External Key Management

The Polaris Secure Proxy supports integration with several external key management solutions. In all cases, the Proxy assumes it is running inside a Trusted Execution Environment (TEE) and can perform the necessary remote attestation to access the key. The implementation details vary depending on the key management solution.

Google Cloud Key Management

When the private encryption key is managed in Google Cloud Key Management, the Polaris Proxy uses an OIDC token generated by the Google-managed vTPM to access the key through the Workload Identity Pool.
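The flow above has two hops the Proxy must get right: the vTPM-issued OIDC token has to carry the audience the Workload Identity Pool provider is configured to accept, and that token is then exchanged at Google's STS endpoint for a short-lived access token before any KMS call is made. The following is an added Python example, not code from the Polaris Proxy or its documentation. The project number, pool, provider and issuer values are constructed placeholders; the STS request fields and the default provider audience format are taken from Google's Workload Identity Federation documentation and are assumed to apply to this deployment. The local claim checks are a pre-flight only; STS verifies the token's signature against the provider's JWKS.

```python
import base64
import json
import time
import urllib.request

# Constructed identifiers for this example (not from the Polaris documentation).
# Substitute the real project number, pool, provider and issuer.
PROJECT_NUMBER = "123456789012"
POOL_ID = "polaris-pool"
PROVIDER_ID = "vtpm-oidc"
STS_ENDPOINT = "https://sts.googleapis.com/v1/token"
# Issuer of the vTPM-generated token (assumed; must match the provider's configured issuer).
EXPECTED_ISSUER = "https://example-attestation-issuer.invalid"

# STS `audience` parameter: the provider's full resource name, without a scheme.
STS_AUDIENCE = (f"//iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
                f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}")
# Default `aud` claim the provider accepts: the same name with an https: scheme (assumed default).
TOKEN_AUDIENCE = "https:" + STS_AUDIENCE


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT. No signature check is done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_attestation_token(token: str, now=None) -> dict:
    """Pre-flight checks before sending the token to STS: audience, issuer, expiry.

    STS verifies the signature against the provider's JWKS; these checks catch a
    mis-issued or stale token early and give the operator a clearer error.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if TOKEN_AUDIENCE not in aud:
        raise ValueError(f"token audience {aud} does not match the provider")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def build_sts_exchange_request(subject_token: str) -> dict:
    """JSON body for the STS token-exchange call (RFC 8693 grant as used by WIF)."""
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": STS_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": subject_token,
    }


def exchange_for_access_token(vtpm_token: str) -> str:
    """Perform the exchange against STS (network call; not exercised offline)."""
    check_attestation_token(vtpm_token)
    body = json.dumps(build_sts_exchange_request(vtpm_token)).encode()
    req = urllib.request.Request(STS_ENDPOINT, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned token for offline testing only (alg=none, empty signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tok = make_unsigned_test_token({"iss": EXPECTED_ISSUER, "aud": TOKEN_AUDIENCE,
                                    "sub": "polaris-proxy", "exp": int(time.time()) + 300})
    print(check_attestation_token(tok)["sub"])
    print(json.dumps(build_sts_exchange_request(tok), indent=2))
```

The access token returned by STS is what the Proxy then presents to Cloud KMS; the attestation token itself never leaves the exchange. If the provider's allowed audience was customised, replace TOKEN_AUDIENCE accordingly, since the pre-flight check will otherwise reject every token the vTPM issues.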

Azure Key Vault

When the private encryption key is managed in Azure Key Vault, the Polaris Proxy uses the Secure Key Release (SKR) feature to access the key. This is implemented using the official Azure Secure Key Release sidecar container, which is expected to run on the same machine as the Polaris Proxy.
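With SKR the security of the key rests on the release policy attached to it in Key Vault: the HSM only hands the key to a caller whose Microsoft Azure Attestation (MAA) token satisfies that policy, and the sidecar is what obtains the token and presents it. The following is an added Python example, not code from the Polaris Proxy or from the Azure sidecar project. The vault name, key name and MAA endpoint are constructed placeholders; the release policy grammar (version 1.0.0, anyOf/allOf with claim/equals) and the SEV-SNP claim names follow Azure's documentation; the sidecar's listener URL and request field names are assumptions about the official sidecar and should be checked against its README.

```python
import json
import urllib.request

# Constructed values for this example (not from the Polaris documentation).
MAA_AUTHORITY = "https://sharedeus.eus.attest.azure.net"
AKV_ENDPOINT = "polaris-example.vault.azure.net"
KEY_NAME = "polaris-proxy-key"
SKR_SIDECAR_URL = "http://localhost:8080/key/release"  # assumed sidecar listener

# MAA SEV-SNP claim names as documented for Key Vault release policies (assumed here).
REQUIRED_CLAIMS = {
    "x-ms-attestation-type": "sevsnpvm",
    "x-ms-sevsnpvm-is-debuggable": "false",
}


def build_release_policy(authority: str, claims: dict) -> dict:
    """Key Vault release policy: the key leaves the HSM only for a caller presenting
    an MAA token issued by `authority` whose claims match every entry in `claims`."""
    return {
        "version": "1.0.0",
        "anyOf": [{
            "authority": authority,
            "allOf": [{"claim": name, "equals": value} for name, value in claims.items()],
        }],
    }


def policy_forbids_debug_tees(policy: dict) -> bool:
    """Every branch must pin the attestation type and reject debuggable VMs.

    A branch missing either condition would release the key to a VM whose memory
    can be inspected, which defeats the point of keeping the key in a TEE.
    """
    branches = policy.get("anyOf", [])
    if not branches:
        return False
    for branch in branches:
        required = {c.get("claim"): c.get("equals") for c in branch.get("allOf", [])}
        if required.get("x-ms-sevsnpvm-is-debuggable") != "false":
            return False
        if required.get("x-ms-attestation-type") != "sevsnpvm":
            return False
    return True


def build_skr_request(maa_endpoint: str, akv_endpoint: str, kid: str) -> dict:
    """Body the Proxy would POST to the SKR sidecar (field names assumed).

    The sidecar attests the VM, obtains an MAA token and asks Key Vault to
    release `kid`; the caller never handles the attestation evidence itself.
    """
    return {"maa_endpoint": maa_endpoint, "akv_endpoint": akv_endpoint, "kid": kid}


def release_key_via_sidecar(request: dict) -> dict:
    """Network call (not exercised offline); returns the released key as a JWK dict."""
    req = urllib.request.Request(SKR_SIDECAR_URL, data=json.dumps(request).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(json.load(resp)["key"])


if __name__ == "__main__":
    policy = build_release_policy(MAA_AUTHORITY, REQUIRED_CLAIMS)
    print(json.dumps(policy, indent=2))
    print("strict:", policy_forbids_debug_tees(policy))
    print(build_skr_request(MAA_AUTHORITY.removeprefix("https://"), AKV_ENDPOINT, KEY_NAME))
```

The policy is set on the key at creation time (the key must also be marked exportable for SKR to apply); reviewing it with a check like policy_forbids_debug_tees before rollout is cheaper than discovering after the fact that a debug-enabled VM could obtain the Proxy's key. Pinning a launch measurement or host data claim in addition to the two above narrows release further to the intended Proxy image.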