Is it possible to backup or snapshot AWS Nitro Enclave instances?
We are considering using AWS Nitro Enclaves to handle signing payloads behind a time-lock puzzle. We are considering Nitro Enclaves because the signing standards are not available in HSM and because of the time-lock puzzle.

We also have the requirements that signing keys are never directly accessible for any IAM user, but that they are crash-resistant. That is, we don't want a crash to cause us to suddenly lose access to one of these keys.

Using KMS-based signing doesn't work because they are subject to IAM Role governance.

Generating keys within the Nitro Enclave without a way to restore at least some of the cryptographic material relevant to this generation would also not work because that is not crash-resistant.

I don't see documentation covering enclave backups, snapshots, or storage of cryptographic material. I suppose much of how these operations function normally would ruin or require ruining enclave security.

Is there something I'm missing? Is it possible to backup or snapshot AWS Nitro Enclave instances?

Liam, asked a month ago, 101 views
2 Answers
Accepted Answer

No Built-In Snapshot/Backup: AWS Nitro Enclaves do not support snapshots or backups due to their design focusing on security and isolation.

Alternative Approaches: To achieve crash resistance, consider storing key material outside the enclave in a secure manner, using redundant enclaves, or integrating with external key management solutions that are not reliant on IAM roles for access.

AWS Expert Deeksha, answered a month ago
Reviewed by an Expert a month ago
Reviewed by an Expert a month ago
Comment from Liam:

"consider storing key material outside the enclave in a secure manner... integrating with external key management solutions that are not reliant on IAM roles for access."

Is there a product you would recommend for this? I'm not seeing how to achieve this with AWS HSM or KMS-adjacent services. I also don't know a third party that would make sense. It generally seems like a very circular problem, unless someone has developed a solution designed specifically for it.

"redundant enclaves"

Assuming we are still generating the keys inside the enclave, this approach would rely on some form of encrypted enclave-to-enclave communication of the secrets (or parts of the secrets), right?

In terms of actual availability, how should we reason about risks? Are enclave outages within a given datacenter correlated? Are there some numbers we can look at?

I think if we were to combine this with something like Shamir's secret sharing, we'd be in quite a good spot. But it is quite a bit to implement. Do you have examples you could link to of folks who have encountered a similar set of requirements?


Hello,

AWS Nitro Enclaves don't support traditional snapshots or backups due to their security design. To meet your crash-resistance and key accessibility requirements:

Redundant Enclaves: Deploy multiple enclaves across different availability zones for fault tolerance. Use Shamir's Secret Sharing for added security.

External Key Storage: Consider using AWS CloudHSM for secure key storage, as it keeps keys out of IAM role governance.

Check this document: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html

Expert, answered a month ago
Comment from Liam:

That's the top-level documentation for Nitro Enclaves. Do you intend to link something more specific?

The issue with CloudHSM is that it doesn't support our signing standards and furthermore, whoever is allowed to use an HSM key is still governed by IAM roles. So, you end up back where you started, as far as we can work out.
