Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Key persistence and sharing in Intel SGX

nolasco_napoleao
Beginner
874 Views
We are developing a product built on top of Intel SGX hosted on Azure, and we are facing some challenges when it comes to data persistence. We have two requirements:
  1. The ability to store a persistent secret key between restarts
  2. The ability to share this key with other enclaves (provided these are signed by the same entity, aka Applied Blockchain); we'll refer to this as forward key sharing.
Our infrastructure is deployed and managed on Kubernetes on Azure, and as such network destruction poses a great concern. We've implemented an in-house solution to the persistence problem, wherein all enclaves can provision each other assuming they have the same MRENCLAVE, removing the single point of failure. Forward key sharing is harder to achieve due to microcode updates that prevent the enclave from "recognizing" a newer enclave. Before we dive deeper, we would like to know if Azure has any solutions for persisting data between microcode updates to Intel TEEs.
3 Replies
Zulkifli_Intel
Moderator
840 Views

Hi Nolasco_napoleao,

Thank you for reaching out to Intel Customer Support.
I'm checking this out and will get back to you soon.
Regards,

Zulkifli

Zulkifli_Intel
Moderator
724 Views

Hi Nolasco_napoleao,
Sorry for the delay in replying. You don't need to worry about sealing and microcode updates in Azure: Microsoft ensures that key blobs from past TCB levels are saved before and restored after a microcode update (aka TCB recovery), so anything sealed before the upgrade will be able to be unsealed after.
Please contact Azure support for further help on using Intel® SGX on Azure.


Sincerely,

Zulkifli

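Sealing policy is the mechanism behind both requirements in the original post and the TCB-recovery point in the reply above, and its behaviour is easier to see in code than in prose. What follows is an added example written for this page, not code from the poster, Intel or Microsoft: a toy model of EGETKEY's seal-key derivation in which HMAC over a constructed "fused secret" stands in for the CPU's key derivation, a stream-cipher-plus-MAC construction stands in for the SDK's AES-GCM sealing, and CPUSVN ordering is simplified to a component-wise comparison. The enclave identities (`build A`, `build B`, the signer hashes), the CPUSVN values and the "same CPU after a microcode update" platform are all constructed. It shows why MRENCLAVE-policy sealing breaks the moment an enclave is rebuilt, why MRSIGNER-policy sealing lets a newer enclave from the same signer read the key (the post's forward key sharing) while refusing an older ISVSVN (rollback protection), and why a blob sealed at an older CPUSVN still unseals after the platform's TCB moves forward but not the reverse.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MRENCLAVE_POLICY = "MRENCLAVE"   # key bound to one exact enclave build
MRSIGNER_POLICY = "MRSIGNER"     # key bound to the signer (plus ISVPRODID)

@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes   # measurement of this exact build
    mrsigner: bytes    # hash of the vendor's signing key
    isvprodid: int     # product id chosen by the signer
    isvsvn: int        # security version chosen by the signer

@dataclass(frozen=True)
class Platform:
    root_secret: bytes  # constructed stand-in for the per-CPU fused sealing secret
    cpusvn: tuple       # constructed stand-in for CPUSVN, the microcode/TCB level

@dataclass(frozen=True)
class KeyRequest:
    # Subset of the fields the SDK stores in sgx_sealed_data_t.key_request
    policy: str
    isvsvn: int
    cpusvn: tuple
    key_id: bytes

class SealError(Exception):
    pass

def egetkey(platform: Platform, enclave: Enclave, req: KeyRequest) -> bytes:
    """Model of EGETKEY: an enclave may request keys only at its own or an older
    ISVSVN, and only at the current or an older CPUSVN (compared component-wise here)."""
    if req.isvsvn > enclave.isvsvn:
        raise SealError("SGX_ERROR_INVALID_ISVSVN")
    if any(r > c for r, c in zip(req.cpusvn, platform.cpusvn)):
        raise SealError("SGX_ERROR_INVALID_CPUSVN")
    identity = enclave.mrenclave if req.policy == MRENCLAVE_POLICY else enclave.mrsigner
    material = b"|".join([
        req.policy.encode(), identity,
        enclave.isvprodid.to_bytes(2, "big"), req.isvsvn.to_bytes(2, "big"),
        bytes(req.cpusvn), req.key_id,
    ])
    return hmac.new(platform.root_secret, material, hashlib.sha256).digest()

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC counter mode; a stand-in for the SDK's AES-GCM, not a recommendation
    blocks = [hmac.new(key, b"enc" + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _mac(key: bytes, req: KeyRequest, ct: bytes) -> bytes:
    aad = req.policy.encode() + bytes(req.cpusvn) + req.isvsvn.to_bytes(2, "big") + req.key_id
    return hmac.new(key, b"mac" + aad + ct, hashlib.sha256).digest()

def seal(platform, enclave, policy, plaintext):
    """Seal under a fresh key_id at the enclave's own ISVSVN and the platform's CPUSVN."""
    req = KeyRequest(policy, enclave.isvsvn, platform.cpusvn, os.urandom(32))
    key = egetkey(platform, enclave, req)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return req, ct, _mac(key, req, ct)

def unseal(platform, enclave, blob):
    req, ct, tag = blob
    key = egetkey(platform, enclave, req)   # raises if this enclave/TCB may not derive the key
    if not hmac.compare_digest(tag, _mac(key, req, ct)):
        raise SealError("SGX_ERROR_MAC_MISMATCH")  # a *different* key was derived
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def run_scenarios():
    """Outcome per scenario ('ok' or the SGX-style error) for constructed identities."""
    vendor = hashlib.sha256(b"constructed vendor signing key").digest()
    other = hashlib.sha256(b"constructed other signing key").digest()
    build_a = Enclave(hashlib.sha256(b"build A").digest(), vendor, isvprodid=1, isvsvn=1)
    build_b = Enclave(hashlib.sha256(b"build B").digest(), vendor, isvprodid=1, isvsvn=2)
    stranger = Enclave(hashlib.sha256(b"build X").digest(), other, isvprodid=1, isvsvn=2)
    cpu_old = Platform(b"constructed fused secret", cpusvn=(1, 0))
    cpu_new = Platform(b"constructed fused secret", cpusvn=(1, 1))  # same CPU, newer microcode
    secret = b"persistent product key material"

    by_enclave = seal(cpu_old, build_a, MRENCLAVE_POLICY, secret)
    by_signer = seal(cpu_old, build_a, MRSIGNER_POLICY, secret)
    by_newer = seal(cpu_new, build_b, MRSIGNER_POLICY, secret)

    def attempt(platform, enclave, blob):
        try:
            return "ok" if unseal(platform, enclave, blob) == secret else "corrupt"
        except SealError as e:
            return str(e)

    return {
        "same_build_mrenclave": attempt(cpu_old, build_a, by_enclave),
        "rebuilt_enclave_mrenclave": attempt(cpu_old, build_b, by_enclave),
        "newer_build_mrsigner": attempt(cpu_old, build_b, by_signer),        # forward key sharing
        "other_signer_mrsigner": attempt(cpu_old, stranger, by_signer),
        "older_build_reads_newer_blob": attempt(cpu_new, build_a, by_newer),  # rollback protection
        "after_microcode_update": attempt(cpu_new, build_a, by_signer),       # TCB moved forward
        "sealed_on_newer_tcb_read_on_older": attempt(cpu_old, build_b, by_newer),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:36s} {outcome}")
```

The scenario names map onto the post's concerns: `newer_build_mrsigner` is forward key sharing, `after_microcode_update` is the TCB-recovery case, and the two refusals (`older_build_reads_newer_blob`, `sealed_on_newer_tcb_read_on_older`) are the directions sealing deliberately does not go. In the SDK the policy is chosen through `sgx_seal_data_ex()`, which takes `SGX_KEYPOLICY_MRENCLAVE` or `SGX_KEYPOLICY_MRSIGNER` explicitly. One caveat the model makes visible: the seal key is bound to the physical CPU (the fused secret here), so sealed blobs never migrate between hosts. On Kubernetes, where a pod can be rescheduled onto another machine, the attestation-based provisioning between enclaves that the post already describes is what moves a key between hosts; sealing only covers restarts on the same machine.
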
Zulkifli_Intel
Moderator
593 Views

This thread will no longer be monitored since we have provided a solution. If you need any additional information from Intel, please submit a new question.
