AMD SEV-SNP encryption at rest

Friday, 11 October 2024

Hello folks,
I’m exploring the capabilities of the AMD SEV-SNP platform for a TEE implementation that
will handle and store secret data. 

This data should be tied to a single guest, that is no other guest that boots with the
same kernel/initrd/cmdline - in the form of a UKI - should be able to decrypt it.

I have a prototype that encrypts the boot disk with a key derived from the VCEK, but a
different guest is able to derive the same key provided it boots either the same UKI. 

The key has been derived with the snpguest tool developed by the virtee project. 

Does anybody have experience with encryption at rest with the AMD SEV SNP platform?

I understand that it’s possible to inject secrets into a SEV VM at creation time, but
documentation is scarce on that front. 

Thank you

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

AMD SEV-SNP encryption at rest