SVSM-KMS: Safeguarding Keys for Cloud Services with Encrypted Virtualization

EasyChair Preprint 13813
18 pages
Date: July 3, 2024

Abstract

In recent years, numerous data breaches have resulted from the inadvertent or intentional disclosure of cryptographic keys. To address this issue, this paper proposes SVSM-KMS, which uses AMD's latest Encrypted Virtualization technology (AMD SEV-SNP) to deliver an efficient, seamlessly integrated secure key management service. We realized a multilayered defense by integrating our mechanism within a privileged layer of a confidential virtual machine (CVM), thereby minimizing the trusted computing base (TCB) to prevent key leakage from compromised CVMs. Notably, we have incorporated a zero-copy mechanism between the most privileged service module and the least privileged user applications, eliminating redundant data copies. To facilitate seamless integration, we propose a proxy server for existing cloud services. A prototype of SVSM-KMS has been developed based on the latest AMD SEV-SNP hardware platform. Evaluation results indicate that the performance of the Encrypted Virtualization-enabled SVSM-KMS is on par with Hadoop KMS, highlighting the practicality of our system.

Keyphrases: Confidential Computing, Encrypted Virtualization, Key Management Systems, Secure Virtual-Machine Service Module, Trusted Execution Environment