Protect the result
In previous tutorials, we saw how to build Confidential Computing applications that run securely inside enclaves and how to combine them with confidential assets to get the most out of confidential computing. In this chapter, we go one step further and protect the workflow end to end: the result itself is encrypted, so that only its beneficiary can read it.
Prerequisites:
You don't need to change your application's code or redeploy it to add this feature.
Assuming your application is deployed (if not, please check how to do it with Scone or with Gramine), before triggering an execution you need to generate an RSA key pair and push the public key to the Secret Management Service (SMS). At runtime, the SMS provides that public key to the enclave running your Confidential Computing application. Only the public key is shared; the private key stays with you, since it is the only thing that can decrypt the result.
To generate the key pair, go to ~/iexec-projects and use the following SDK command:

iexec result generate-encryption-keypair

Depending on the TEE framework you are using, make sure your chain.json content is correct.
This generates two files in .secrets/beneficiary/. Make sure to back up the private key, the file <0x-your-wallet-address>_key: without it, results encrypted for you cannot be decrypted.

.secrets
├── beneficiary
│   ├── <0x-your-wallet-address>_key
│   └── <0x-your-wallet-address>_key.pub
...
Now, push the public key to the SMS of the TEE framework your application uses:

Scone:
iexec result push-encryption-key --tee-framework scone

Gramine:
iexec result push-encryption-key --tee-framework gramine

And check it using:

Scone:
iexec result check-encryption-key --tee-framework scone

Gramine:
iexec result check-encryption-key --tee-framework gramine
Now, to see it in action, trigger a task and request result encryption with --encrypt-result; the wallet sending the command is the beneficiary, so the public key you just pushed is the one used:

Scone:
iexec app run <0x-your-app-address> \
--workerpool debug-v8-bellecour.main.pools.iexec.eth \
--tag tee,scone \
--encrypt-result \
--watch

Gramine:
iexec app run <0x-your-app-address> \
--workerpool debug-v8-bellecour.main.pools.iexec.eth \
--tag tee,gramine \
--encrypt-result \
--watch
Wait for the task to be COMPLETED and download the result:

iexec task show <0x-your-task-id> --download
If you extract the downloaded zip and try to read the file iexec_out/result.zip.aes, you will find it encrypted:

mkdir /tmp/trash && \
unzip <0x-your-task-id>.zip -d /tmp/trash && \
cat /tmp/trash/iexec_out/result.zip.aes

The output is ciphertext rather than a readable archive, for example (truncated):

iexec:out/result.zip
)3�Xq��Yv��ȿzE�fRu<\
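To make the role of the two files in .secrets/beneficiary/ concrete, here is the hybrid pattern that an encrypted result relies on, reproduced locally with openssl. This is an added example and not the iExec SDK's or worker's own code: it assumes (without claiming this is iExec's exact format) that the result is encrypted with a fresh random AES-256-CBC key and that this key is wrapped with the beneficiary's RSA public key using OAEP. The key file names, the IV file and the result file are constructed for the demo. It also shows two checks worth running before pushing a key: that the .pub really derives from the private key you are backing up, and that the ciphertext does not contain the plaintext.

```shell
#!/bin/sh
# Added example, not iExec's code. Assumed scheme: random AES-256-CBC key for
# the result, wrapped with the beneficiary's RSA public key (OAEP). Names are
# illustrative and stand in for .secrets/beneficiary/<addr>_key(.pub).
set -eu

WORK="$(mktemp -d)"
PRIV="$WORK/beneficiary_key"        # stands in for <0x-your-wallet-address>_key
PUB="$WORK/beneficiary_key.pub"     # stands in for <0x-your-wallet-address>_key.pub

# Beneficiary side: RSA key pair (what `iexec result generate-encryption-keypair` gives you)
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null
  chmod 600 "$PRIV"                                   # private key is for your eyes only
  openssl pkey -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# Check before pushing: the .pub you push must derive from the private key you back up
pubkey_matches_private() {
  [ "$(openssl pkey -in "$PRIV" -pubout 2>/dev/null)" = "$(cat "$PUB")" ]
}

# Enclave side: only the public key is available here. $1 = plaintext result file
encrypt_result() {
  KEY_HEX="$(openssl rand -hex 32)"                   # fresh 256-bit key per result
  openssl rand -hex 16 > "$WORK/iv.hex"               # IV is not secret, kept beside the ciphertext
  openssl enc -aes-256-cbc -K "$KEY_HEX" -iv "$(cat "$WORK/iv.hex")" \
    -in "$1" -out "$WORK/result.zip.aes"
  # wrap the symmetric key with the beneficiary's public key; the plaintext key is discarded
  printf '%s' "$KEY_HEX" | openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/aes.key.rsa"
  unset KEY_HEX
}

# Beneficiary side: only the holder of the private key can unwrap the AES key. $1 = output file
decrypt_result() {
  KEY_HEX="$(openssl pkeyutl -decrypt -inkey "$PRIV" -pkeyopt rsa_padding_mode:oaep \
    -in "$WORK/aes.key.rsa")"
  openssl enc -d -aes-256-cbc -K "$KEY_HEX" -iv "$(cat "$WORK/iv.hex")" \
    -in "$WORK/result.zip.aes" -out "$1"
}

# Returns 0 when the ciphertext does not contain the given plaintext string
ciphertext_hides() {
  ! grep -q -- "$1" "$WORK/result.zip.aes"
}

# Returns 0 when the decrypted file equals the original
roundtrip_ok() {
  [ "$(cat "$WORK/result.zip")" = "$(cat "$WORK/result.decrypted")" ]
}

# Stand-alone demo with a constructed result file
printf 'constructed result produced inside the enclave\n' > "$WORK/result.zip"
gen_keypair
pubkey_matches_private && echo "public key matches the private key"
encrypt_result "$WORK/result.zip"
ciphertext_hides "constructed result" && echo "result.zip.aes is unreadable without the key"
decrypt_result "$WORK/result.decrypted"
roundtrip_ok && echo "decrypted result matches the original"
```

The point to take from the demo is the asymmetry: the enclave only ever sees the public key, so anyone (including the worker host) who obtains result.zip.aes and the wrapped key still cannot read the result, while losing the private key makes the result unrecoverable for you as well, which is why the backup step above matters.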