
Cloud Providers

Polaris Pro can currently be deployed on Microsoft Azure using Confidential Computing, Key Management, and Attestation services. In all cases, all resources are provisioned on the client's infrastructure, and Fr0ntierX has no ability to access any data or services. All components of the provisioned stack are open-source and can be audited by the client.

Microsoft Azure

Polaris containers on Microsoft Azure are provisioned using confidential Azure Container Instances. For each Polaris instance, a confidential container group is created, containing separate containers for the Polaris Proxy and the Client Workload. Some limitations on the CPU count and memory size of the container instances apply. Please refer to the Azure documentation for more information.

You can deploy Polaris on Azure as a Managed Application using the offer in the Azure Marketplace. The Managed Application is configured to grant you full access to all resources, while access by Fr0ntierX to the resources is strictly prohibited.

Key Management on Azure

The private encryption key is created using Azure Key Vault and stored inside an HSM. The key can be accessed within the Polaris Pro container via the Secure Key Release (SKR) feature. This is implemented using the official Azure Secure Key Release Sidecar container. The SKR container is responsible for generating the remote attestation from the CPU, verifying it with the Microsoft Azure Attestation (MAA) service, obtaining a token, and releasing the key. The private key is then imported into the encrypted memory of the Polaris Proxy container, enabling it to encrypt data.

Info: In the future, you will be able to customize the attestation policy to include additional conditions, such as the Docker image hash of the proxy and the workload.
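The following added Python example (not Polaris or Azure code) models the release decision the SKR step above depends on: a Key Vault release policy evaluated against the decoded claims of an MAA token, with the hostdata claim standing in for the kind of image-binding condition the note mentions. The policy shape and claim names follow the Azure SKR policy and MAA SEV-SNP formats as I understand them; the attestation URLs, policy hash and key bytes are constructed samples, and token signature verification is assumed to have happened before the claims reach this code.

```python
import json

# Constructed SKR policy in the Azure Key Vault release-policy shape
# (version / anyOf / authority / allOf / claim / equals); claim names are the
# MAA SEV-SNP claims, values are sample placeholders, not real data.
RELEASE_POLICY = json.loads("""{
  "version": "1.0.0",
  "anyOf": [{
    "authority": "https://sharedeus.eus.attest.azure.net",
    "allOf": [
      {"claim": "x-ms-attestation-type", "equals": "sevsnpvm"},
      {"claim": "x-ms-sevsnpvm-is-debuggable", "equals": "false"},
      {"claim": "x-ms-sevsnpvm-hostdata", "equals": "SAMPLE_POLICY_HASH"}
    ]
  }]
}""")
# Constructed stand-in for the HSM-held private key the SKR step releases.
SAMPLE_KEY = b"constructed-private-key-material"
# Constructed decoded payloads of an MAA token whose signature the caller
# has already verified; "iss" is the MAA instance that issued the token.
GOOD_CLAIMS = {
    "iss": "https://sharedeus.eus.attest.azure.net",
    "x-ms-attestation-type": "sevsnpvm",
    "x-ms-sevsnpvm-is-debuggable": False,
    "x-ms-sevsnpvm-hostdata": "SAMPLE_POLICY_HASH",
}
DEBUG_CLAIMS = {**GOOD_CLAIMS, "x-ms-sevsnpvm-is-debuggable": True}
WRONG_ISSUER = {**GOOD_CLAIMS, "iss": "https://attest.example.invalid"}

def _norm(value) -> str:
    """Policy values are strings; token booleans must compare as "true"/"false"."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return "" if value is None else str(value)

def policy_allows_release(policy: dict, claims: dict) -> bool:
    """True only if an anyOf branch trusts the token issuer and every allOf claim matches."""
    if policy.get("version") != "1.0.0":
        return False
    for branch in policy.get("anyOf", []):
        if claims.get("iss") != branch.get("authority"):
            continue  # token not issued by the authority this branch trusts
        rules = branch.get("allOf", [])
        if all(_norm(claims.get(r["claim"])) == r["equals"] for r in rules):
            return True
    return False

def release_key(policy: dict, claims: dict):
    """Model the release step: the key leaves the vault only when the policy holds."""
    return SAMPLE_KEY if policy_allows_release(policy, claims) else None
```

A debug-enabled VM or a token from an untrusted MAA instance yields no key, which is the property the proxy's encrypted-memory key import relies on.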