Skip to main content

Architecture

Each Polaris container contains an instance of the Polaris Secure Proxy and the client workload container. Please refer to the diagram below for a visual representation.

Polaris Architecture

Trusted Execution Environment (TEE)

The Polaris Container is designed to be run inside of a Trusted Execution Environment (TEE) in order to guarantee that data is encrypted at all times, including while in-use. We achieve this by provisioning Polaris inside of a Confidential Virtual Machine based on the AMD SEV-SNP technology. The exact implementation depends on the Cloud Service Provider that is used, for details please refer to the Cloud Providers documentation.

Confidential Virtual Machines provide full memory encryption with minimal overhead. This means that data in the machies memory is protected agains a malicios Hypervisor or other VMs running on the same host. The encryption is done in hardware and does not require any changes to the workload running inside the VM.

Client Workload

The client workload is running as a Docker container inside of the TEE. You can configure the Docker image you want to run inside of the Polaris container along with environment variables, entrypoint command and parameters. Polaris takes care of creating the Docker container and configuring the network. In most cases, you don't need to do any modifications to your workload as all HTTP communication between it and the proxy is not encrypted.

For details how to configure the client workload, please refer to the Client Workload Configuration.

Polaris Secure Proxy

The Polaris Secure Proxy sits in front of the Client Workload and acts as an HTTP proxy server. It is implemented in TypeScript based on the efficient express-http-proxy library. The proxy can be configured to enable transparent decryption of input requests and encryption of responses if you want to enable encrypted communication.

For details on how to configure the Polaris Secure Proxy, please refer to the Polaris Secure Proxy documentation.

Permament Encryption Key

The proxy is also responsible for providing access to the private keys used to decrypt the data inside of the TEE. In the case of Polaris Pro, the proxy connects to an external key management solution that stores a 4096-bit RSA private key securely inside of a Hardware Security Module (HSM). The private key is configured to be accessed only through an attestation policy that verifies that they private key is only used inside of a TEE. The key management service and attestation policy rely on services provided by the cloud provider. Please refer to the Cloud Provider documentation for details.

Having a permanent decryption key means that it can be used to encrypt and decrypt data that is stored permanently in a bucket, on a disk, in a database or any other storage medium. To implement encryption and decryption of data from the workload container, please refer to the Polaris SD documentation.