Timeline for Can we prevent EC2 instance from accessing the plain text data when using the AWS Nitro Enclave for encryption?
Current License: CC BY-SA 4.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Dec 22, 2021 at 20:25 | comment added | zakzak | | Excellent point. What I meant is that I need to get the data from the client and get it encrypted using an encrypted key generated within the Enclave, and then send the encrypted data to the backend. The idea is that nobody (even the admin or the root of the parent instance) should be able to see the data in plain text. I know that this is possible because EverVault is doing that, but I'm not sure how this is possible. Thank you again for your help; I appreciate your feedback on this. |
| Dec 22, 2021 at 18:54 | comment added | gusto2 | | @zakzak depends... You said you want to process and encrypt data in the enclave instance. In that case data going to the "client app" are encrypted, anonymized or tokenized. The enclave instance adds security, but also complexity and price. Define your threat model and be aware of the risk. E.g. do you really need the enclave? Where do you store/manage the SSL private key? Is the complexity worth the risk? (maybe yes) And accessing the plaintext is not so easy; one needs to be root to tcpdump the traffic. So there are other options to secure an instance. |
| Dec 22, 2021 at 16:50 | comment added | zakzak | | Question please... Anyone who has access to the EC2 parent instance will be able to see the data coming from the client side in plain text, because this is where the TLS connection terminates, correct? |
| Dec 22, 2021 at 16:46 | vote accept | zakzak | | |
| Dec 22, 2021 at 16:46 | comment added | zakzak | | Excellent... Many thanks @gusto2. I'll go through this documentation. |
| Dec 22, 2021 at 13:37 | history answered | gusto2 | CC BY-SA 4.0 | |