Asylo is the new watchman for your data!

Data security is probably the top concern for most organizations worldwide, and knowing Asylo can be part of the answer. Asylo is the Greek word for ‘safe place’. It is an open-source framework for confidential computing. Qwiklabs has brought you a brand new quest, Asylo — Practical Confidential Computing with Enclaves, which gives you hands-on experience with Asylo.

Let us look at one of the most interesting and useful labs in this quest, Using Asylo to Protect Secret Data from an Attacker with Root Privileges. In this lab you build a simple example enclave and use it to encrypt data. Here is an overview of what you will do in this lab.

Here’s a heads-up before we dive into this lab: you will go through a fair amount of theory before you actually get hands-on. The lab gives a detailed overview of the concepts and features of Asylo, and we will look at some of those concepts briefly below.

What is an enclave?

The final step of this lab is encrypting a message with an enclave application. To get there you first need to understand what an enclave is. Let us do that briefly.

Enclaves are an emerging technology for keeping data safe from attackers with root privileges: the code and data inside an enclave are isolated from the host operating system, so even a compromised kernel or a root user cannot read or tamper with them.

The diagram above is only a gist. You can learn about enclaves in depth in the lab, which also has some really interesting references you can follow to read more on and around this topic.

What is Asylo?

Create a VM instance

The first task of the lab is basic: create a VM instance with Machine Type set to Customize and 6 cores. Leave the remaining settings at their defaults and create the instance. It takes some time for the VM to be created.

Build Environment in Docker

In this section you run a few commands to build the environment in Docker. The first command fetches the Dockerfile with curl over HTTPS, and the next one uses sudo to build the Docker image from it.

When you run the third command you will get a warning like the one below.

You can ignore the warning and move on. Once you have the Docker container, you run a command that builds and runs the enclave in simulation mode. This takes around 5 to 10 minutes, which is a good time to read through the rest of the lab. Keep in mind that simulation mode exercises Asylo’s programming model without real enclave hardware, so it gives you none of the isolation from a root-privileged host that the lab’s title promises; that protection only holds when the same enclave code is built for a hardware backend such as Intel SGX.

Overall Approach

This section gives the gist of what you will do in the lab and introduces trusted applications (the code that runs inside the enclave) and untrusted applications (the host-side code that loads the enclave and passes messages to it). Give it a quick read to understand these concepts.

Enclave interaction model

In Asylo, enclaves operate on protocol-buffer messages: every enclave input and output is a protocol buffer, so the data crossing the trust boundary always has a well-defined, serialized shape. Here is a diagram explaining how the enclave interaction model works.

Enclave lifecycle

Entering an enclave is analogous to making a system call: an entry point is a gateway into protected code that has access to the enclave’s resources. The lab shows the code for the three entry points that make up the enclave lifecycle (Initialize, Run and Finalize in Asylo’s TrustedApplication).

Each part of the lifecycle is explained in detail in the lab; go through it to get a fair idea of how enclaves work.

Writing an enclave application

So far we have been working on the untrusted side; now it is time for the code on the trusted side. The lab gives a snippet that defines a class EnclaveDemo, derived from TrustedApplication, which implements the enclave’s secure execution logic in its Run method. Run encrypts the input message and prints the resulting ciphertext.
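The lifecycle entry points and the trusted-side class described above, as an added example that is neither the lab’s nor Asylo’s own code: a plain C++ model in which the `model` namespace stands in for the Asylo types (`asylo::TrustedApplication`, `EnclaveInput`, `EnclaveOutput`, `Status`) so it compiles without the SDK. The method names Initialize, Run and Finalize are the real ones; the XOR transform inside Run is only a placeholder for the real encryption the lab’s enclave performs, and `RunLifecycle` and `RunOutsideLifecycleIsRejected` are hypothetical host-side helpers written for this illustration.

```cpp
// Added example (not the lab's or Asylo's code): a plain C++ model of the
// Asylo enclave lifecycle. Everything in namespace `model` is a stand-in for
// the corresponding asylo:: type so this compiles without the SDK; a real
// enclave includes "asylo/trusted_application.h" and generated .pb.h headers,
// and EnclaveInput/EnclaveOutput are protocol-buffer messages.
#include <algorithm>
#include <cstdint>
#include <random>
#include <string>
#include <vector>

namespace model {
struct Status {  // stand-in for asylo::Status
  bool ok;
  std::string message;
  static Status Ok() { return {true, ""}; }
  static Status Error(const std::string &m) { return {false, m}; }
};
struct EnclaveConfig {};                               // argument of Initialize
struct EnclaveInput { std::string user_message; };     // argument of Run
struct EnclaveOutput { std::string ciphertext_hex; };  // result of Run
struct EnclaveFinal {};                                // argument of Finalize

// The three entry points a host can enter; same names as asylo::TrustedApplication.
class TrustedApplication {
 public:
  virtual ~TrustedApplication() = default;
  virtual Status Initialize(const EnclaveConfig &) { return Status::Ok(); }
  virtual Status Run(const EnclaveInput &, EnclaveOutput *) = 0;
  virtual Status Finalize(const EnclaveFinal &) { return Status::Ok(); }
};
}  // namespace model

// ---- Trusted side: this class runs inside the enclave ----
class EnclaveDemo : public model::TrustedApplication {
 public:
  model::Status Initialize(const model::EnclaveConfig &) override {
    // The key is created inside the enclave and is never placed in an output message.
    std::random_device rd;
    key_.resize(32);
    for (auto &b : key_) b = static_cast<uint8_t>(rd());
    ready_ = true;
    return model::Status::Ok();
  }

  model::Status Run(const model::EnclaveInput &input, model::EnclaveOutput *output) override {
    if (!ready_) return model::Status::Error("Run entered outside the Initialize/Finalize window");
    if (input.user_message.empty()) return model::Status::Error("empty message");
    // PLACEHOLDER transform, not a cipher: the real enclave seals the message
    // with authenticated encryption. It is here only to avoid a crypto dependency.
    static const char *kHex = "0123456789abcdef";
    std::string hex;
    for (size_t i = 0; i < input.user_message.size(); ++i) {
      uint8_t c = static_cast<uint8_t>(input.user_message[i]) ^ key_[i % key_.size()];
      hex.push_back(kHex[c >> 4]);
      hex.push_back(kHex[c & 0x0f]);
    }
    output->ciphertext_hex = hex;  // only the ciphertext crosses back to the host
    return model::Status::Ok();
  }

  model::Status Finalize(const model::EnclaveFinal &) override {
    std::fill(key_.begin(), key_.end(), 0);  // scrub the secret before teardown
    key_.clear();
    ready_ = false;
    return model::Status::Ok();
  }

 private:
  std::vector<uint8_t> key_;
  bool ready_ = false;
};

// ---- Untrusted side: the host sees only the input/output messages ----
struct HostResult {
  bool ok;
  std::string ciphertext_hex;
};

// Hypothetical host driver for one full lifecycle: Initialize -> Run -> Finalize.
HostResult RunLifecycle(const std::string &plaintext) {
  EnclaveDemo enclave;
  model::EnclaveOutput output;
  if (!enclave.Initialize(model::EnclaveConfig{}).ok) return {false, ""};
  model::Status s = enclave.Run(model::EnclaveInput{plaintext}, &output);
  enclave.Finalize(model::EnclaveFinal{});
  return {s.ok, output.ciphertext_hex};
}

// Entering the enclave before Initialize or after Finalize must be refused.
bool RunOutsideLifecycleIsRejected() {
  EnclaveDemo enclave;
  model::EnclaveOutput output;
  bool before = !enclave.Run(model::EnclaveInput{"x"}, &output).ok;
  enclave.Initialize(model::EnclaveConfig{});
  enclave.Finalize(model::EnclaveFinal{});
  bool after = !enclave.Run(model::EnclaveInput{"x"}, &output).ok;
  return before && after;
}

int main() {
  HostResult r = RunLifecycle("Asylo Rocks!");
  return r.ok ? 0 : 1;
}
```

The point to take from the model is structural, not cryptographic: the host never touches `key_`, it only builds an input message, enters one of the three entry points, and reads the output message back; in a real Asylo build those messages are serialized protocol buffers and the isolation of `key_` is enforced by the enclave hardware rather than by C++ access control.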

Building and running an enclave application

In this last section you learn how to build and run the enclave application by analyzing the Bazel BUILD file given in the lab. The process is explained in detail. Going through this final section is important, as it fulfills the objective of the lab.

Having gone through the last section, you have seen how an enclave keeps a secret out of reach of an attacker who controls the host. We hope you took something away from this informative lab. Grab some credits to complete this lab here. Enter the code 1q-asylo-516 and get started with your quest!