Confidential Computing
Caution
This feature is a technical preview for evaluation in non-production environments. A technical preview introduces new, limited functionality for customer feedback as we work on the feature. Details and functionality are subject to change. This includes API endpoints, UI elements, and CLI commands. We cannot guarantee that data created as part of a technical preview will be retained after the feature is finalized.
Confidential Computing is a cloud computing technology that can isolate and protect data on Confidential Virtual Machines (CVMs) or Trusted Domains (TDs) to protect them from a broad range of software attacks. Confidential computing ensures that all data operations are executed within a Trusted Execution Environment.
Confidential Computing provisioning requires an attestation authority, such as Intel Trust Authority, to attest the CVMs or TDs and create a Trusted Execution Environment around them.
CTE UserSpace makes Confidential Computing provisioning seamless, without the need to install or configure any additional tools on CTE-U clients. CTE-U together with CipherTrust Manager takes care of the attestation process to provision confidential computing on VMs running on CTE-U agents. If attestation fails, any access to the encrypted data guarded by CTE-U is prohibited.
Requirements & Specifications
| Category | Description |
|---|---|
| Attestation Authority | Currently, only Intel Trusted Authority (ITA) is supported. |
| Agent Requirements |
Note Support available for Azure VMs supporting Intel TDX (Trust Domain Extension) — Intel CPU instruction set architecture extension that supports the management of Trust Domains. |
| CTE-U Version | 10.4.0 and above |
Prerequisite
- Enable Confidential Computing: Ensure Confidential Computing is enabled for the client to register it with the CipherTrust Manager. Refer to CTE UserSpace Quick Start Guide.
Activate Confidential Computing on CTE-U Clients
To activate confidential computing on a CTE-U client, complete the following steps:
Create Attestation Authority connections in the CipherTrust Manager.
Note
To provision Confidential Computing on CTE-U clients, you require one admin connection (connection with administrator privileges) and one non-admin connection (connection without administrator privileges). The admin connection is necessary to retrieve the policies from the Attestation Authority, while the details of the non-admin connection are shared with the CTE agents.
Log on to CipherTrust Manager.
Go to Access Management > Connections.
Select + Add Connection.
In the Select Connection Type section, select More and then select Attestation Authority from the Select Connection dropdown.
Click Next.
In the General Info section, enter the Name and Description for the connection.
Click Next.
In Configure Connection section, enter the following details:
Field Name Description URL Provide the URL for connecting to the Attestation Authority. Base URL Provide base URL for the Attestation Authority. API Key Provide the allocated API key to establish connection with Attestation Authority. Meta Provide meta information in the JSON format. Select the Admin User checkbox to create a connection with administrator privileges. By default, a connection without administrator privileges will be created.
Click Next.
In Add Products section, select the CTE checkbox.
Click Add Connection.
To edit or delete the created connection, see Attestation Authority Connection.
Create a Client Profile associated with above connection.
In CipherTrust Manager, click Access Management > Add Client Profile.
Enter Profile Name and Description.
Select CA Type: Local or External.
Select the respective Local or External CA in Select <Local or External> CA.
Enter the Certificate Duration for which the CA certificate will remain active.
Expand the CONFIDENTIAL COMPUTING section and add the following details:
Select Attestation Authority Identifier. Currently, only Intel Trust Authority (ITA) is supported.
Select the Attestation Type. This is the technology that Attestation Authority uses to attest VMs on CTE agent.
Select a non-admin connection in the Attestation Connection field.
Select an admin connection in the Admin Connection field. By default, this field remains blank. Selecting a value in this field allows you to select policies in the Policy Names field.
Note
Admin and non-admin type connections should belong to the same Attestation Authority.
Select the policies in the Policy Names field. These policies are fetched from the Attestation Authority server. You can select multiple policies.
Keep the default values for the remaining fields.
(Optional) Click Reset confidential computing form to reset all the fields to the default values and input the information again.
Click Add Client Profile.
To update or delete the created client profile, see Managing Client Profiles.
Create a registration token associated to the above Client Profile. Retain this registration token.
Use the registration token during installation and registration of CTE UserSpace Agent.
