| Abstract [eng] |
The aim of this work is to improve the architecture, based on the existing method, using physical security modules and the secure environment provided by the confidential computing. This master's thesis examines physical security modules, their operations and purposes, data deletion methods and the operation of confidential computing and the security benefits provided. During the research, a new architecture was designed and implemented using the services provided by the „Microsoft Azure” cloud provider. The proposed improved method uses the secure execution environment provided by the „AMD SEV-SNP” processor functionality. This method ensures secure data deletion from the cloud file storage using a „HSM” module-based key manager. Also, a zeroknowledge proof method is used to verify the secure environment and the key generation actions of the „HSM” module. In the experimentation part, the speed of the method was tested. Also, individual operation comparison was made in various environments in order to observe the performance overhead: • In a secure execution environment • In a simple execution environment The advantages and disadvantages of the architectures of the „FADE" method and the proposed method were also compared. The results of the study showed that the proposed method works faster, and also allows ease of use of existing cloud service integrations. Additionally, it was observed that the secure execution environment has a negative impact on the speed of the proposed method, but it is unnoticable to the user. Although the proposed method requires expensive infrastructure resources (HSM-based key manager), it could be used by large enterprises due to the advantages of the proposed architecture. |
