Securing sensitive data in a container management system
US12417297B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Date | Value |
| --- | --- |
| Filing date | Jun 22, 2023 |
| Grant date | Sep 16, 2025 |
| Priority date | — |
| Expiry date | Dec 30, 2043 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F21/6245
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
An approach is provided for securing a secret for usage by an application utilizing a client to retrieve secrets. A request is sent from a client in a workload container within a trusted execution environment (TEE) to retrieve an encrypted secret from an application programming interface (API) server outside the TEE. The request is hooked and sent to the API server by a proxy or a secret proxy plugin within the TEE. The secret is received from the API server by the proxy or secret proxy plugin. An agent within the TEE is called to request a private key. The agent obtains the private key. The secret is decrypted by using the private key. The decrypted secret is returned to the client by the proxy or secret proxy plugin, which ensures that a plain text version of sensitive information in the decrypted secret is not accessible outside the TEE.
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.