Data persistence with Intel SGX on Azure

Bruno Neves 20 Reputation points
2023-07-14T12:10:10.6533333+00:00

We are developing a product built on top of Intel SGX hosted on Azure, and we are facing some challenges when it comes to data persistence. We have two requirements:

  1. The ability to store a persistent secret key, between restarts
  2. The ability to share this key with other enclaves (provided these are signed by the same entity, aka Applied Blockchain), we'll refer to this as forward key sharing.

Our infrastructure is deployed and managed on Kubernetes on Azure, and as such the concern over network destruction poses a great concern. We've implemented an in-house solution to the persistence problem, wherein all enclaves can provision each other assuming they have the same MRENCLAVE, removing the single point of failure. Forward key sharing is harder to achieve due to microcode updates that prevent the enclave from "recognizing" a newer enclave. Before we dive deeper, we would like to know if Azure has any solutions for persisting data between microcode updates to Intel TEEs.

Azure Virtual Machines

2 answers

Sort by: Most helpful
  1. deherman-MSFT 37,851 Reputation points Microsoft Employee
    2023-07-19T21:45:34.52+00:00

    @Bruno Neves

    I spoke to our service team and received this response. Intel(R) SGX Technology does support preserving SGX sealed data across a microcode update and enclave restart if the SGX enclave is restarted on the exact same SGX CPU. But in a cloud environment such as Azure, the SGX enclave cannot be guaranteed to restart on the same CPU during the microcode update rollout process that requires a system reboot. Azure does not provide a native solution to preserve SGX enclave data across microcode updates.

    Hope this helps. Happy to answer any follow-up questions you may have.


    If you still have questions, please let us know in the "comments" and we would be happy to help you. Comment is the fastest way of notifying the experts.

    If the answer has been helpful, we appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

    Thank you for helping to improve Microsoft Q&A!


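To make the behaviour described in the question and in this answer concrete, here is a small Python model of how an SGX seal key is derived (added as an illustration for this thread; it is not SGX SDK code, not Azure code, and calls no real SGX API). It mirrors the rules of the EGETKEY instruction in simplified form: the key mixes a per-CPU secret, the identity selected by the sealing policy (MRENCLAVE, which the question relies on, or MRSIGNER, the standard policy for sharing sealed data between enclaves from the same signing entity), and the ISVSVN/CPUSVN recorded at sealing time. A running enclave may re-derive keys for its own or older SVNs but never newer ones. The constructed scenarios reproduce the thread's points: a rebuilt enclave cannot open MRENCLAVE-sealed data but can open MRSIGNER-sealed data, an older enclave version cannot open data sealed by a newer one, the same CPU still unseals after its microcode (CPUSVN) is updated, and a different CPU never can. Real CPUSVN is a 16-byte value and real sealing uses AES-GCM; the integer SVNs, the toy stream cipher and all names here are simplifications for the model.

```python
"""
Simplified model of Intel SGX sealing-key derivation (EGETKEY), added as an
illustration for this thread; not SGX SDK code and no real SGX API is called.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MRENCLAVE_POLICY = "MRENCLAVE"   # key bound to the exact enclave measurement
MRSIGNER_POLICY = "MRSIGNER"     # key bound to the signing identity (vendor)


@dataclass(frozen=True)
class Enclave:
    mrenclave: bytes  # measurement of enclave code and data; changes on every rebuild
    mrsigner: bytes   # hash of the vendor signing key; shared by that vendor's enclaves
    isvsvn: int       # enclave security version, bumped by the vendor on security fixes
    cpusvn: int       # platform (microcode) security version the enclave runs on (model: int)


def derive_seal_key(cpu_root_secret, enclave, policy, req_isvsvn, req_cpusvn):
    """Derive a seal key the way EGETKEY does, in simplified form.
    A CPU-unique secret is mixed in, so a blob never unseals on another CPU.
    Keys may be requested for the enclave's own SVNs or older ones, never newer:
    that is what stops downgraded code from unsealing newer blobs.
    """
    if req_isvsvn > enclave.isvsvn:
        raise PermissionError("requested ISVSVN is newer than the running enclave")
    if req_cpusvn > enclave.cpusvn:
        raise PermissionError("requested CPUSVN is newer than the running platform")
    identity = enclave.mrenclave if policy == MRENCLAVE_POLICY else enclave.mrsigner
    material = b"|".join([policy.encode(), identity,
                          req_isvsvn.to_bytes(2, "big"), req_cpusvn.to_bytes(2, "big")])
    return hmac.new(cpu_root_secret, material, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # Toy stream cipher for the model only: SHA-256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(cpu_root_secret, enclave, policy, secret):
    """Seal `secret`; the blob records the SVNs needed to re-derive the key later."""
    nonce = os.urandom(16)
    key = derive_seal_key(cpu_root_secret, enclave, policy, enclave.isvsvn, enclave.cpusvn)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"policy": policy, "isvsvn": enclave.isvsvn, "cpusvn": enclave.cpusvn,
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unseal(cpu_root_secret, enclave, blob):
    """Return the secret, or None if this enclave on this CPU cannot derive the key."""
    try:
        key = derive_seal_key(cpu_root_secret, enclave, blob["policy"],
                              blob["isvsvn"], blob["cpusvn"])
    except PermissionError:
        return None
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # different CPU or different identity: key differs, tag fails
    stream = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def run_scenarios():
    """Walk through the situations discussed in the thread; returns which ones unseal."""
    cpu_a, cpu_b = os.urandom(32), os.urandom(32)  # constructed per-CPU root secrets
    signer = hashlib.sha256(b"vendor signing key").digest()  # constructed MRSIGNER
    v1 = Enclave(hashlib.sha256(b"build v1").digest(), signer, isvsvn=1, cpusvn=5)
    v2 = Enclave(hashlib.sha256(b"build v2").digest(), signer, isvsvn=2, cpusvn=5)
    v1_after_ucode = Enclave(v1.mrenclave, signer, 1, cpusvn=6)  # same code, patched host
    secret = b"persistent enclave secret"

    by_enclave = seal(cpu_a, v1, MRENCLAVE_POLICY, secret)
    by_signer_v1 = seal(cpu_a, v1, MRSIGNER_POLICY, secret)
    by_signer_v2 = seal(cpu_a, v2, MRSIGNER_POLICY, secret)
    return {
        "same enclave, same cpu (MRENCLAVE)": unseal(cpu_a, v1, by_enclave) == secret,
        "rebuilt enclave, same cpu (MRENCLAVE)": unseal(cpu_a, v2, by_enclave) == secret,
        "rebuilt enclave, same cpu (MRSIGNER)": unseal(cpu_a, v2, by_signer_v1) == secret,
        "older enclave reads newer blob (MRSIGNER)": unseal(cpu_a, v1, by_signer_v2) == secret,
        "same cpu after microcode update (MRSIGNER)": unseal(cpu_a, v1_after_ucode, by_signer_v1) == secret,
        "same enclave, different cpu (MRSIGNER)": unseal(cpu_b, v1, by_signer_v1) == secret,
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{'unseals' if ok else 'FAILS':>8}  {scenario}")
```

The last scenario is the one this answer is about: because the CPU secret is part of the key, sealed data is only as persistent as the host it was sealed on, so in a cloud deployment the durable copy of a secret has to be re-provisioned into each enclave over an attested channel (as the in-house solution in the question does) rather than recovered from a sealed blob. MRSIGNER sealing addresses the forward key sharing requirement within one host, since a newer enclave from the same signer can unseal what an older one sealed, while the ISVSVN check still keeps a rolled-back enclave from reading newer blobs.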

  2. Bruno Neves 20 Reputation points
    2023-07-21T12:37:51.9333333+00:00

    @deherman-MSFT Thank you for your response, very clear. Is there a recommended solution we could implement to persist data with SGX in the cloud? We have some ideas internally but would like to understand if there is a standard approach.

    Thanks

    Bruno Neves

