Recovery From Backup
1. Introduction
The recovery from a backup is a process to migrate the state of the Sharemind HI Server from one Intel® CPU to another Intel® CPU, for example due to a physical loss of the CPU, or a migration to a more powerful CPU to handle an increased workload.
The state cannot just be copied and directly reused, since the Sharemind HI Server uses the Intel® SGX Data Sealing feature to persist the enclave state.
But Intel® SGX Data Sealing uses a sealing key which can only be derived and re-derived on the same Intel® CPU.
The sealing key cannot be re-derived on another Intel® CPU, which means the data will be lost when the original Intel® CPU breaks.
The recovery feature adds a layer of keys around the Intel® SGX Data Sealing mechanism to make migration possible.
When the core enclave and key enclave start the first time, they both create an asymmetric root key. The private root key is split into key shares using XOR key sharing, and then encrypted with the public recovery keys of the stakeholders. The public root key is then used to encrypt the sealing key when sealing data. When the recovery process is initiated on a new Intel® CPU, the core enclave and key enclave wait for stakeholders to decrypt their key share. The private root keys can be recovered when all decrypted key shares have been received, and then used for accessing the sealing keys and the sealed data. At the end of the recovery, the core enclave and key enclave each have a new root key pair, and all sealed data is re-sealed with the sealing key from the current Intel® CPU.
2. Administrator View
Access to the data directory, and thus regular backup of the data directory, is a requirement for a successful recovery.
The recovery process is time consuming:
-
The data directory, server configuration and dataflow configuration needs to be restored from a backup.
-
All enforcers need to approve the new Sharemind HI Server
-
The new Sharemind HI Server needs to re-seal meta data of each sealed data file.
Sharemind HI might provide hot-standby functionality in the future.
3. Stakeholder View
The recovery from backup feature works similar to the four-eyes principle, using secret sharing.
Stakeholders can participate in the secret sharing, and thus control the recovery process, by creating an asymmetric recovery key pair.
The public recovery key must be configured in the dataflow configuration for a given stakeholder (option RecoveryPublicKeyFile
).