First, create a new IAM policy that allows the KMS key we defined to be used only from inside the enclave. Open the "IAM -> Policies" page and click the "Create Policy" button to load the create-policy page. Next, select the "JSON" tab and paste the following JSON policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:GenerateRandom"
            ],
            "Resource": "arn:aws:kms:ap-northeast-2:580177110170:key/d457ce32-1226-420b-9e81-bc32c49fe2da"
        }
    ]
}
After creating the policy you should see a new policy like this:
For more information, please read the AWS docs.
Open the "IAM -> Roles" page and click the "Create role" button to create a new IAM role, then select the option box in the first step as shown:
In the second step, we suggest you enter "key" as the filter word and select both "AWSKeyManagementServicePowerUser" and the IAM policy we created before, like:
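Note that the identity policy above only scopes the role to one key; what actually restricts use to the enclave is a condition in the KMS key policy on an enclave attestation document. As an added example (not part of this tutorial or the TEA project's code), the following Python checks the tutorial's policy for wildcard resources or extra actions and shows the shape of such a key-policy statement, using the kms:RecipientAttestation:PCR0 condition key; the role name and PCR0 value are placeholders.

```python
import re

# The node role's IAM policy from the tutorial above (account id and key id as shown on the page).
NODE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"],
        "Resource": "arn:aws:kms:ap-northeast-2:580177110170:key/d457ce32-1226-420b-9e81-bc32c49fe2da",
    }],
}

# Constructed KMS key-policy statement: Decrypt is allowed only when the request carries an
# enclave attestation document whose PCR0 matches. Role name and PCR0 value are placeholders.
ENCLAVE_KEY_POLICY_STATEMENT = {
    "Sid": "AllowDecryptOnlyFromAttestedEnclave",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::580177110170:role/<node-role-name>"},
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEqualsIgnoreCase": {"kms:RecipientAttestation:PCR0": "<PCR0-of-enclave-image>"}},
}

KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
ALLOWED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def identity_policy_findings(policy):
    """Flag statements granting more than intended: non-key or wildcard resources, extra KMS actions."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no sid>")
        for res in _as_list(stmt["Resource"]):
            if not KEY_ARN_RE.match(res):
                findings.append(f"{sid}: resource is not a single KMS key ARN: {res}")
        for act in sorted(set(_as_list(stmt["Action"])) - ALLOWED_ACTIONS):
            findings.append(f"{sid}: unexpected action {act}")
    return findings

def decrypt_requires_attestation(stmt):
    """True if a key-policy statement granting kms:Decrypt is gated on kms:RecipientAttestation:*."""
    actions = _as_list(stmt["Action"])
    if "kms:Decrypt" not in actions and "kms:*" not in actions:
        return True  # statement does not grant Decrypt, so there is nothing to gate
    condition_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
    return any(k.startswith("kms:RecipientAttestation:") for k in condition_keys)
```

Run identity_policy_findings against the policy you paste and decrypt_requires_attestation against each Decrypt-granting statement of the key policy before attaching them.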
Finally, enter the new role name and remember it for future use.
Open the "EC2 -> Security Groups" page, choose a security group you want to modify (or create a new one), and add inbound rules as follows:
These inbound ports will be filtered after the node is started.
To ensure a successful instance launch, pay close attention to the following parts of the 'Launch an Instance' steps:
- Choose the "Amazon Linux" OS as shown below (DO NOT use the default "Amazon Linux 2023 AMI" option, and choose "64-bit (Arm)" as the architecture):
- Choose an instance type that supports Nitro Enclaves. We use "c6g.xlarge" here.
- Use the security group we updated (created) above:
- Increase the volume size from 8G to 200G:
- In the "Advanced details" tab, use the IAM role we created above:
- In the "Advanced details" tab, set "Nitro Enclave" to enabled.
After successfully launching the EC2 instance, you can access it and proceed with the next steps of the tutorial.
First, prepare the TEA node dependencies, which should take about 10 minutes.
Please note that the following preparations need only be completed once, before starting the node for the first time.
Run the following command to install or update to the new TEA software version:
bash -c "$(curl -H "Cache-Control: no-cache" -fsSL https://raw.githubusercontent.com/tearust/nitro-build/main/install.sh)"
Or use the following command to run it without prompting:
bash -c "$(curl -H "Cache-Control: no-cache" -fsSL https://raw.githubusercontent.com/tearust/nitro-build/main/install.sh)" "" "0x0000000000000000000000000000000000000000000000000000000000000000" "0xbd6D4f56b59e45ed25c52Eab7EFf2c626e083db9" "<your startup proof>"
Enter the working directory of the "nitro-build" folder, which was created automatically in the preparation step:
cd ~/nitro-build
Then simply run the following script to start the node, with parts both inside and outside the enclave:
./start.sh
or run the following command if you want to change settings when starting:
./start.sh "{YOUR_MACHINE_ID}" "{YOUR_MACHINE_OWNER}" "{STARTUP_PROOF}"
Note: replace the placeholders in the command above with your real machine_id, machine_owner and startup_proof.
e.g. ./start.sh "0x0000000000000000000000000000000000000000000000000000000000000000" "0xbd6D4f56b59e45ed25c52Eab7EFf2c626e083db9" "0x1234321"