bastionplatforms/nitriding

Tool kit for building secure, scalable, and networked services on top of AWS Nitro Enclaves.

Nitriding is a Go tool kit (consisting of two services) that helps you run your application inside an AWS Nitro Enclave. Let's assume that you built a web service in Rust. You can now use nitriding to move your Rust code into a Nitro Enclave, which provides two key security properties:

  1. At runtime, Nitro Enclaves are effectively a sealed black box. Nobody can observe your application's state at runtime: not you, not Amnesic Systems, and not even AWS. This makes it possible to process sensitive data without ever seeing the data.
  2. Optionally, using remote attestation, your users can verify (over the Internet) that you run the code you claim to run. This requires that your application is open source.

The diagram below illustrates how nitriding works. Gray components are provided by AWS, blue components are provided by nitriding, the yellow component is provided by you, and the brown component is your user – if you have users. Nitriding helps you run your application (which is bundled as a Docker image) inside a Nitro Enclave while abstracting away the pitfalls of working with enclaves. In particular:

  • Nitriding provides a tun interface inside the enclave, enabling seamless networking for your application. Your application can listen for incoming connections and establish outgoing connections without having to worry about tunneling network traffic over the enclave's VSOCK interface.

  • Nitriding's TCP proxy does not see your network traffic; it blindly forwards end-to-end encrypted packets. If your application speaks HTTPS, nitriding can act as a TLS-terminating HTTP reverse proxy. If your application speaks another protocol, you are responsible for the encryption layer.

  • Nitriding exposes an HTTPS endpoint for remote attestation, allowing your users to verify over the Internet that you run the code you claim to run. You don't have to worry about the nuances of remote attestation.

  • While nitriding is built in Go, it is application-agnostic: as long as you can bundle your application in a Docker image, you can run it using nitriding. You are free to use your favorite tech stack.
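As an added example (not nitriding's own code), the checks a client should apply once it has fetched an attestation document from the enclave's attestation endpoint and verified its COSE signature chain up to the AWS Nitro root. The Attestation and Policy types are assumed, simplified stand-ins for the parsed document, and the measurements and nonce are constructed values.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Attestation is a hypothetical stand-in for the fields a client reads out of a
// Nitro attestation document; the signature check is assumed to have been done.
type Attestation struct {
	PCRs      map[int][]byte // PCR index -> SHA-384 measurement (48 bytes each)
	Nonce     []byte         // nonce the client sent, echoed back by the enclave
	Timestamp time.Time      // when the enclave produced the document
}

// Policy is what the client pins: the measurements of the open-source build it expects.
type Policy struct {
	ExpectedPCRs map[int][]byte
	MaxAge       time.Duration
}

// VerifyAttestation enforces freshness (nonce and age) and measurement pinning.
func VerifyAttestation(doc Attestation, pol Policy, sentNonce []byte, now time.Time) error {
	if len(sentNonce) == 0 || subtle.ConstantTimeCompare(doc.Nonce, sentNonce) != 1 {
		return errors.New("nonce mismatch: document is not a fresh reply to this request")
	}
	if age := now.Sub(doc.Timestamp); age < 0 || age > pol.MaxAge {
		return fmt.Errorf("attestation age %s outside the accepted window of %s", age, pol.MaxAge)
	}
	for idx, want := range pol.ExpectedPCRs {
		got, ok := doc.PCRs[idx]
		if !ok || len(got) != 48 {
			return fmt.Errorf("PCR%d missing or malformed in document", idx)
		}
		if !bytes.Equal(got, want) {
			return fmt.Errorf("PCR%d mismatch: enclave is not running the expected image", idx)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a document whose PCR0 matches the pinned build measurement.
	pcr0 := bytes.Repeat([]byte{0xab}, 48)
	nonce := []byte("constructed-nonce-1234")
	now := time.Now()
	doc := Attestation{PCRs: map[int][]byte{0: pcr0}, Nonce: nonce, Timestamp: now.Add(-30 * time.Second)}
	pol := Policy{ExpectedPCRs: map[int][]byte{0: pcr0}, MaxAge: 5 * time.Minute}
	fmt.Println("verify:", VerifyAttestation(doc, pol, nonce, now))
}
```

The expected PCR values must come from a reproducible build of the open-source image, which is why the README notes that attestation only gives users assurance when the code is public.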

[Diagram: Nitriding architecture]
