Anjuna Enterprise Enclaves for Azure confidential computing
Anjuna Enterprise Enclaves makes it quick and simple to protect cloud data and IP with Microsoft’s Azure confidential computing.
Azure confidential computing leverages Intel® Software Guard Extensions (SGX)-enabled CPUs to establish secure enclaves that protect the confidentiality and integrity of data and applications while being processed in the public cloud. Within seconds, Anjuna Enterprise Enclaves can automatically establish a secure enclave that isolates and encrypts all application resources in runtime, at rest, and on the network.
The result is the strongest full stack protection available. Anjuna’s “lift and shift” approach eliminates the need to work with ever-changing applications and software development kits (SDKs). And no changes to applications, recompilation, or operations are required.
This document walks you through the process of deploying a Redis server in a secure Anjuna enclave using Microsoft’s Azure Kubernetes Services.
Before We Get Started
In order to run Anjuna’s secure runtime, you first need to set up Azure Kubernetes Services with support for Confidential Computing. To set up a cluster with the necessary support, follow the instructions in Microsoft’s guide to setting up confidential computing nodes.
When you reach the section titled "Adding confidential computing node to existing AKS cluster," return to this document to continue.
1. Register an Access Token
In order for your Kubernetes cluster to pull Anjuna Docker images, you’ll need an access token for Anjuna’s Azure Container Registry. You can get your token by contacting Anjuna at by submitting this form:
2. Set Up the Azure Command-line Interface
The command-line interface to Azure is called
az. You can find Microsoft’s instructions for installing
az at the Azure documentation site. Follow the instructions there to set it up before continuing with the next step.
3. Securely Store Your Token
To store your access token as a Kubernetes secret, execute the following command in the shell:
kubectl create secret docker-registry anjuna-acr-secret \
--docker-server anjunaaks.azurecr.io \
--docker-username [username provided by Anjuna] \
--docker-password [password provided by Anjuna]
If you’d prefer to pull the docker image to your local machine, you must first authenticate your terminal session to Anjuna’s Azure Container Repository. Use the following shell command to do that:
docker login \
--username [username provided by Anjuna] \
--password [password provided by Anjuna] \
4. Deploy Redis Running in the Anjuna Runtime Container
Now that you’ve deployed a Kubernetes cluster and configured an access token, you can deploy Anjuna applications to the cluster. Create a file named "anjuna-redis.yaml" and populate it with the following text:
- name: anjuna-redis
- containerPort: 6379
- name: anjuna-acr-secret
- port: 6379
kubectl to deploy the Redis container to your cluster:
$ kubectl apply -f anjuna-redis.yaml
After a few seconds,
kubectl displays the following messages to let you know the deployment has succeeded:
5. Check the Deployment’s Status
Now you can use
kubectl to check the containers logs. You should see something similar to this:
$ kubectl logs -l app=anjuna-redis --tail=50
[ 1] Anjuna Runtime version heads/master-0-g51583366, Copyright (C) Anjuna Security, Inc. All rights reserved.
[ 1] Enclave initialized:
[ 1] Enclave base address: 0x0000000800000000
[ 1] Enclave size: 1GB
[ 1] Maximum number of threads: 20
[ 1] Enclave attributes: 0x0000000000000004
[ 1] Enclave SSA frame size: 1
[ 1] Enclave MRSIGNER: 32982de78e16455960c4b3df570b9c
[ 1] Enclave MRENCLAVE: a9817bdbcd2aa53290f2925bfd1674
1:C 17 Sep 2020 19:03:12.723 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 17 Sep 2020 19:03:12.723 # Redis version=6.0.8, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 17 Sep 2020 19:03:12.723 # Configuration loaded
1:M 17 Sep 2020 19:03:12.723 * Running mode=standalone, port=6379.
1:M 17 Sep 2020 19:03:12.723 # Server initialized
1:M 17 Sep 2020 19:03:12.723 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create
latency and memory usage issues with Redis. To fix this issue run the command 'echo madvise > /sys/kernel/mm/transparent_
hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be
restarted after THP is disabled (set to 'madvise' or 'never').
1:M 17 Sep 2020 19:03:12.815 * Ready to accept connections
Some of the details may differ from the example here.
6. Start a Redis Client Job
Next, let’s create a client process to store and fetch data in the new Redis instance. Notice that we deployed Redis with kind:
Deployment. A Deployment is a service that is meant to run continuously.
Our client will instead be a simple batch program that just sets a key in Redis and then gets it, and it’s done. The kind: for a process like that, which runs once to completion, is
Put this configuration text into a file named
- name: redis-client
args: ["-c", "redis-cli -h anjuna-redis set test_key FinestHomegrownSecrets && redis-cli -h anjuna-redis get test_key"]
Notice that this
Job is configured to run without the Anjuna runtime. In other words, the container is not configured to require the Anjuna runtime or SGX support. The client process will therefore run in an unprotected container, but it will communicate with a container protected by the Anjuna runtime.
Start the client using the following command:
$ kubectl apply -f redis-client.yaml
7. Review the Client's Logs
As before, you can display the job’s logs using
$ kubectl logs -l app=redis-client
The client has successfully stored the text "FinestHomegrownSecrets" in the Redis instance, then fetched it out again!
8. Clean Up Resources
After your client job is finished, you should tear down the cluster and release its resources. You can find instructions on how to do that in Microsoft’s guide to setting up confidential computing nodes, in the section titled "Clean up resources".
If you have any questions, contact our team for support.
See the power of protection for yourself.
Contact us to get started on an Azure confidential computing project.