Skip to content

Making confidential compute docker, docker swarm and kubernetes management simple

License

Notifications You must be signed in to change notification settings

enclaive/portainerCC

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Portainer.cc - Building and Deploying Runtime Encrypted Workloads leveraging Confidential Compute

Table of Contents

About The Project

In view of the ever increasing shift of applications to the cloud, new mechanisms need to be developed to protect the workload. In contrast to on-prem, physical resources are no more isolated in the cloud. Rather virtual machines, kubernetes clusters and serverless functions, share physical resources. Moreover, the resources are maintained by a third party known as the cloud provider who has root access to the resources. For decades it is well known that the application isolation provided by hypervisors and operating systems is weak. A vast amount of exploits have been demonstrated how to escapte the present security and trust model.

Confidential Computing, for short CC, is a new, promising technology addressing the problem. CC makes it for the very first time practically possible to encrypt data during runtime in such a way that only the CPU has access to it. This makes it possible to protect application code and data in the light of vertical and horizontal exploits.

Portainer.cc is a project extending the promiment community tool Portainer.io with confidential computing capabilities. to make it easy to run application-containers confidentially in the cloud. PortainerCC builds upon Gramine OS and Marblerun to run and remotely attest containerized Gramine-applications.

Features (v.0.1.0-beta)

Portainer.cc offers these features:

  • Build and deploy any application in an Intel SGX enclave supporting Gramine libOS Gramine
  • Key managmement for container authentication and file/volume encryption
  • Authenticated container provisioning of secrets, environment variables, files and keys supporting Marblerun
  • Example template to build, deploy and securely provision MariaDB

Getting Started

Prerequisites

For Portainer.cc to work, you need to make sure that all environments you want to use are Intel SGX compatible and can use Intel SGX Datacenter Attestation Primitives for Remote Attestation and meet these requirements:

Install Portainer.cc

To install Portainer.cc, run the following command:

docker run -d -p 8000:8000 -p 9500:9500 -p 9443:9443 \
-v /var/run/docker.sock:/var/run/docker.sock:z \
-v /var/run/docker.sock:/var/run/alternative.sock:z \
-v /tmp:/tmp \
-v pccdata:/data \
--name portainerCC \
marcely0/pcc

The Portainer.cc Image comes with some predefined confidential templates. You can mount your own templates with the following parameter when you start your Container:

-v ./temps.json:/confidential-templates.json 

How-Tos

You can check out some of the How-Tos:

Step by Step guide to set up PortainerCC with an PortainerCC Agent

Create a confidential Application for Portainer.cc

Remote Attestation and Secret Provisioning

Deprecated - Step by Step guide to run MariaDB in PortainerCC

Licence

Distributed under the zlib licence. See LICENCE for reference.