km-store

kmStore provides implementation for KeyManager interface. It requires running host with appHSM server from KMRA project: https://01.org/key-management-reference-application-kmra The server provides REST API management interface secured with mutual TLS. The secure connection requires CA and SSL certificates to be available for kmStore.

The client certificate and key can be obtained from host running appHSM service. By default, they are located in /opt/intel/ca directory. They can be copied using ssh access (e.g. scp). Please ask host admin for access or KMRA team to provide the files.

Copy the key and certificate to the host with sgx attestation controller. The below target location of files is an example.

kmra_host:/opt/intel/ca/ctk_loadkey.key -> /ca/ctk_loadkey.key kmra_host:/opt/intel/ca/ctk_loadkey.crt -> /ca/ctk_loadkey.crt kmra_host:/opt/intel/ca/ca.crt -> /ca/ca.crt

Use the correct data to create and configure kmStore instance.

config := &kmstore.Config{ ClientCert: "/ca/ctk_loadkey.crt", ClientKey: "/ca/ctk_loadkey.key", CaCert: "/ca/ca.crt", KMHost: "kmra_host:5000", } kmra := kmstore.NewKmStore(config)

NOTE: The minimum required version of appHSM REST API is 0.2. It is verified during initialization of kmStore instance.