CanaryBit Tower
Orchestrate Trusted Execution Environments (TEE)
CanaryBit Tower is a Confidential Computing resources orchestration service. It helps end-users to deploy secure processing environments and provides control over configuration drifts.
It creates all the required infrastructure resources and one or more Trusted Execution Environments (TEEs, see Confidential Computing). Tower orchestrates TEEs either on the resources of a Cloud Service Provider of your choice, or On-Prem. It destroys all the resources once the execution is completed or compromised. Each trusted execution environment is single-use and immutable once created.
CanaryBit Tower consists of multiple Terraform / OpenTofu module configurations. The Tower module is a collection of resources that provisions Confidential VM resources only.
What is a module?
To learn more about the module concept and how to use modules, refer to the official Terraform or OpenTofu documentation.
Requirements
- Access to the target infrastructure provider;
- CLI access to your cloud platform (e.g. Azure CLI, AWS CLI).
Download
Below is a list of the configurations for both Public Clouds and Bare-metal / Private setups supported by CanaryBit Tower.
Public Clouds
The below configurations are free to use under the Apache-2.0 licence.
Bare-metal / Private setups
A Premium License is required for the following configurations: Buy Premium
- VMware: Infrastructure as Code (IaC) configuration for VMware Confidential VMs
- Proxmox: Infrastructure as Code (IaC) configuration for Proxmox Confidential VMs
- Openshift: Infrastructure as Code (IaC) configuration for Openshift Confidential VMs/Nodes
- Libvirt/QEMU: Infrastructure as Code (IaC) configuration for Baremetal Confidential VMs
Deploy & Verify
Automatically deploy Confidential VMs (cVMs) by applying the configuration specific to the selected target infrastructure, as follows:
Credentials
- Source your CanaryBit credentials:
cb.rc
export CB_USERNAME=***
export CB_PASSWORD=***
Tip
The Terraform/OpenTofu module expects your CanaryBit username (cb_username) and password (cb_password) as input. We recommend using environment variables as follows:
export TF_VAR_cb_username=$CB_USERNAME
export TF_VAR_cb_password=$CB_PASSWORD
- Source your target infrastructure credentials (e.g. AWS):
aws.rc
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_REGION=***
Configure
Edit the CanaryBit Tower module configuration.
The example below shows the lines/code-blocks that can be customized according to the expected target environment.
Note
Always refer to the provided example files for up-to-date, supported configuration.
...
// ========================
// Confidential VM (CVM)
// ========================
module "confidential-vm" {
// ************** DO NOT REMOVE THESE LINES ****************** //
source = "canarybit/tower/canarybit//modules/aws"
cb_username = var.cb_username
cb_password = var.cb_password
// ************** CUSTOM CONFIG BELOW THIS LINE ************** //
// Confidential VM
count = 2
cvm_name = "my-cvm-${count.index}"
...
}
...
For more information about the expected arguments, refer to the Inputs tab of each module (e.g. AWS: Inputs).
With Attestation (recommended)
To enable Remote Attestation, add the remote_attestation code-block to the module, providing the required variables.
In this scenario, CanaryBit Tower uses a specific cloud-init file (attested.yml) that ensures the security characteristics of each Confidential VM are verified at boot time or at a custom cadence.
Never trust, always verify!
Environment verification with CanaryBit Inspector service is recommended to certify the security capabilities of the execution environments, mitigate risks and ensure privacy.
Without Attestation
Whenever a Confidential VM is created but not attested, the end-user is still trusting the hypervisor and the infrastructure provider. In this scenario, the benefit of using Confidential VMs is lost.
You are at risk!
The security characteristics of this environment are NOT VERIFIED! In this scenario, you are still trusting the hypervisor/infrastructure provider.
Apply
In your terminal, apply the configuration with Terraform:
terraform init
terraform apply
or with OpenTofu:
tofu init
tofu apply
During the deployment CanaryBit Tower:
- authenticates the user towards CanaryBit;
- authenticates the user towards your infrastructure provider;
- creates the Confidential VMs and the required virtual resources (e.g. networks, security groups);
- injects the cloud-init (with or without Remote Attestation enabled) into each deployed Confidential VM;
- returns the details of the provisioned resources.
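The Credentials, Without Attestation and Apply steps above can be tied together in one preflight wrapper. The script below is an added example, not CanaryBit's code: it sources cb.rc / aws.rc from the current directory, maps CB_USERNAME / CB_PASSWORD onto the TF_VAR_* inputs the module reads, refuses to apply a module directory whose Tower module blocks have no remote_attestation block, and then runs init and apply with whichever of terraform or tofu is installed. The rc file names, the module source path and the remote_attestation block name come from this page; the TOWER_ALLOW_UNATTESTED=1 override, the use of -chdir, and the textual check on .tf files (it counts lines, it is not an HCL parser) are this script's own choices.

```shell
#!/bin/sh
# Preflight wrapper for applying a CanaryBit Tower module directory.
# Added example, not part of CanaryBit Tower. Assumptions not taken from the
# Tower docs: rc files are read from the current directory, the
# TOWER_ALLOW_UNATTESTED=1 override is an invention of this script, and the
# attestation check is a textual heuristic over .tf files, not an HCL parser.

# Map the sourced CanaryBit credentials onto the TF_VAR_* inputs the module
# reads. Returns 1 when either is unset/empty so no apply starts half-configured.
map_cb_credentials() {
    if [ -z "${CB_USERNAME:-}" ] || [ -z "${CB_PASSWORD:-}" ]; then
        echo "error: CB_USERNAME / CB_PASSWORD are not set (source cb.rc first)" >&2
        return 1
    fi
    export TF_VAR_cb_username="$CB_USERNAME"
    export TF_VAR_cb_password="$CB_PASSWORD"
}

# Tower supports both CLIs; use whichever is installed. Prints the binary name.
pick_iac_cli() {
    if command -v terraform >/dev/null 2>&1; then
        echo terraform
    elif command -v tofu >/dev/null 2>&1; then
        echo tofu
    else
        echo "error: neither terraform nor tofu is in PATH" >&2
        return 1
    fi
}

# Policy gate for the "Without Attestation" case: a Tower module block without
# a remote_attestation block boots a cVM whose properties nobody verifies, so
# the hypervisor/provider is back inside the trust boundary. For each .tf file
# given, compare the number of Tower module sources with the number of
# remote_attestation blocks (written as `remote_attestation {` or
# `remote_attestation = {`). Returns 0 only if every Tower module is attested.
check_attestation_blocks() {
    status=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            continue
        fi
        modules=$(grep -c 'canarybit/tower/canarybit' "$f" || true)
        if [ "$modules" -eq 0 ]; then
            continue
        fi
        attested=$(grep -Ec '^[[:space:]]*remote_attestation[[:space:]]*(=[[:space:]]*)?\{' "$f" || true)
        if [ "$attested" -lt "$modules" ]; then
            echo "warning: $f declares $modules Tower module(s) but only $attested remote_attestation block(s)" >&2
            status=1
        fi
    done
    return "$status"
}

# Source cb.rc / aws.rc if present, run the checks above, then init and apply.
tower_apply() {
    module_dir=${1:?usage: tower_apply <module-dir>}
    for rc in cb.rc aws.rc; do
        if [ -f "$rc" ]; then
            . "./$rc"
        fi
    done
    map_cb_credentials || return 1
    if ! check_attestation_blocks "$module_dir"/*.tf; then
        if [ "${TOWER_ALLOW_UNATTESTED:-0}" != "1" ]; then
            echo "refusing to apply an unattested configuration (TOWER_ALLOW_UNATTESTED=1 overrides)" >&2
            return 1
        fi
    fi
    cli=$(pick_iac_cli) || return 1
    "$cli" -chdir="$module_dir" init && "$cli" -chdir="$module_dir" apply
}

# Run only when a module directory is given, e.g.: sh tower-apply.sh ./aws
if [ "$#" -gt 0 ]; then
    tower_apply "$1"
fi
```

Running it as `sh tower-apply.sh ./aws` from the directory holding cb.rc and aws.rc performs the whole sequence; sourcing the file instead makes the individual functions available, which is how check_attestation_blocks can also be run on its own in a CI job to flag configuration drift toward unattested cVMs.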
Collect the Attestation report
Log in to the Inspector dashboard with your CanaryBit credentials and download the full verification and audit report.