aws-nitro-enclaves-cli icon indicating copy to clipboard operation
aws-nitro-enclaves-cli copied to clipboard
verified publisher icon aws

Signing enclave images with HSM/KSM

Open yoavj1 opened this issue 5 years ago • 3 comments

Currently the only option to sign an enclave image is to pass the private key and the certificate to build-enclave command. However, it prevents storing the key in a secure storage like HSM or KSM, and using it only for signing without retrieving the key itself. One solution is to allow to add the signature after the enclave was created, so the signature can be produced independently from the enclave creation.

yoavj1 avatar Nov 24 '20 07:11 yoavj1

Thank you for the feature request. There are two topics here:

  1. Signing with an AWS KMS asymmetric key (and/or maybe a key from an HSM or Nitro Enclave :) ).
  2. Attaching/replacing a signature to an already created image.

petreeftime avatar Nov 24 '20 11:11 petreeftime

@petreeftime I guess that now, that you merged https://github.com/awslabs/aws-nitro-enclaves-cose/issues/5, it's possible to add the requested functionality to the CLI.

gal-fordefi avatar Aug 08 '22 13:08 gal-fordefi

Yes, it should be possible to add support for this.

petreeftime avatar Aug 09 '22 11:08 petreeftime