Patents by Inventor Brian Spencer Payne

Brian Spencer Payne has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11936784
    Abstract: Techniques are disclosed for enabling attested end-to-end encryption for transporting data between devices. In one example, a destination device receives a policy profile that includes an origination key and a destination key, and the origination key corresponds to a public transfer key of a source device. The destination device verifies the policy profile based on the destination key corresponding to a public transfer key of the source device. The destination device receives a signed encrypted data encryption key from the source device. The destination device receives encrypted data from the source device. The destination device verifies the signed encrypted data encryption key originated from the source device based on the signed encrypted data key being signed with a private attestation identity key that corresponds to a public attestation identity key of the source device. The destination device decrypts encrypted data using a private transfer key of the destination device.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: March 19, 2024
    Assignee: Oracle International Corporation
    Inventors: Brian Spencer Payne, Saikat Chakrabarti, Pratibha Anjali Dohare, Rehan Loring Iftikhar
  • Patent number: 11863561
    Abstract: The present embodiments relate to edge attestation of a host node to access a cloud infrastructure environment. A set of authentication data can be obtained from a console for authorization of the host node. The set of authentication data can include a first endorsement key and an authentication policy identifying characteristics of the host node. The host node can send a request for a network address to connect to the cloud infrastructure environment. The host node can generate a second endorsement key and authentication data that can be verified as corresponding to the set of authentication data received from the console. Responsive to validating the second endorsement key and the received host node authentication data, the network address can be provided to the host node that can be used to connect to the cloud infrastructure environment using the network address.
    Type: Grant
    Filed: November 10, 2021
    Date of Patent: January 2, 2024
    Assignee: Oracle International Corporation
    Inventor: Brian Spencer Payne
  • Publication number: 20230281313
    Abstract: The present embodiments relate to a secure boot partition for a cloud computing device of a cloud computing system. The computing device of the cloud computing system can transmit a first request for a pre-boot execution environment executable from a smart network interface card (SmartNIC). The computing device can receive the pre-boot environment executable from the SmartNIC and verify the pre-boot execution environment executable. The computing device can execute the pre-boot execution environment executable. Executing the pre-boot execution environment executable can include transmitting a second request for secure boot metadata from the SmartNIC and receiving the secure boot metadata. Executing the pre-boot execution environment executable can further include mounting a boot partition, loading a boot loader obtained from the boot partition, verifying the boot loader based at least in part on the secure boot metadata, and executing the boot loader in response to verifying the boot loader.
    Type: Application
    Filed: March 2, 2022
    Publication date: September 7, 2023
    Applicant: Oracle International Corporation
    Inventor: Brian Spencer Payne
  • Publication number: 20230144341
    Abstract: The present embodiments relate to edge attestation of a host node to access a cloud infrastructure environment. A set of authentication data can be obtained from a console for authorization of the host node. The set of authentication data can include a first endorsement key and an authentication policy identifying characteristics of the host node. The host node can send a request for a network address to connect to the cloud infrastructure environment. The host node can generate a second endorsement key and authentication data that can be verified as corresponding to the set of authentication data received from the console. Responsive to validating the second endorsement key and the received host node authentication data, the network address can be provided to the host node that can be used to connect to the cloud infrastructure environment using the network address.
    Type: Application
    Filed: November 10, 2021
    Publication date: May 11, 2023
    Applicant: Oracle International Corporation
    Inventor: Brian Spencer Payne
  • Publication number: 20220407694
    Abstract: Techniques are disclosed for enabling attested end-to-end encryption for transporting data between devices. In one example, a destination device receives a policy profile that includes an origination key and a destination key, and the origination key corresponds to a public transfer key of a source device. The destination device verifies the policy profile based on the destination key corresponding to a public transfer key of the source device. The destination device receives a signed encrypted data encryption key from the source device. The destination device receives encrypted data from the source device. The destination device verifies the signed encrypted data encryption key originated from the source device based on the signed encrypted data key being signed with a private attestation identity key that corresponds to a public attestation identity key of the source device. The destination device decrypts encrypted data using a private transfer key of the destination device.
    Type: Application
    Filed: July 15, 2022
    Publication date: December 22, 2022
    Applicant: Oracle International Corporation
    Inventors: Brian Spencer Payne, Saikat Chakrabarti, Pratibha Anjali Dohare, Rehan Loring Iftikhar
  • Patent number: 11444762
    Abstract: Techniques are disclosed for enabling attested end-to-end encryption for transporting sensitive data between devices. In one example, an origination device receives and verifies, in a secure environment, a policy profile that includes an origination key of the origination device and a destination key of a destination device. The origination device generates and seals a data encryption key based on a characteristic of the secure environment. The origination device then encrypts the data encryption key with a public key of the destination device to form an encrypted data encryption key. The origination device then signs the encrypted data encryption key with a private attestation identity key of the origination device. The origination device encrypts the sensitive data with the sealed data encryption key to form encrypted data, and then transmits the signed encrypted data encryption key and the encrypted data to the destination device for subsequent decryption of the encrypted data.
    Type: Grant
    Filed: August 19, 2020
    Date of Patent: September 13, 2022
    Assignee: Oracle International Corporation
    Inventors: Brian Spencer Payne, Saikat Chakrabarti, Pratibha Anjali Dohare, Rehan Loring Iftikhar
  • Publication number: 20220060323
    Abstract: Techniques are disclosed for enabling attested end-to-end encryption for transporting sensitive data between devices. In one example, an origination device receives and verifies, in a secure environment, a policy profile that includes an origination key of the origination device and a destination key of a destination device. The origination device generates and seals a data encryption key based on a characteristic of the secure environment. The origination device then encrypts the data encryption key with a public key of the destination device to form an encrypted data encryption key. The origination device then signs the encrypted data encryption key with a private attestation identity key of the origination device. The origination device encrypts the sensitive data with the sealed data encryption key to form encrypted data, and then transmits the signed encrypted data encryption key and the encrypted data to the destination device for subsequent decryption of the encrypted data.
    Type: Application
    Filed: August 19, 2020
    Publication date: February 24, 2022
    Applicant: Oracle International Corporation
    Inventors: Brian Spencer Payne, Saikat Chakrabarti, Pratibha Anjali Dohare, Rehan Loring Iftikhar