SVSM-KMS: Safeguarding Keys for Cloud Services with Encrypted Virtualization

SVSM-KMS: Safeguarding Keys for Cloud Services with Encrypted Virtualization

연구 분야: Networking

학회: International Conference on Science of Cyber Security

In recent years, numerous instances of data breaches have emerged due to the inadvertent or intentional disclosure of cryptographic keys. To address this issue, this paper proposes SVSM-KMS, which utilizes AMD’s latest Encrypted Virtualization technology (AMD SEV-SNP) to deliver an efficient and seamless integrated secure key management service. We realized multilayered defense by integrating our mechanism within a privileged layer of a confidential virtual machine (CVM), thereby minimizing the trusted computing base (TCB) to prevent key leakage from compromised CVMs. Notably, we incorporated a zero-copy mechanism between the most privileged service module and the least privileged user applications, eliminating redundant data copies. To facilitate seamless integration, we propose a proxy server for existing cloud services. A prototype of SVSM-KMS has been developed based on the latest AMD SEV-SNP hardware platform. Evaluation results indicate that the performance of the Encrypted Virtualization-empowered SVSM-KMS is on par with Hadoop KMS, highlighting the practicality.