CR · Jun 28, 2018

Securing the Storage Data Path with SGX Enclaves

arXiv:1806.10883v1 · 21 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses storage-system security by evaluating SGX enclaves, but it is incremental: it focuses on performance analysis of existing configurations.

The paper tackled the problem of securing storage data paths using SGX enclaves for data-at-rest encryption, finding that SGX can achieve high encryption/decryption throughput comparable to non-SGX setups but requires careful design for optimal performance.

We explore the use of SGX enclaves as a means to improve the security of handling keys and data in storage systems. We study two main configurations for SGX computations, as they apply to performing data-at-rest encryption in a storage system. The first configuration aims to protect the encryption keys used in the encryption process. The second configuration aims to protect both the encryption keys and the data, thus providing end-to-end security of the entire data path. Our main contribution is an evaluation of the viability of SGX for data-at-rest encryption from a performance perspective and an understanding of the details that go into using enclaves in a performance-sensitive environment. Our tests paint a complex picture: On the one hand, SGX can indeed achieve high encryption and decryption throughput, comparable to running without SGX. On the other hand, there are many subtleties to achieving such performance, and careful design choices and testing are required.
