Documentation
Rate This Document
Findability
Accuracy
Completeness
Readability
SubmitClose

Creating a Data Sealing Project

A data sealing project includes CAs and TAs and uses the TEE secure storage interface to store confidential data. It allows applications to encrypt sensitive data, such as keys, without the need to implement encryption solutions at the software layer. It can be a substitute for Key Management Center (KMC) and white-box cryptography (WBC).

Procedure

  1. Click in the shortcut menu bar on the left pane or click next to Development Assistant. The Kunpeng Application Projects page is displayed. See Figure 1.
    Figure 1 Kunpeng Application Projects
  2. Click Secure Computing Application. The Secure Computing Application page is displayed. See Figure 2.
    Figure 2 Secure Computing Application
  3. Click GlobalPlatform-Compliant TEE Application. On the left pane of the displayed page, select Data Sealing for Project Type and set other parameters as required.
    Figure 3 Creating a data sealing project
  4. Click Next to configure the target node. You can use an existing server or add a new server. To add a server, enter the IP address, SSH port, user name, password, and storage directory. If you select Configure later, no SDKs will be deployed by default. See Figure 4.
    Figure 4 Configuring the target node

    When configuring the new target node, ensure that the node is running on a physical machine and runs the openEuler 20.03 LTS SP1, UOS 20 SP1, CentOS 7.6, or Kylin V10 in the Arm architecture, and that you have administrator permissions for the node.

  5. Determine whether to deploy the SDK when creating the project. If you select Yes, specify a deployment method. See Figure 5. Click Create.
    Figure 5 Deploying the SDK

    If the secure computing SDK fails to be deployed, rectify the fault by following instructions in Failed to Deploy the Secure Computing Application SDK.

    Table 1 Parameters for configuring a GlobalPlatform-compliant TEE application project

    Parameter

    Description

    Project Type

    The options are:

    • Template project
      • CA Project
      • TA Project
      • RSA Project
      • Data Sealing
      • Secret Vote
      • Cert Assign
    • Empty project
      NOTE:
      • A CA project runs in the REE, and a TA project runs in the TEE. An RSA project implements secure communication based on the CA and TA projects.
      • A data sealing project includes CA and TA projects. The TEE secure storage interface is used to store confidential data.
      • A secret voting project includes CA and TA projects and is based on Advanced Encryption Standard (AES) and RSA encryption.
      • A certificate assignment project includes CA and TA projects. Certificates are issued based on the RSA and SM2 algorithms.

      Dependencies:

      1. Ensure that kunpeng-sc has been installed. (For data sealing and secret voting projects, ensure that kunpeng-sc-devel has been installed. For certificate assignment projects, ensure that the confidential computing SDK and kunpeng-sc-devel have been installed.)
      2. Run the lsmod | grep tzdriver command to check that the tzdriver is properly loaded.
      3. Run the ps -ef| grep teecd command to check that the daemon is properly started.

    Project Name

    The default project name is xxx_ProjectN, which can be modified as required.

    Name of the project to be created.

    NOTE:
    • N is an integer starting from 1 in ascending order.
    • The project name can contain 1 to 64 characters, including only letters, digits, periods (.), hyphens (-), plus signs (+), parentheses (), and underscores (_). It cannot start with a period (.).

    Project Location

    The default project location is C:\Users\username\KunpengProject, which can be modified as required.

    Storage path of the project to be created.

    (Optional) Signature Private Key

    Import the signature private key file.

    (Optional) Config Binary

    Import the binary configuration file.

    Deploy Server
    • Existing
    • New
    • Configure later
    NOTE:

    The new server will be added to the target server management.

    IP Address

    IP address of the target node for subsequent operations.

    SSH Port

    SSH port number of the target node.

    User Name

    Account of the target node for subsequent operations.

    Password

    Password of the target node user.

    Remember password

    If you select this option, the password of the current server user will be remembered.

    Storage Directory

    Storage directory on the target node.

    NOTE:

    The tool reads and writes the content in the storage directory. To avoid data loss, you are advised to use an empty directory.

    Deploy SDK When Creating Project

    Yes: deploys the SDK.

    No: does not deploy the SDK.

    Deploy SDK

    Select an SDK deployment method.

    • Online deployment
      • kunpeng-sc
      • kunpeng-sc-devel
    • Offline deployment
      • kunpeng-sc
      • kunpeng-sc-devel
        NOTE:
        • If you select Online deployment, the server must be connected to the Internet. In an isolated network environment, you need to use a proxy to access the Internet. For details, see Configuring a Proxy.
        • If you select Offline deployment, the SDK is imported from the local host. Download the SDK to the local host and upload it.
  6. After the data sealing project is created, click Open Project to open it in the current window.
    Figure 6 Opening the data sealing project
    Figure 7 Viewing the data sealing project
  7. Use the Compiler and Debugger to compile and debug the new project. For details, see the README file in the project folder.
    Figure 8 data-sealing_README

    If a project folder or file is added, deleted, modified, or renamed, you can synchronize the change to the remote server. For details, see Synchronizing Code to a Remote Server.

    After the compilation is complete, copy the generated files to the specified directory by following instructions in Instructions on Running Secure Computing Applications.

  8. When encryption and decryption are required:
    In the CLI of the target server, run the following encryption command: 
    /vendor/bin/data-sealing encrypt -k xxx -f xxx
    In the CLI of the target server, run the following decryption command: 
    /vendor/bin/data-sealing decrypt -k xxx -o xxx
    Figure 9 Encryption/Decryption commands
    Figure 10 Encryption
    Figure 11 Decryption
    1. The command can only be encrypt or decrypt. If you enter the -h option, the help information is printed and the program exits.
    2. During encryption, a string of fewer than 128 characters is specified after the -k option. The -f option cannot be left blank. The file content specified after -f cannot exceed 4096 bytes.
    3. During decryption, a string of fewer than 128 characters is specified after the -k parameter. After the decryption is successful, the decryption result is output to the file path specified after the -o parameter.
    4. Before performing encryption and decryption, ensure that the operator has the permission to execute the application.