Secrets management
You access your secrets by using the attestation document. This lets a server verify the code that is requesting the data before it grants that code access to sensitive data.
The first step is to create an attestation document.
from verifiably import NSM

# Open a session with the NSM driver inside the enclave
nsm_dev = NSM()
# Ask the NSM for an attestation document that carries the enclave's public key
attestation_doc = nsm_dev.get_attestation_doc(public_key=nsm_dev._public_key)

We create an NSM object, which establishes communication with the NSM driver in the enclave. Then we generate an attestation document that includes the public key generated by the NSM object. A server uses this public key to encrypt the data it sends back. In this case, the attestation document signed by the enclave contains the public key.
A server can use the attestation document to verify the code requesting the data. If the verification is successful, the server permits access to sensitive data. In this case, we are asking the server for credentials.
# How this call is made depends on which server you are calling, but in every
# case it must include the attestation document: the server only grants access
# to the data if it can verify you.
server_response = credential_server.get_credentials(attestation_doc)
if not server_response.status:
    raise Exception("Not verified by server")

Now you use the private key of the NSM object to decrypt the credentials and use them for the process that needs them.
# Decrypt the data sent by the server
credentials = nsm_dev.decrypt(server_response.credentials)
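The following is an added, self-contained model of the whole exchange described on this page, written for this edit; it is not the `verifiably` library's code and its names (`SimulatedNSM`, `SimulatedCredentialServer`, `verify_attestation_doc`, `seal_envelope`, `open_envelope`, `run_flow`) are assumptions. It shows what the server side actually has to check before releasing credentials: that the document's signature verifies, that it answers this request's nonce (a server-chosen nonce, which the page's call does not show, is assumed here so replayed documents are rejected), and that the PCR measurements match an approved enclave image. The attestation signature uses an HMAC key as a stand-in for the attestation PKI, and the envelope uses finite-field Diffie-Hellman with HMAC-derived keys as a stand-in for the RSA/AEAD primitives a real deployment would use, so that the example runs with only the Python standard library. All key material, PCR values and credentials are constructed.

```python
# Constructed in-process model of the enclave/server secrets flow (not the verifiably API).
# HMAC stands in for the attestation PKI signature; DH + HMAC stands in for RSA/AEAD.
import hashlib, hmac, json, secrets

# 2048-bit MODP group (RFC 3526 group 14), generator 2, used for the envelope key agreement.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

# Constructed stand-ins: the server's attestation verification key, the PCRs of the one
# approved enclave image, and the secret the server hands out.
ATTESTATION_PKI_KEY = b"constructed-stand-in-for-attestation-pki-key"
EXPECTED_PCRS = {f"PCR{i}": hashlib.sha384(f"approved-image-{i}".encode()).hexdigest() for i in range(3)}
CREDENTIALS = b"constructed-secret: api-token-0123"

def _derive_keys(shared_secret):
    """Split the DH shared secret into separate encryption and MAC keys."""
    ikm = shared_secret.to_bytes(256, "big")
    return hmac.new(ikm, b"enc", hashlib.sha256).digest(), hmac.new(ikm, b"mac", hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a block cipher)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal_envelope(enclave_public_key, plaintext):
    """Server side: encrypt-then-MAC to the public key taken from the verified attestation document."""
    eph = secrets.randbelow(P - 2) + 1
    enc_key, mac_key = _derive_keys(pow(enclave_public_key, eph, P))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"server_public_key": format(pow(G, eph, P), "x"), "nonce": nonce,
            "ciphertext": ct, "tag": hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()}

def open_envelope(shared_secret, env):
    """Enclave side: verify the tag before touching the ciphertext."""
    enc_key, mac_key = _derive_keys(shared_secret)
    tag = hmac.new(mac_key, env["nonce"] + env["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, env["tag"]):
        raise ValueError("envelope tag invalid")
    return bytes(a ^ b for a, b in zip(env["ciphertext"], _keystream(enc_key, env["nonce"], len(env["ciphertext"]))))

class SimulatedNSM:
    """Stands in for the page's NSM object: owns the enclave key pair and signs attestation documents."""
    def __init__(self, pcrs):
        self._private_key = secrets.randbelow(P - 2) + 1
        self.public_key = pow(G, self._private_key, P)
        self._pcrs = pcrs
    def get_attestation_doc(self, public_key, nonce):
        # The server-chosen nonce is assumed here (not in the page's call) so replays can be rejected.
        payload = json.dumps({"pcrs": self._pcrs, "public_key": format(public_key, "x"),
                              "nonce": nonce.hex()}, sort_keys=True).encode()
        return {"payload": payload, "signature": hmac.new(ATTESTATION_PKI_KEY, payload, hashlib.sha256).hexdigest()}
    def decrypt(self, env):
        return open_envelope(pow(int(env["server_public_key"], 16), self._private_key, P), env)

def verify_attestation_doc(doc, expected_nonce, expected_pcrs):
    """Server-side checks: signature, request binding, approved measurements. Returns the attested public key."""
    sig = hmac.new(ATTESTATION_PKI_KEY, doc["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, doc["signature"]):
        raise ValueError("attestation signature invalid")
    payload = json.loads(doc["payload"])
    if payload["nonce"] != expected_nonce.hex():
        raise ValueError("nonce mismatch: document was not produced for this request")
    for name, value in expected_pcrs.items():  # every approved PCR must match exactly
        if payload["pcrs"].get(name) != value:
            raise ValueError(f"{name} does not match an approved enclave image")
    return int(payload["public_key"], 16)

class SimulatedCredentialServer:
    def __init__(self, expected_pcrs, credentials):
        self._expected_pcrs, self._credentials = expected_pcrs, credentials
    def issue_nonce(self):
        self._nonce = secrets.token_bytes(16)  # one fresh nonce per request
        return self._nonce
    def get_credentials(self, attestation_doc):
        try:
            pk = verify_attestation_doc(attestation_doc, self._nonce, self._expected_pcrs)
        except ValueError as err:
            return {"status": False, "error": str(err)}
        return {"status": True, "credentials": seal_envelope(pk, self._credentials)}

def run_flow(enclave_pcrs):
    """Drive the exchange end to end; returns (status, plaintext credentials or error message)."""
    server = SimulatedCredentialServer(EXPECTED_PCRS, CREDENTIALS)
    nsm_dev = SimulatedNSM(enclave_pcrs)
    doc = nsm_dev.get_attestation_doc(nsm_dev.public_key, server.issue_nonce())
    resp = server.get_credentials(doc)
    if not resp["status"]:
        return False, resp["error"]
    return True, nsm_dev.decrypt(resp["credentials"])
```

`run_flow(EXPECTED_PCRS)` returns the decrypted credentials, while `run_flow` with a PCR0 that does not match the approved image is refused before any secret leaves the server. The check order in `verify_attestation_doc` is deliberate: the signature is verified before the payload is parsed, and the nonce is compared before the measurements, so an authentic but replayed document fails closed.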