Cryptographic attestation for AWS Nitro Enclaves


AWS KMS supports cryptographic attestation for AWS Nitro Enclaves. Applications that support AWS Nitro Enclaves call the following AWS KMS cryptographic operations with a signed attestation document for the enclave. These AWS KMS APIs verify that the attestation document came from a Nitro enclave. Then, instead of returning plaintext data in the response, these APIs encrypt the plaintext with the public key from the attestation document and return ciphertext that can be decrypted only by the corresponding private key in the enclave.

The following table shows how the response to Nitro enclave requests differs from the standard response for each API operation.

| AWS KMS operation | Standard response | Response for AWS Nitro Enclaves |
|---|---|---|
| Decrypt | Returns plaintext data | Returns the plaintext data encrypted by the public key from the attestation document |
| DeriveSharedSecret | Returns raw shared secret | Returns the raw shared secret encrypted by the public key from the attestation document |
| GenerateDataKey | Returns a plaintext copy of the data key (also returns a copy of the data key encrypted by a KMS key) | Returns a copy of the data key encrypted by the public key from the attestation document (also returns a copy of the data key encrypted by a KMS key) |
| GenerateDataKeyPair | Returns a plaintext copy of the private key (also returns the public key and a copy of the private key encrypted by a KMS key) | Returns a copy of the private key encrypted by the public key from the attestation document (also returns the public key and a copy of the private key encrypted by a KMS key) |
| GenerateRandom | Returns a random byte string | Returns the random byte string encrypted by the public key from the attestation document |

AWS KMS supports policy condition keys that you can use to allow or deny enclave operations with an AWS KMS key based on the content of the attestation document. You can also monitor requests to AWS KMS for your Nitro enclave in your AWS CloudTrail logs.
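As an added example (not code from this page or from AWS), a KMS key policy statement that uses the attestation-based condition keys described above to allow Decrypt and GenerateDataKey only when the request carries an attestation document from one specific enclave image. The condition key names `kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR0` are the ones AWS provides for this purpose but are not named on this page; the account ID, role name and hash values are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyFromAttestedEnclaveImage-PLACEHOLDER-VALUES",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/EnclaveParentInstanceRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:ImageSha384": "<PLACEHOLDER-enclave-image-sha384>",
          "kms:RecipientAttestation:PCR0": "<PLACEHOLDER-expected-pcr0-value>"
        }
      }
    }
  ]
}
```

Because these condition keys are populated only from a verified attestation document, a call from the same role that carries no attestation document, or one from a different image, does not match this statement and is denied unless some other statement allows it.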

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.