Host Process — Outside SGX
LangGraph Agent
- Manages conversation state
- Routes prompts via TCP socket
- Verifies response signatures
- Writes audit log
Attestation Verifier
- Fetches DCAP quote on connect
- Checks MRENCLAVE matches
- Verifies report_data = SHA256(pubkey)
- Validates Intel CA chain
What host never sees
- API key (plaintext)
- Signing private key
- LLM call internals
- EPC memory contents
TCP localhost:7777 · JSON + length-prefix framing
SGX Enclave — Gramine LibOS
Key Bootstrap
- First run: reads ANTHROPIC_API_KEY env
- Seals to /sealed/ via hardware key
- Subsequent runs: loads from sealed storage
- No external secrets after bootstrap
LLM Call
- HTTPS to api.anthropic.com
- TLS originates inside SGX
- Host forwards ciphertext only
- certifi CA bundle in MRENCLAVE
DCAP Quote
- Generated at startup
- report_data = SHA256(signing_pubkey)
- Binds signing key to MRENCLAVE
- Signed by Intel PKI
Output signature: ECDSA-P256 · sign( SHA256( prompt ‖ result ‖ timestamp ‖ MRENCLAVE ) )
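Added example, not code from the original design: the two host-side checks the diagram describes, the Attestation Verifier's report_data = SHA256(pubkey) binding to MRENCLAVE and the check of the ECDSA-P256 output signature, written in Go with only the standard library. The DER (SPKI) public-key encoding, the zero-padded report_data tail and the length-prefixed field encoding inside the digest are assumptions; the enclave-side signing helpers stand in for the sealed key only so the round trip can be run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// VerifyBinding takes the MRENCLAVE and 64-byte report_data parsed out of a DCAP quote (QE signature,
// PCK chain and TCB are the separate Intel CA-chain step) and accepts the signing key only if the
// quote is from the expected build and its report_data is SHA256(pubkey) followed by 32 zero bytes.
func VerifyBinding(mrenclave, expectedMR [32]byte, reportData [64]byte, pub *ecdsa.PublicKey) error {
	if mrenclave != expectedMR {
		return errors.New("MRENCLAVE mismatch: not the expected enclave build")
	}
	der, _ := x509.MarshalPKIXPublicKey(pub) // assumption: the enclave hashes the DER (SPKI) public key
	h := sha256.Sum256(der)
	if !bytes.Equal(reportData[:32], h[:]) || !bytes.Equal(reportData[32:], make([]byte, 32)) {
		return errors.New("report_data does not bind this signing key")
	}
	return nil
}

// OutputDigest rebuilds SHA256(prompt ‖ result ‖ timestamp ‖ MRENCLAVE). Bare concatenation is
// ambiguous ("ab"‖"c" == "a"‖"bc"), so each string gets a 4-byte length prefix (an assumption).
func OutputDigest(prompt, result, ts string, mr [32]byte) []byte {
	var buf bytes.Buffer
	for _, f := range []string{prompt, result, ts} {
		binary.Write(&buf, binary.BigEndian, uint32(len(f)))
		buf.WriteString(f)
	}
	buf.Write(mr[:])
	h := sha256.Sum256(buf.Bytes())
	return h[:]
}
// VerifyOutput is the host-side check on one response; false means the result must be discarded.
func VerifyOutput(pub *ecdsa.PublicKey, prompt, result, ts string, mr [32]byte, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, OutputDigest(prompt, result, ts, mr), sig)
}
// Enclave-side counterparts, here only to close the round trip (the real key stays sealed in the enclave).
func NewSigningKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func SignOutput(k *ecdsa.PrivateKey, prompt, result, ts string, mr [32]byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k, OutputDigest(prompt, result, ts, mr))
}
```

Because MRENCLAVE is part of the digest, a signature produced by a different enclave build fails verification even when the same key is presented.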
/sealed mount · type=encrypted · key_name=_sgx_mrenclave
Sealed Storage — Hardware-Encrypted
🔑 anthropic_api_key
Anthropic API key. Encrypted at rest. Decrypted only inside this enclave on this CPU.
🔑 signing_key
ECDSA-P256 private key. Persistent across restarts. Never exported from EPC memory.
Decryption key = KDF( MRENCLAVE, CPU hardware fuse secret ) · Unreadable on any other machine or enclave build
DCAP · Azure THIM · global.acccache.azure.net
Intel SGX PKI — Remote Attestation
PCK Certificate
CPU-specific cert issued by Intel, identifies physical SGX hardware
TCB Info + QE Identity
Verifies microcode version and Quoting Enclave authenticity
Root CA Chain
Intel SGX Root CA → Platform CA → PCK cert · Full chain verified