Secure Enclave
- with a cryptoprocessor, keys are not directly accessible via the file system
- applications that need to use a key interact with the cryptoprocessor through an API that implements PKCS#11, so the key material itself never leaves the device
- vulnerability:
  - decrypted data still has to be loaded into the computer's system memory (RAM) for applications to access it
  - this raises the potential for a malicious process to gain access to the decrypted data via some type of exploit
  - can be mitigated by implementing a secure enclave
A trusted execution environment (TEE) secure enclave is a CPU extension that protects data stored in system memory so that an untrusted process cannot read it.
- e.g., Intel Software Guard Extensions
- designed so that even processes with root or system privileges cannot access the enclave's memory without authorization
- enclave is locked to a list of one or more digitally signed processes