We are pleased to announce the release of Conclave 1.2, which delivers two data persistence features, a key-derivation service to simplify cloud development, a common host, and other features that improve the developer experience.
Conclave is a software development kit and suite of complementary cloud services that make it easy for developers to build privacy-first services for their customers. Privacy-enhancing services protect users’ data from being misused by the potentially malicious operators of the services. The services cryptographically prove to the users exactly what will happen to any data they submit. Conclave aspires to be the industry’s simplest and quickest way for non-specialist developers to add these capabilities to their offerings.
Conclave 1.2 radically reduces the journey to production by removing barriers to cloud deployment and simplifying the developer experience.
Our cloud-based Key-Derivation Service (KDS) makes it possible to deploy privacy-enhancing applications that are not tied to any one machine, unlocking clusters and high-availability architectures. The private key is not attached to a particular SGX instance and can be derived from any source, for example, HSM. As the key is not linked to the CPU, enclave data can easily be migrated from one VM to another and provide seamless redeployment of VM by cloud service providers. Read more about KDS in the blog here and here.
Conclave 1.2 provides out-of-the-box support for data persistence, which is fully integrated with the key-derivation service to enable cloud-native Conclave applications. It has unique optional ‘malicious host’ detection technology to make security more robust. Two persistent features are now available:
- The persistent file system gives the enclave the ability to securely store data on the host, and data is still available even after the enclave restarts. In many other Confidential Computing SDKs when an enclave wrote data into a file, it would only reside in memory and would disappear after the enclave was restarted.
- To improve security, the enclave class now exposes a simple key-value store, represented as a standard java.util.Map object. Conclave will securely persist the encrypted map on the host side. Not only is the map still securely available after an enclave restarts, but it is also resilient against attempts by a malicious host to roll it back to a previous state (rollback attacks).
A deep-dive blog on these two persistence features, what “rollback attacks” are, and how Conclave protects against them is here.
Out-of-the-box ‘Common Host’ and ‘Common Client’ to radically simplify the developer journey. This removes the need to develop boilerplate hosting logic and provides a stepping stone to the future Conclave cloud hosting service. A Client also has a set of new APIs to simplify the client’s code and encapsulate all communication complexities away. Read more about Common Host here and here.
- Conclave Init tool to make setting up a Conclave project easier.
- Updated mail-enclave communication protocol to support ephemeral sessions: these changes along with persistent storage and KDS provide additional security and flexibility when working with Conclave mail and persistent data.
- Experimental support for Python as a new programming language to write Enclave’s code.
- We have updated enclave code to Java 11 as a default JDK version. We still support Java 8 version but enclaves must opt in for it.
In addition, Conclave 1.2 delivers:
- Enclave lifecycle methods for enclave startup initialization and shutdown cleanup.
- Further improvements to the Conclave Gradle plugin to reduce the amount of boilerplate code needed.
- Improved API for checking platform support.
- Upgraded to the latest Intel SGX SDK 2.14, which addresses the latest security fixes and other improvements.
- Host load is no longer required to specify enclave class name as a parameter.
Download Conclave 1.2 here.
To learn more, make sure to visit docs.conclave.net, conclave.net, developer.r3.com, Discord channel, or join the conclave-discuss mailing list, where you’ll have a direct line to the Conclave development team. Special thanks to Richard G Brown, Shams Asari, Marco Bonifazi, and Roy Hopkins for their help with this blog.