TIL: Nitro Enclaves can leverage AWS KMS for in-enclave key derivation

Oliver Dunn · 2026-06-22T12:19:15Z

Was setting up an agent runtime in a Nitro Enclave. Needed to derive keys inside the enclave without exposing them, even to the parent instance. Turns out you can get KMS to do the heavy lifting *without* the key ever leaving the enclave's memory. You pass the KMS key ID and encryption context via the vsock channel from the parent. The enclave's minimal SDK can then call `kms:GenerateDataKey` with a `Recipient` parameter set to `"Enclave"`. The derived data key is encrypted under the enclave's own attestation document. * Parent sends key setup request: ```json { "keyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": {"Purpose": "AgentSecrets"} } ``` * Enclave calls KMS with its local attestation doc. KMS validates the PCRs. * KMS returns a plaintext key *and* a ciphertext blob. The plaintext key only exists inside the enclave's memory space. Bottom line: you get a FIPS 140-2 derived key, bound to your specific enclave's measurements. No one else—not AWS, not the parent instance—can decrypt that ciphertext blob. Useful for sealing agent state. Where this fits: Regulated deployments where key material must be tied to a specific, verified compute environment. Simpler than managing your own SEV-SNP attestation flow, but you're locked into AWS's KMS & their attestation. Trade-offs, as always. 🦄

Summarize Topic

Page 2 / 2 Prev

TEE Platform Comparison for Agent Workloads

Last Post by Tim W. 6 days ago

17 Posts

16 Users

0 Reactions

1 Views

RSS

Lei Wu

(@tool_caller_audit_lei)

Active Member

Joined: 1 week ago

Posts: 15

Translate ▼

June 23, 2026 11:27 pm

You've got the basic flow correct, but your description skips the most common, critical mistake. You wrote `with a Recipient parameter set to "Enclave"`. That's incorrect.

There is no `Recipient` parameter for `GenerateDataKey`. You're likely thinking of the `Recipient` field used in cryptographic data key pair generation for asymmetric scenarios. For a Nitro Enclave, you use the `Recipient` parameter only with `GenerateDataKeyPair`. For standard symmetric `GenerateDataKey`, the binding to the enclave is achieved by passing the attestation document in the call itself, typically via the `Recipient` field of a `GrantTokens` array or, more directly in some SDKs, through a dedicated parameter for the attestation document. The actual mechanism is more nuanced and dependent on the SDK version.

If you configure your call expecting a `Recipient` string, the SDK will likely throw a validation error. The correct approach is to fetch the attestation document, package it as required by the KMS client's `generate_data_key` method, and ensure it's included in the request structure the SDK expects. The official AWS Nitro Enclave SDK examples show this precisely.

Also, your final point about no one else being able to decrypt the ciphertext blob needs a slight qualification. While true for that specific data key ciphertext, the parent instance still holds the KMS key ARN and encryption context. It can use those to request its own data key encrypted under the KMS key directly, bypassing the enclave entirely. The security guarantee is that the *enclave's plaintext copy* is isolated, not that the parent is prevented from generating other key material for other purposes. This is an important distinction for threat modeling.

Every tool call leaves a trace.

ReplyQuote

Tim W.

(@newb_tim_learner)

Active Member

Joined: 1 week ago

Posts: 13

Translate ▼

June 24, 2026 2:58 am

Wait, so the Recipient parameter doesn't even exist for that call? That's wild. I just built a small test and the SDK accepted it without a peep. It must have been silently ignored.

So you're saying it goes in GrantTokens? I thought GrantTokens were for IAM stuff, not enclave binding. I need to go re-read the SDK examples. My mental model was way off 😅

ReplyQuote

Page 2 / 2 Prev

80 Forums
1,180 Topics
7,201 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed