Nitro Enclave Overview

Containment Chamber can run inside an AWS Nitro Enclave — an isolated compute environment with hardware-enforced memory encryption. When running in enclave mode, validator BLS private keys only exist decrypted inside the enclave’s protected memory. Even a fully compromised EC2 instance cannot access them.

Security Model

The enclave security model rests on three pillars:

1. Memory isolation — The Nitro hypervisor encrypts enclave memory with a key that never leaves the hardware. The parent EC2 instance, AWS operators, and anyone with physical access to the machine cannot read enclave memory.

2. Attestation — The Nitro Security Module (NSM) produces signed attestation documents proving: “This enclave is running this exact binary, with these PCR measurements.” KMS validates these documents before releasing key material.

3. Reproducible builds — Anyone can rebuild the enclave binary from source and verify the PCR0 hash matches the published release. This makes the attestation independently verifiable.

Architecture

What the Enclave Protects

Threat	Without Enclave	With Enclave
Compromised EC2 instance	❌ Attacker reads key material from memory	✅ Enclave memory is hardware-encrypted
Compromised KMS credentials	❌ Attacker calls KMS directly	✅ KMS requires valid NSM attestation
Malicious enclave binary	❌ No verification	✅ PCR0 hash must match expected value
Compromised signing certificate	❌ Attacker signs malicious binary	✅ PCR0 still blocks wrong binary

The Unverifiable Link

Caution

Every cloud TEE has an unverifiable link. For Nitro Enclaves, it is the NSM firmware and the EIF measurement pipeline — both are proprietary and closed-source. You trust AWS to correctly measure your enclave and generate honest attestation documents.

This is inherent to all cloud TEEs. No platform provides full source-to-measurement verifiability.

PCR Values

Nitro Enclaves use Platform Configuration Registers (PCRs) to record measurements:

PCR	What It Measures	Changes When
PCR0	Hash of the entire EIF binary	Every rebuild
PCR8	Hash of the signing certificate	Signing key rotation
PCR3	Hash of the parent IAM role ARN	IAM role changes

Production deployments should enforce both PCR8 and PCR0. PCR8 alone is insufficient — if the signing key is compromised, an attacker can sign a malicious binary that passes PCR8. PCR0 prevents this because it pins to the exact binary hash.

With reproducible builds, each key holder can independently verify PCR0 by rebuilding from source.

Next Steps

• AWS Setup — KMS key policies, signing certificates, IAM
• Deployment — Helm chart, K8s prerequisites
• Operations — PCR rotation, troubleshooting