Documentation Index

Fetch the complete documentation index at: https://support.fortanix.com/llms.txt

Use this file to discover all available pages before exploring further.

Azure Confidential VM Attestation - Linux

  • Updated on Jun 26, 2026
  • Published on Apr 10, 2026
  • 3 minute(s) read
Prev Next

1.0 Introduction

This article describes the procedure for completing the attestation workflow for an Azure Confidential Virtual Machine (CVM) using Fortanix Confidential Computing Manager (CCM) in Linux-based environments.

After configuring the application and build in Fortanix CCM and registering the required Platform Configuration Register (PCR) values, the Azure CVM must run the Fortanix Attestation Client for Linux to establish trust and register itself as an approved compute instance.

2.0 Prerequisites

Before proceeding, ensure the following:

  • Ensure to download the Fortanix Azure CVM Attestation Client binary from here.

  • The Azure CVM has been deployed and is accessible.

  • A Fortanix CCM application and its associated build have been created and approved.

  • PCR values collected from the Azure CVM environment have been mapped to the build in Fortanix CCM. For more information on creating Azure VMs and performing PCR extraction, refer to Azure Confidential VM Setup - Linux.

  • Network access exists between the Azure CVM and Fortanix CCM endpoint.

  • You have access to the following configuration values:

    • Fortanix CCM tenant URL

    • Join token

NOTE

Attestation cannot proceed if the application build has not been approved in Fortanix CCM.

3.0 Configure Execution Permissions

Before configuring permissions, run the following command to make the azure-cvm-attestation-client file executable:

chmod +x ./ccm_attestation_client_azure_cvm_linux

The attestation client can run either as root or as a restricted user, depending on system configuration.

Option 1: Run as root

No additional configuration is required.

Option 2: Run as non-root

Run the following command to verify whether TPM devices are readable by non-root users:

stat -c%G /dev/tpmrm0

If the output indicates the resource belongs to the tss group, run the following command to add the current user to this group:

sudo usermod -aG tss $USER

NOTE

Log in again to apply the updated group membership.

4.0 Configure Environment Variables

The Fortanix Attestation Client uses the following environment variables:

NOTE

The JOIN_TOKEN is mandatory. Without it, the node will not register with Fortanix CCM.

Environment Variable

Default Value

Description

RUST_LOG

ERROR

Set to DEBUG to enable verbose logging.

RUST_BACKTRACE

0

Set to 1 to enable panic backtraces.

MANAGER_ENDPOINT

https://ccm.fortanix.com

Fortanix CCM service endpoint for attestation requests.

JOIN_TOKEN

unset

Must be set to the join token generated in Fortanix CCM.

Example configuration:

export RUST_LOG=debug
export MANAGER_ENDPOINT=https://ccm. fortanix.com
export JOIN_TOKEN=cccccbrenhlrinntnlhubfuulnbfnnchrltbvcchbelc

5.0 Generate a Join Token

Perform the following steps to generate a join token in Fortanix CCM:

  1. Log in to Fortanix Armor Platform. For more information, Getting Started with Fortanix Armor.

  2. Navigate to the Fortanix CCM user interface (UI). For more information, refer to Fortanix Armor Solutions.

  3. In the CCM user interface (UI) left navigation panel, click Infrastructure → COMPUTE NODES → Azure SEV Containers, and then click ADD NODE.

    Figure 1: Add node

  4. In the Enroll Compute Node window, click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.

6.0 Run the Attestation Client

Run the following command to execute the attestation client:

sudo -E ./ccm_attestation_client_azure_cvm_linux

NOTE

You can also set the environment variables and run the attestation client through a script.

Example script: test.sh

export RUST_LOG=debug
export MANAGER_ENDPOINT=https://ccm.fortanix.com  
export JOIN_TOKEN=<JOIN TOKEN VALUE>
sudo -E ./ccm_attestation_client_azure_cvm_linux

Run the script using the following command:

bash test.sh

The above script sets the environment variables.

The attestation process begins automatically. During this time, the client collects platform evidence, verifies signatures, and submits measurements to Fortanix CCM. The process may take several minutes, depending on the compute environment and network conditions.

Figure 2: Evidence and certificate are fetched

NOTE

Running the attestation client multiple times for the same build generates a new certificate each time. This allows users to obtain new certificates when previous ones expire.

7.0 Verify Attestation Status in Fortanix CCM

After the attestation client has completed execution, verify the attestation result in Fortanix CCM by confirming that the attestation certificate is available for download.

Perform the following steps to download the certificate:

  1. Navigate to the Fortanix CCM UI. For more information, refer to Fortanix Armor Solutions.

  2. Navigate to Applications and select the Azure CVM application, then go to its detailed view and navigate to CERTIFICATES tab.

  3. Click DOWNLOAD CERTIFICATE to verify its validity.

Attestation is considered successful when the attestation certificate appears and is available for download. This confirms that the hardware measurements match the PCR values configured for the build in Fortanix CCM.

Related articles

Platform
Fortanix Armor
Armet AI Key Insight Data Security Manager Confidential Computing Manager
Open Source Platform
Enclave Development Platform®

Solutions
Use Cases
Legacy to Cloud Infrastructure Migration Regulatory Compliance Post-Quantum Readiness Secure, Data-Driven Innovation
Industry
Healthcare Banking & Financial Services Fintech Manufacturing Federal Government

Company
About Us Partners Careers Confidential Computing University Blog FAQ Contact Us Awards Events Webinars Press News Services Media Kit Newsletters

Customers

Resources

Support
Fortanix-logo

4.6

star-ratings

As of August 2025

Request a Demo