Send encrypted data
Cosmian generates the enclave’s identity asynchronously, you need to wait the end of the generation which takes approximately one minute. This is done after all the participants send their public keys and the code provider sent the Python code.
# send_data.py from pathlib import Path from cosmian_secure_computation_client import DataProviderAPI # load the previous CryptoContext created at the registration step dp_crypto_ctx = CryptoContext.from_json(Path("dp_crypto_ctx.json").read_text(encoding="utf-8")) data_provider = DataProviderAPI(token=cosmian_token, ctx=dp_crypto_ctx) computation_uuid = "xxxxxxxxxxxxxxxxxxxxxx" enclave_public_key: bytes = data_provider.wait_for_enclave_identity(computation_uuid)
The enclave’s identity can be checked from the following elements:
- Intel SGX quote generated by the enclave to attest the code is running in an Intel SGX enclave (can be checked with Azure remote attestation or Intel remote attestation service), it includes:
- MRENCLAVE, a SHA-256 digest of the whole program loaded in memory
- MRSIGNER, a SHA-256 digest of Cosmian’s RSA public key which signs the enclave
- Enclave’s public key (SHA-256 digest can be found in the report data field of the quote)
- TOML manifest with the hash of all the files loaded in the enclave, including:
- serialized trusted args of the code which contains a list of participant’s public keys
- hash digest of the entrypoint
Everything should be verified to trust that Cosmian is running the computation inside an Intel SGX enclave:
- Audit source code of
cosmian_lib_sgxto see how enclave’s public key is included in the SGX quote. We generate a random key pair whose seed is specific to MRENCLAVE (Seal Key with Intel SGX instruction EGETKEY based on MRENCLAVE). If the Python code or any participant’s key changes, MRENCLAVE will also be modified
- Re-compute MRSIGNER with Cosmian’s RSA public key
- And finally you can re-compute MRENCLAVE with the same docker used in the execution (will be available soon) thanks to manifest and the Python code of the code provider
Before sending your code to the enclave, you need to fetch back the keys generated during the first step. The page Registration explains how to save and load these keys.
Then, send your encrypted data specifying the different file paths. You can call this function multiple times to send more files, or send multiple files at once with a list, for example
[path1, path2, path3].
When you’re done, notify the server by calling
Finally, send your symmetric key sealed for the enclave’s public key: