Protect result
Prerequisites
Please make sure you have already checked the Quickstart, Your first application and Build trusted applications tutorials before learning how to protect the result of your task.
In previous tutorials, we saw how to build trusted applications that run securely inside enclaves and how to combine them with confidential datasets to get the most out of confidential computing. In this chapter, we go one step further and protect the workflow end to end by encrypting the results.
You don't need to change your application's code or redeploy it to add this feature.
Assuming your application is deployed (if not, please check how to do it here), you need to generate a public/private AES key-pair and push the public part to the Secret Management Service (SMS) before triggering an execution. At runtime, the SMS provides the public key to the enclave running your trusted application.
To generate the key-pair, go to ~/iexec-projects and use the following SDK command:
iexec result generate-encryption-keypair
This generates two files in .secrets/beneficiary/. Make sure to back up the private key in the file <0x-your-wallet-address>_key.
.secrets
├── beneficiary
│   ├── <0x-your-wallet-address>_key
│   └── <0x-your-wallet-address>_key.pub
...
Make sure you use the debug Secret Management Service (see Build trusted applications > Deploy the dataset). The default SMS is the production one, so make sure you use the right one.
Now, push the public key to the SMS:
iexec result push-encryption-key --chain viviani
And check it using:
iexec result check-encryption-key --chain viviani
To see this in action, trigger a task and specify yourself as the beneficiary in the command:
iexec app run <0x-your-app-address> \
  --chain viviani \
  --tag tee \
  --encrypt-result \
  --watch
Wait for the task to be COMPLETED and download the result:
iexec task show <0x-your-task-id> --download --chain viviani
If you extract the downloaded zip and try to read the content of the file iexec_out/result.zip.aes, you will find it encrypted:
mkdir /tmp/trash && \
  unzip <0x-your-task-id>.zip -d /tmp/trash && \
  cat /tmp/trash/iexec_out/result.zip.aes
iexec:out/result.zip
)3�Xq��Yv��ȿzE�fRu<\�ݵm�m���疞r���c��(a���{{'��ܼ���͛�q/[{����H�t>��������h��gD$g��\.�k��j�����"�s?"�h�J�_Q41�_[{��X��������Ԛ��a�蘟v���E����r����肽
�����Յ]9W�TL�*���
�t��d���z��O`����!���e�&snoL3�K6L9���%
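A non-interactive version of this check, as an added example that is not part of the iExec documentation or SDK: it inspects the downloaded task archive in memory instead of printing binary to the terminal. Only the member path iexec_out/result.zip.aes comes from this page; the entropy threshold, the size cutoff and the sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

ENCRYPTED_MEMBER = "iexec_out/result.zip.aes"  # path shown on this page
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of an unencrypted, non-empty zip
MIN_ENTROPY = 7.5  # assumed threshold, in bits per byte
MIN_ENTROPY_SIZE = 1024  # assumed: below this size the estimate is too noisy

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for plain text."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def check_task_archive(archive: bytes) -> dict:
    """Report whether a downloaded task zip holds an encrypted result."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        if ENCRYPTED_MEMBER not in zf.namelist():
            return {"present": False, "looks_encrypted": False}
        blob = zf.read(ENCRYPTED_MEMBER)
    plain_zip = blob.startswith(ZIP_MAGIC)  # result was stored unencrypted
    entropy = shannon_entropy(blob) if blob else 0.0
    # Small payloads cannot reach 8 bits/byte, so only the zip check applies.
    entropy_ok = len(blob) < MIN_ENTROPY_SIZE or entropy >= MIN_ENTROPY
    return {"present": True, "plain_zip": plain_zip, "entropy": round(entropy, 2),
            "looks_encrypted": bool(blob) and not plain_zip and entropy_ok}

def make_archive(member: str, payload: bytes) -> bytes:
    """Build a constructed task archive in memory (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()

# Constructed samples; a SHA-256 counter stream stands in for ciphertext.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
SAMPLES = {
    "encrypted": make_archive(ENCRYPTED_MEMBER, FAKE_CIPHERTEXT),
    "plain_zip": make_archive(ENCRYPTED_MEMBER, make_archive("result.txt", b"Hello, world!\n")),
    "plain_text": make_archive(ENCRYPTED_MEMBER, b"Hello, world!\n" * 100),
    "missing": make_archive("iexec_out/result.txt", b"Hello, world!\n"),
}

if __name__ == "__main__":
    for name, archive in SAMPLES.items():
        print(name, check_task_archive(archive))
```

To run it against a real download, pass the bytes of <0x-your-task-id>.zip to check_task_archive; a result of looks_encrypted False means the task output should not be treated as protected.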
Now decrypt the result by running:
iexec result decrypt <0x-your-task-id>.zip
A new zip file appears in the current folder under the name results.zip. Finally, unzip it:
unzip results.zip -d my-decrypted-result
And you can see the content of your result file:
$ cat my-decrypted-result/result.txt
Hello, world!
Voilà! By finishing this part, you should be able to use confidential computing on iExec like a Ninja. All parts of the workflow are protected: the execution, the dataset, and the result.
You can go to the advanced section and learn more about managing orders on iExec to effectively monetize your applications and datasets.