Convert an Application

  • Last updated:
  • access_time Reading time:

Introduction

You can convert your images to run in an EnclaveOS® environment by using the Fortanix SGX Container Converter. After your images are converted, you can deploy them on your SGX capable cluster.

Using SGX Converter Tool

The SGX Container Conversion tool modifies your existing Docker containers to run in the Fortanix Confidential Computing Manager (CCM) environment. The converter pulls your existing image, converts the Application, and pushes the resulting image to the specified location. After your images are converted, you can deploy them to your SGX capable workload container.

NOTE
The conversion process does not encrypt your application. Only data that is generated at runtime – after the application is started within an SGX enclave, is protected by Fortanix CCM.

Before you begin

Before you convert your applications, you should ensure that you fully understand the following considerations:

  • For security reasons, secrets must be provided at runtime - not placed in the container image that you want to convert. When an app is converted and running, you can verify through attestation that the application is running in an enclave before you provide any secrets.
  • Testing container environments include the following:
    • Debian 8
    • Debian 9
    • Ubuntu 16.04
    • Ubuntu 18.04
    • Java OpenJDK 8
    • Java OpenJ9 0.14

Prerequisites

  • Input image and Output image for conversion.

Steps                      

  1. Click the Tools tab in the Fortanix CCM UI.
  2. Click CONVERT AN APPLICATION. CCM_68.png
                                                                     Figure 1: Tools tab
     
  3. In the SGX container conversion form, fill all the required fields:
    • Source Image
    • Output Image
    • Enclave thread count

      Fill the optional field:

    • Enclave Memory
  4. Enter the REGISTRY CREDENTIALS for Source Image and Output Image. The Registry Credentials are the credentials to access the private docker registry from which an image is going to be pulled or pushed.
    • If you have added a registry in a particular account using the Settings page of Fortanix CCM, then the check box Use saved credentials will be selected by default and the registry names for input image and output image will be filled automatically for the Add Registry Credentials fields.
        CCM_69.png                                                        Figure 6: Add saved registry credentials  
       
    • If you have not saved any Registry Credentials in the Settings page of Fortanix CCM, then manually enter the registry credentials for the Input image name and Output image name. If the private docker registry is the same for the input image and the output image, then select the check box Use same credential as input image registry in the Output image name.
        CCM_70.png                                                            Figure 7: Add registry credentials manually
       
  5. Click CONVERT to convert the image.                                                            
  6. Once the image is converted, it will show up in the Output Image Path that you provided.