Recovery From Backup

1. Introduction

Recovery from a backup is the process of migrating the state of the Sharemind HI Server from one Intel® CPU to another Intel® CPU, for example after the physical loss of the CPU, or when moving to a more powerful CPU to handle an increased workload. The state cannot simply be copied and reused, because the Sharemind HI Server persists the enclave state with the Intel® SGX Data Sealing feature, and Data Sealing uses a sealing key that can only be derived, and re-derived, on the same Intel® CPU. Since the sealing key cannot be re-derived on another Intel® CPU, the sealed data would be lost when the original Intel® CPU breaks.
The recovery feature adds a layer of keys around the Intel® SGX Data Sealing mechanism so that migration becomes possible.

When the core enclave and the key enclave start for the first time, each of them creates an asymmetric root key pair. The private root key is split into key shares using XOR key sharing, and each share is encrypted with the public recovery key of one stakeholder. Whenever data is sealed, the sealing key is additionally encrypted with the public root key. When the recovery process is started on a new Intel® CPU, the core enclave and the key enclave wait for the stakeholders to decrypt their key shares. XOR sharing has no threshold, so the private root key can only be reconstructed once every decrypted key share has been received; it is then used to decrypt the sealing keys and thereby the sealed data. At the end of the recovery, the core enclave and the key enclave each have a new root key pair, and all sealed data has been re-sealed with the sealing key of the current Intel® CPU.
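The key layering described above, as an added worked example in Go; this is illustration code written for this page and not Sharemind HI's implementation. It assumes P-256 ECDH key pairs for both the root keys and the stakeholders' recovery keys, wraps secrets under a public key with an ECIES-style construction (ephemeral ECDH, SHA-256 as the key derivation, AES-256-GCM), and models the Intel® SGX sealing key as a hash of a constructed CPU identifier, so that a file sealed on "cpu-A" cannot be opened on "cpu-B" except by going through recovery. Remote attestation of the new enclave and the secure channel over which stakeholders return their decrypted shares are outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must panics on errors that well-formed inputs cannot produce (key generation, cipher
// setup); wrong-key decryption and missing shares are returned as errors instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// aesSeal encrypts pt with AES-256-GCM under a 32-byte key: nonce || ciphertext || tag.
func aesSeal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return gcm(key).Seal(nonce, nonce, pt, nil)
}

// aesOpen reverses aesSeal; a wrong key or a tampered ciphertext yields an error.
func aesOpen(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// pkEncrypt is ECIES-style public-key encryption (an assumption of this example): ephemeral
// P-256 ECDH, SHA-256 of the shared secret as the AES key (use HKDF in production);
// output is the 65-byte ephemeral public key || aesSeal output.
func pkEncrypt(pub *ecdh.PublicKey, pt []byte) []byte {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	key := sha256.Sum256(must(eph.ECDH(pub)))
	return append(eph.PublicKey().Bytes(), aesSeal(key[:], pt)...)
}

// pkDecrypt reverses pkEncrypt with the matching private key; this is what a stakeholder
// runs on its own key share with its private recovery key.
func pkDecrypt(priv *ecdh.PrivateKey, msg []byte) ([]byte, error) {
	if len(msg) < 65 {
		return nil, errors.New("message too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(msg[:65])
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(must(priv.ECDH(ephPub)))
	return aesOpen(key[:], msg[65:])
}

// combineXOR XORs all shares together; given the full share set it reconstructs the secret.
func combineXOR(shares [][]byte) []byte {
	out := make([]byte, len(shares[0]))
	for _, s := range shares {
		for j := range out {
			out[j] ^= s[j]
		}
	}
	return out
}

// splitXOR splits secret into n shares: n-1 random ones plus secret XOR all of them.
func splitXOR(secret []byte, n int) [][]byte {
	shares := [][]byte{secret}
	for i := 1; i < n; i++ {
		shares = append(shares, make([]byte, len(secret)))
		must(rand.Read(shares[i]))
	}
	shares[0] = combineXOR(shares)
	return shares
}

// SealedFile holds data sealed under a CPU's sealing key, plus that sealing key wrapped
// under the enclave's public root key so that recovery can reach it without the old CPU.
type SealedFile struct{ Data, WrappedKey []byte }

// Enclave models the core or key enclave on one CPU. SealKey stands in for the SGX sealing
// key (only this CPU can re-derive it; here a hash of a constructed CPU identifier), and
// Shares are the private root key shares, one encrypted to each stakeholder's recovery key.
type Enclave struct {
	SealKey [32]byte
	Root    *ecdh.PrivateKey
	Shares  [][]byte
}

// NewEnclave is the first start: fresh root key pair, private key split, one share per stakeholder.
func NewEnclave(cpuID string, stakeholders []*ecdh.PublicKey) *Enclave {
	e := &Enclave{SealKey: sha256.Sum256([]byte("sgx-seal-key:" + cpuID))}
	e.Root = must(ecdh.P256().GenerateKey(rand.Reader))
	for i, share := range splitXOR(e.Root.Bytes(), len(stakeholders)) {
		e.Shares = append(e.Shares, pkEncrypt(stakeholders[i], share))
	}
	return e
}

// Seal seals plain under this CPU's sealing key and wraps that key under the root public key.
func (e *Enclave) Seal(plain []byte) SealedFile {
	return SealedFile{aesSeal(e.SealKey[:], plain), pkEncrypt(e.Root.PublicKey(), e.SealKey[:])}
}

// Recover runs on the new CPU with what the backup holds (sealed files, stakeholder list) plus
// the share each stakeholder decrypted with its recovery private key. The reconstructed old
// root key unwraps each file's sealing key, and the data is re-sealed by a new enclave that
// has a fresh root key pair and fresh encrypted shares.
func Recover(newCPU string, shares [][]byte, stakeholders []*ecdh.PublicKey, files []SealedFile) (*Enclave, []SealedFile, error) {
	if len(shares) != len(stakeholders) {
		return nil, nil, errors.New("every stakeholder must contribute its decrypted share")
	}
	oldRoot, err := ecdh.P256().NewPrivateKey(combineXOR(shares))
	if err != nil {
		return nil, nil, err
	}
	fresh := NewEnclave(newCPU, stakeholders)
	resealed := make([]SealedFile, 0, len(files))
	for _, f := range files {
		oldSealKey, err := pkDecrypt(oldRoot, f.WrappedKey)
		if err != nil {
			return nil, nil, err
		}
		plain, err := aesOpen(oldSealKey, f.Data)
		if err != nil {
			return nil, nil, err
		}
		resealed = append(resealed, fresh.Seal(plain))
	}
	return fresh, resealed, nil
}
```

The stakeholder side is a single pkDecrypt call with the private recovery key; Recover refuses to proceed unless one decrypted share per configured stakeholder is present, which is the property of XOR sharing that makes every stakeholder a mandatory participant. Note that the new enclave never learns the old sealing key beyond what it needs to re-seal each file, and that a stakeholder's recovery key only ever decrypts its own share, never the root key or any data.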

2. Administrator View

Access to the data directory, and thus regular backup of the data directory, is a requirement for a successful recovery.

Figure 1. The recovery procedure from the system administrator perspective.

The recovery process is time consuming:

  • The data directory, the server configuration and the dataflow configuration need to be restored from a backup.

  • All enforcers need to approve the new Sharemind HI Server.

  • The new Sharemind HI Server needs to re-seal the metadata of each sealed data file.

Sharemind HI might provide hot-standby functionality in the future.

3. Stakeholder View

The recovery from backup feature works similarly to the four-eyes principle, using secret sharing. Stakeholders participate in the secret sharing, and thereby control the recovery process, by creating an asymmetric recovery key pair. The public recovery key must be configured in the dataflow configuration for the given stakeholder (option RecoveryPublicKeyFile). Because every key share is needed to reconstruct the private root key, a recovery can only complete if each stakeholder configured this way still has its private recovery key and takes part in the recovery.
