# Decrypt datasets

Here is where **attestation** takes place. We need the key to decrypt the datasets, but it is stored in a remote attester (Trustee), and it will be provided to us only if **attestation** is successful, meaning the software & hardware of the CVM have not been tampered with.

By doing this we ensure that the CVM is **safe** and having the right hardware and software running prevents any attacker from fetching the transactions while they are being read by the model (**data in use** security). This is possible because the hardware inside the CVM makes sure that all data being loaded in the memory is encrypted, so that if an attacker tries to do a physical/virtual memory dump, the output will only be encrypted/zeroed blobs of memory.

This is what **Confidential Computing** is about: securing data in use.

Let's start by fetching the required key:

In [None]:
%%bash

TRUSTEE_KEY_LOCATION=./tee_key.pem
openssl genrsa -traditional -out $TRUSTEE_KEY_LOCATION 2048

TRUSTEE_IP=10.0.0.4
TRUESTEE_KEY_PATH=default/fraud-detection/data_key

OUT_FOLDER=./keys # path where the downloaded key and attestation token will be stored

mkdir -p $OUT_FOLDER

sudo podman run -it \
  --privileged \
  --device /dev/tpm0 \
  -v $OUT_FOLDER:/keys \
  -v $TRUSTEE_KEY_LOCATION:/tee-key.pem \
  -v /dev/log:/dev/log \
  --rm \
  quay.io/confidential-containers/kbs-client:v0.3.0 \
  kbs-client --url http://$TRUSTEE_IP:8080 attest --tee-key-file tee-key.pem > keys/attestation_token

sudo podman run -it \
  --privileged \
  --device /dev/tpm0 \
  -v $OUT_FOLDER:/keys \
  -v $TRUSTEE_KEY_LOCATION:/tee-key.pem \
  -v /dev/log:/dev/log \
  --rm \
  quay.io/confidential-containers/kbs-client:v0.3.0 \
  kbs-client --url http://$TRUSTEE_IP:8080 get-resource --attestation-token keys/attestation_token --tee-key-file tee-key.pem --path $TRUESTEE_KEY_PATH | base64 --decode > keys/key.bin

ls $OUT_FOLDER

Since we got a key in `$OUT_FOLDER/key.bin`, let's now decrypt the models!

In [None]:
%%bash

KEY_FILE=keys/key.bin
DATASET_SRC=downloaded_datasets
DATASET_DEST=datasets_dec

mkdir -p $DATASET_DEST
rm -rf $DATASET_DEST/*

for file in $DATASET_SRC/*; do
    fname=$(basename $file)
    fname=${fname%.enc}
    openssl enc -d -aes-256-cfb -pbkdf2 -kfile $KEY_FILE -in $file -out $DATASET_DEST/$fname
    echo "Decrypted" $DATASET_DEST/$fname":"
    head $DATASET_DEST/$fname
    echo ""
done

ls $DATASET_DEST

Get rid of the key, since we don't need it anymore. The key is anyways stored in an attested CVM (so no intruder can enter), and stored in an encrypted disk.

In [None]:
! rm -rf keys/*