Key Management System

Users grant the Credora system access to encrypted data by providing venue credentials directly to Credora’s secure Key Management System (KMS). The Credora KMS leverages a HashiCorp Vault instance wrapped inside Gramine-SGX. Encrypted read-only API keys are submitted to the enclave over a secure, SGX-terminated TLS channel. Decryption happens only within the hardware-isolated region of the enclave memory, using TLS certificates that are exclusively accessible to the TEE. Upon termination, the API keys are re-encrypted using the SGX hardware seal key and stored for persistence in an Intel Protected Filesystem database. As a result, only the enclave can decrypt and read sensitive user data. The KMS exposes only two kinds of interface: one to receive API keys from clients, and one to provide them to internal enclave calculation units where private computations run. All interfaces use attested, secure, SGX-terminated TLS channels.

The Credora KMS-Vault solution provides the following features:

  1. Secret Management: Generate, manage, and securely store secrets. It can handle a wide range of secret types, including API keys, passwords, and certificates.

  2. Dynamic Secrets: Generate secrets on-demand for specific timespans. This means secrets can be automatically revoked after a set period, enhancing security.

  3. HW-Sealed Secret Storage: At its core, the KMS-Vault uses the SGX protected file system to store data.

  4. Identity-Based Access: It uses multiple authentication methods to verify the identity of clients before granting access to secrets.
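To make the hardware-sealed storage in item 3 concrete, the following Gramine manifest fragment is an added illustration, not Credora's actual configuration. It shows how a Vault storage directory can be mounted as an encrypted filesystem keyed by the SGX seal key, with the development-only weak setting beside it; the path `/vault/data` and the key name `vault_dev` are assumptions.

```toml
# Added illustration: the paths and the key name "vault_dev" are hypothetical
# and do not come from Credora's deployment.

# Attestation scheme backing the enclave's attested TLS endpoints.
sgx.remote_attestation = "dcap"

# A production enclave must not be a debug enclave: the host can read and
# write the memory of a debug enclave, which defeats the isolation that the
# sealed storage relies on.
sgx.debug = false

fs.mounts = [
  # Directory used by Vault's storage backend. Gramine transparently encrypts
  # and integrity-protects every file under it.
  #
  # key_name = "_sgx_mrenclave" derives the key from the CPU's seal key and
  # the enclave measurement, so only this exact enclave build on this CPU can
  # read the data. An enclave upgrade changes the measurement and therefore
  # the key; "_sgx_mrsigner" binds to the signing identity instead, which
  # lets a newer build from the same signer read existing data.
  { type = "encrypted", path = "/vault/data", uri = "file:/vault/data", key_name = "_sgx_mrenclave" },
]

# Weak variant, shown for comparison (development only). The key is written
# in the manifest, so anyone who can read the manifest can decrypt the
# storage directory outside the enclave:
#
# fs.mounts = [
#   { type = "encrypted", path = "/vault/data", uri = "file:/vault/data", key_name = "vault_dev" },
# ]
# fs.insecure__keys.vault_dev = "00112233445566778899aabbccddeeff"
```

When reviewing a deployment of this kind, check that no `fs.insecure__keys` entry is present in the signed manifest and that the storage path Vault writes to actually falls under the encrypted mount.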
