Protect the result

Previous tutorials showed how to build Confidential Computing applications that run securely inside Trust Domains and combine them with confidential assets to get the most out of confidential computing advantages. This chapter pushes things further to protect the workflow in an end to end mode. That means the next step would be encrypting results.

Prerequisites:

• Docker 17.05 or higher on the daemon and client.
• iExec SDK 8.0.0 or higher.

INFO

You don't need to change your application's code or redeploy it to add this feature.

Assuming your application is deployed (if not please check how to do it with the TDX guide), before triggering an execution you need to generate an RSA key-pair, then push the public key to the Secret Management Service. The latter, in turn, will provide it, at runtime, to the Trust Domain running your Confidential Computing application.

To generate the key-pair, go to ~/iexec-projects and use the following SDK command:

Make sure your chain.json content is correct.

iexec result generate-encryption-keypair

This generates two files in .secrets/beneficiary/. Make sure to back up the private key in the file <0x-your-wallet-address>_key.

.secrets
├── beneficiary
│   ├── <0x-you-wallet-address>_key
│   └── <0x-you-wallet-address>_key.pub
...

Now, push the public key to the SMS:

iexec result push-encryption-key --tee-framework --chain arbitrum-mainnet

And check it using:

iexec result check-encryption-key --tee-framework --chain arbitrum-mainnet

Now to see that in action, you'd need to trigger a task and specify yourself as the beneficiary in the command:

iexec app run <0x-your-app-address> \
    --chain arbitrum-mainnet
    --workerpool 0x8ef2ec3ef9535d4b4349bfec7d8b31a580e60244 \
    --tag tee,tdx \
    --encrypt-result \
    --watch

Wait for the task to be COMPLETED and download the result:

iexec task show --chain arbitrum-mainnet <0x-your-task-id> --download

If you extract the obtained zip and try to read the content of the file iexec_out/result.zip.aes you will find it encrypted:

mkdir /tmp/trash && \
    unzip <0x-your-task-id>.zip -d /tmp/trash && \
    cat /tmp/trash/iexec_out/result.zip.aes

iexec_out/result.zip :

)3XqYvȿzEfRu<\ݵmm疞rc(a{{'ܼ͛q/[{Ht>hgD$g\.kj"s?"
hJ_Q41_[{XԚa蘟vEr肽
Յ]9WTL*
          tdzO`!e&snoL3K6L9%

Now you should decrypt the result by running:

iexec result decrypt <0x-your-task-id.zip>

A new zip file appears in the current folder under the name results.zip. Eventually, unzip it:

unzip results.zip -d my-decrypted-result

And you can see the content of your result file:

$ cat my-decrypted-result/result.txt
Hello, world!

Voilà! By finishing this part, you should be able to use confidential computing on iExec like a Ninja. All parts of the workflow are protected: the execution, the dataset, and the result.

You can go to the advanced section and learn more about managing orders on the iExec to effectively monetize your applications and datasets.