Issue with Wrap Key Not Being Recognized in Encrypted Mount

[n7koirala]

Hello,

I am attempting to perform a set intersection in Gramine (on Intel SGX) between a receiver query file and multiple sender database files. Both the receiver query file and the sender datasets consist of plain-text (.txt) files containing 32-bit integers. Following the recommended approach, I generated a wrapped key via gramine-sgx-pf-crypt gen-key and used that same key to encrypt both the query file and the backend dataset files.

However, when I run the application, Gramine appears unable to load the wrapped key from my manifest configuration. As a result, the program fails to open the encrypted receiver file. Below is the relevant debug output and error:

(libos_fs_encrypted.c:206:encrypted_file_internal_open) [P1:T1:ReceiverSender] warning: key 'wrap_key' is not set Error opening receiver file: /enc_receiver_query/receiver_set.txt

Any guidance on resolving this key recognition issue would be greatly appreciated. Thank you in advance.

[monavij]

Can you share how you are specifying wrapped key in your manifest? Are you using fs.insecure__keys.[KEY_NAME] ? Also look at pytorch tutorial for securely provisioning the key after remote attestation.

[n7koirala]

Thank you for the reply. I am declaring the wrapped key in the fs.mounts in the manifest file:
fs.mounts = [ { type = "encrypted", path = "/enc_receiver_query", uri = "file:enc_receiver_query", key_name = "wrap_key" }, { type = "encrypted", path = "/enc_sender_db", uri = "file:enc_sender_db", key_name = "wrap_key" } ]

The wrap_key is generated inside the root folder. I tried using the fs.insecure__keys.[KEY_NAME] to point it to the encryption key, but it only takes in HEX values, and I was not able to generate the HEX values from the wrapped key. I am confused about how to make Gramine look for the generated wrapped key that I used to encrypt the data.

I looked into the pytorch tutorial that you mentioned. However, I am not able to set up remote attestation on my machine. Is remote attestation required to use the encrypted feature in Gramine? Would it be possible to hard-code the encryption keys only for developmental purposes?

[mkow]

If you want this to be a real setup, then you need to provision the key to the enclave from a trusted server, after a successful attestation of the enclave. Otherwise you'll just ship the decryption key together with the encrypted data, which makes the encryption useless.

fs.insecure__keys.[KEY_NAME] takes the key inline in the manifest and is viable only for testing, it effectively strips the whole protection from the files.

See https://gramine.readthedocs.io/en/stable/attestation.html.

[n7koirala]

Ah, I see! In my setup then, encryption of the backend datasets without using the attestation service would not be useful. Thanks for the clarification.

On another note, I am still not able to usefs.insecure__keys.[KEY_NAME] in the manifest for testing. wrap_key is located in the root folder. I am not able to set the wrap key, as it requires a HEX input.
This is my manifest file:

fs.mounts = [
  { type = "encrypted", path = "/enc_receiver_query",  uri  = "file:enc_receiver_query", key_name = "wrap_key" },
  { type = "encrypted", path = "/enc_sender_db",  uri  = "file:enc_sender_db", key_name = "wrap_key" },
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "/ReceiverSender", uri = "file:build/ReceiverSender" },
  { path = "/usr/lib/x86_64-linux-gnu", uri = "file:/usr/lib/x86_64-linux-gnu" }
]

# Provide the wrap key file in the manifest
# For DEVELOPMENT ONLY:
fs.insecure__keys.wrap = "wrap_key"

[n7koirala]

@kailun-qin, I used this cmd to generate the wrap_key: gramine-sgx-pf-crypt gen-key --wrap-key wrap_key. I can see the HEX values in the wrap key using the cmd you mentioned. However, when I set the generated hex values in fs.insecure__keys.wrap , I still see the same error in debug mode : warning: key 'my_wrap_keyfile' is not set.

[kailun-qin]

However, when I set the generated hex values in fs.insecure__keys.wrap , I still see the same error in debug mode : warning: key 'my_wrap_keyfile' is not set.

Sorry, I didn't quite get it. What is the key_name you specified for the encrypted file? Is it wrap or my_wrap_keyfile?

[n7koirala]

The key_name I'm using is wrap_key. I was trying to use a different name called my_wrap_keyfile to check if I could see any different kind of error.

[kailun-qin]

The key_name I'm using is wrap_key.

Thanks. Then I think you should specify sth. like:

fs.mounts = [
  { type = "encrypted", path = ...,  uri  = ..., key_name = "wrap_key" },
  ...
]

-fs.insecure__keys.wrap = "[32-character hex value]"
+fs.insecure__keys.wrap_key = "[32-character hex value]"

Did ^ still generate the same "key not set" error for you?

[n7koirala]

Sorry for the late reply. That actually solved my issue, and the files are being decrypted correctly inside the enclave now. Thank you!