• this repo contains demo of use Amazon Nitro Enclave and Amazon KMS which implement the crypto wallet on AWS Cloud
• this repo contains sample code for golang, python, and rust. You can find them in nitro-golang-example, nitro-python-example, and nitro-rust-example respectively.
• this repo supports to deploy on Nitro Enclave on EKS, you can follow the steps in README.md file in each sub-folder

this demo code implement two use case, generateAccount and signature

• generateAccount API generates wallet in Nitro Enclave and uses KMS to encrypt it with envelope encryption.

• below is the process of the workflow

• signature API signs a transaction with the private key of the wallet

• below is the process of the signature

when you try to run the Nitro Enclave application, you should configure below things

• Region : you need choose a region where you deploy your application, and you need set ENV in Dockerfile

ENV REGION ap-northeast-1

• KMS : you need create a Symmetric kms key, which used for Encrypt and decrypt, you need copy the kms id. In this demo, it is hardcode in the appClient code
• IAM Role : IAM Role should assign the policy to allow call KMS encrypt,generateDataKey. In this demo, we attach the role on EC2
• vsock-proxy : before you start the enclave application, you should start the vsock-proxy for kms. below command with run the proxy on parent instance which will forward request on port 8000 to endpoint kms.ap-southeast-1.amazonaws.com on port 443. you should run it before run enclave

vsock-proxy 8000 kms.ap-northeast-1.amazonaws.com 443 &

• cid : vsock connection use CID not address. when the vsock-proxy start, CID 3 is default parent CID, according to this doc