Cloud Providers
Polaris and Polaris Pro can be deployed on Microsoft Azure, using its Confidential Computing, Key Management, and Attestation services. All resources are provisioned on the client's own infrastructure, so Fr0ntierX has no access to any data or services. In addition, every component of the provisioned stack is open source and can be audited by the client.
Microsoft Azure
Polaris containers on Microsoft Azure are deployed on Azure Kubernetes Service (AKS) using Confidential Virtual Machine (CVM) nodes. Each Polaris instance runs as a Kubernetes pod with separate containers for the Polaris Proxy and the client workload. CPU and memory allocations are bounded by the size of the AKS nodes; refer to the Azure documentation for the available CVM node sizes.
You can deploy Polaris and Polaris Pro on Azure as a Kubernetes Application from the offer in the Azure Marketplace. The Kubernetes Application is configured to grant you full access to all resources, while Fr0ntierX is granted no access to them.
Key Management on Azure
For Polaris Pro, the private key is created in Azure Key Vault and held in an HSM (HSM-backed keys require the Key Vault Premium tier or Managed HSM); the key is marked exportable and bound to a release policy. The Polaris Pro pod obtains the key through Key Vault's Secure Key Release (SKR) feature, implemented with the official Azure Secure Key Release sidecar container. The SKR sidecar requests a hardware attestation report from the CVM, submits it to the Microsoft Azure Attestation (MAA) service, receives a signed attestation token, and presents that token to Key Vault, which releases the key only if the token's claims satisfy the key's release policy. Key Vault returns the key material wrapped with a transfer key that the sidecar generated inside the CVM, so only that VM can unwrap it. The private key is then imported into the encrypted memory of the Polaris Proxy container, where it is used to decrypt the data encrypted for the workload.
In the future, you will be able to customize the attestation policy to include additional conditions, such as the Docker image hash of the proxy and the workload.
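The release policy that Key Vault evaluates before handing over the key is what decides whether a given CVM receives it, and additional conditions of the kind mentioned above are expressed as extra claim checks in that policy. The following is an added Python example, not Key Vault's implementation and not Polaris code: it encodes the release policy Azure documents as the default for Confidential VMs, a stricter variant that also pins the SEV-SNP launch measurement (the measurement value and the token claims are constructed for the example), and a small evaluator that makes explicit which claims a release depends on.

```python
"""Illustrative evaluator for an Azure Key Vault Secure Key Release (SKR)
release policy against the claims of a decoded Microsoft Azure Attestation
(MAA) token.

Added example, not Key Vault's code and not part of Polaris: it mirrors the
documented release-policy grammar (version / anyOf / authority / allOf /
claim / equals) so that the claims a key release depends on are explicit.
"""

import json

# Default release policy that Azure documents for Confidential VMs: any
# SEV-SNP CVM that MAA at the named authority reports as Azure-compliant
# may receive the key.
DEFAULT_CVM_POLICY = {
    "version": "1.0.0",
    "anyOf": [
        {
            "authority": "https://sharedeus.eus.attest.azure.net",
            "allOf": [
                {"claim": "x-ms-isolation-tee.x-ms-attestation-type",
                 "equals": "sevsnpvm"},
                {"claim": "x-ms-isolation-tee.x-ms-compliance-status",
                 "equals": "azure-compliant-cvm"},
            ],
        }
    ],
}

# Stricter policy: additionally pins the SEV-SNP launch measurement, so only
# a VM booted from one specific measured firmware/image can release the key.
# The measurement value is constructed for this example (48-byte SHA-384).
PINNED_MEASUREMENT = "ab" * 48
STRICT_POLICY = json.loads(json.dumps(DEFAULT_CVM_POLICY))  # deep copy
STRICT_POLICY["anyOf"][0]["allOf"].append(
    {"claim": "x-ms-isolation-tee.x-ms-sevsnpvm-launchmeasurement",
     "equals": PINNED_MEASUREMENT})

# Constructed (not captured) subset of a decoded MAA token payload, as the
# SKR sidecar would present it to Key Vault. Real tokens carry many more claims.
SAMPLE_CLAIMS = {
    "iss": "https://sharedeus.eus.attest.azure.net",
    "x-ms-isolation-tee": {
        "x-ms-attestation-type": "sevsnpvm",
        "x-ms-compliance-status": "azure-compliant-cvm",
        "x-ms-sevsnpvm-is-debuggable": False,
    },
}


def lookup_claim(claims, dotted_path):
    """Resolve a dotted claim path ('a.b.c') in a decoded token payload."""
    node = claims
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _same_authority(policy_authority, issuer):
    return policy_authority.rstrip("/").lower() == (issuer or "").rstrip("/").lower()


def evaluate_release_policy(policy, claims):
    """Return (released, reason). The key is released only if some anyOf
    branch names the token issuer as its authority and every allOf claim
    in that branch equals the value found in the token."""
    if policy.get("version") != "1.0.0":
        return False, "unsupported policy version"
    issuer = claims.get("iss")
    reasons = []
    for branch in policy.get("anyOf", []):
        authority = branch.get("authority", "")
        if not _same_authority(authority, issuer):
            reasons.append(f"issuer {issuer!r} is not authority {authority!r}")
            continue
        mismatched = [c["claim"] for c in branch.get("allOf", [])
                      if lookup_claim(claims, c["claim"]) != c["equals"]]
        if not mismatched:
            return True, f"all claims satisfied for authority {authority}"
        reasons.append("unsatisfied claims: " + ", ".join(mismatched))
    return False, "; ".join(reasons) or "policy has no anyOf branches"


def release_policy_json(policy):
    """Serialise a policy as the JSON file passed to
    `az keyvault key create --exportable true --policy @file.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in [("default CVM policy", DEFAULT_CVM_POLICY),
                         ("pinned-measurement policy", STRICT_POLICY)]:
        print(name, evaluate_release_policy(policy, SAMPLE_CLAIMS))
    attested = json.loads(json.dumps(SAMPLE_CLAIMS))
    attested["x-ms-isolation-tee"]["x-ms-sevsnpvm-launchmeasurement"] = PINNED_MEASUREMENT
    print("pinned policy, matching measurement",
          evaluate_release_policy(STRICT_POLICY, attested))
```

The default policy admits any compliant SEV-SNP CVM in the subscription's attestation region, which is why a token from a different issuer is refused but one from any correctly configured CVM is accepted; pinning the launch measurement narrows release to VMs booted from one measured image, at the cost of having to update the policy whenever that image changes. Whichever policy you choose, the JSON produced by `release_policy_json` is the file supplied when the exportable key is created in Key Vault.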