Attestation based Enclave Configuration Service
KubeTEE AECS provides the secret generation, management, storage and dispatch service to TEE applications. After bidirectional authentication based on remote attestation between AECS and all TEE-based application service, each service enclave instance will share the secrets from AECS server, and use the secrets for later use cases.
As far as now, we support the following type of secrets:
- AES-GCM256 key
- RSA key pair
- SM2 key pair
- Self-signed certificate and key
- Secret imported by user (Bring your own secret)
- Application sensitive configurations as key-value pair
We provide a public docker image for AECS server test only. It's runing in simulation mode and also has debug log messages. Try it simply like this:
./deployment/aecs_test.sh start # stop command to stop it
In case you want to build the AECS and create the docker image by your self, please follow the steps (2.2.1 ~ 2.2.4) below.
If it's the first time you build the project after clone the source code, please update the sub-modules like the this.
git submodule update --init --recursive
./deployment/dockerbuild.sh
You need to generate the test certificates like this (for development and test only, should use formal certificates in product environment):
./deployment/generate_certs_and_kubeconfig.sh
Then create the image with test certificates and configurations.
./deployment/create_image.sh
./deployment/run_image.sh ./aecs_server
# Save the AECS identity key into storage for backup for the first time to start the aecs server
# For the second time start the aecs server, this provision action will reload the identity key.
./deployment/run_image.sh ./aecsadmin --config /etc/kubetee/aecs_admin_test.kubeconfig --action provision --hostname localtest
# Create a enclave service named "service1" and list it
./deployment/run_image.sh ./aecsadmin --config /etc/kubetee/aecs_admin_test.kubeconfig --action register --service service1 --pubkey /etc/certs/service_admin_public.pem
./deployment/run_image.sh ./aecsadmin --config /etc/kubetee/aecs_admin_test.kubeconfig --action list
# Create three test secrets for service1 and list all of them
./deployment/run_image.sh ./serviceadmin --config /etc/kubetee/service_admin_test.kubeconfig --action create --policy /etc/kubetee/service_secret_policy.yaml
./deployment/run_image.sh ./serviceadmin --config /etc/kubetee/service_admin_test.kubeconfig --action list
KubeTEE AECS is not final stable at this moment. There will be some improvements or new feature updates later. Anyone is also welcome to provide any form of contribution, please see CONTRIBUTING.md for details.
For any security vulnerabilities or other problems, please contact us by email.
KubeTEE AECS is released by Ant Group under Apache 2.0 License and also used some other opensource code. See the license information here for detail.