Quickstart

This quickstart will give you a flavor of using MC2 with Opaque SQL, and can be done entirely locally with Docker if desired. You will use MC2 Client to encrypt some data, transfer the encrypted data to a remote machine, run an Opaque SQL job on the encrypted data on the remote machine, and retrieve and decrypt the job’s encrypted results. To run everything securely, you can choose to spin up Opaque SQL on Azure VMs with SGX support. Alternatively, to get a flavor of MC2 without having to use Azure, you can use the deployment of Opaque SQL in the Docker container.

MC2 Client provides a command line interface that enables you to remotely interact with MC2 compute services. The CLI relies on a configuration file that you should modify before each step in this quickstart to tell MC2 Client what exactly you want to do.

Docker Quickstart

If you’d like to try everything out locally, you can do so within the Docker container you built in the installation section.

  1. Decide whether you want to run Spark (Scala) or PySpark (Python). The former is the default, while the latter will require two modifications to /mc2/client/quickstart/config.yaml:

Change run --> script to point to the Python file.

run:
    script: ${MC2_CLIENT_HOME}/demo/single-party/opaquesql/opaque_sql_demo.py

Change start --> head to include instructions on starting the PySpark listener. For a local listener, this will be:

start:
    head:
      - cd /home/mc2/opaque-sql; build/sbt assembly
      - cd /home/mc2/opaque-sql; spark-submit --master local[1] --jars ${MC2_HOME}/target/scala-2.12/opaque-assembly-0.1.jar --py-files ${MC2_HOME}/target/python.zip ${MC2_HOME}/target/python/listener.py
  1. In the container, copy the contents of the quickstart directory to your mounted playground directory to ensure that your changes inside the container get reflected on your host. Then, specify the path to your configuration file.

# From the /mc2/client directory
cp -r quickstart/* playground
mc2 configure $(pwd)/playground/config.yaml
  1. Generate a keypair and a symmetric key that MC2 Client will use to encrypt your data. Specify your username and output paths in the user section of the configuration file. Then, generate the keys.

mc2 init
  1. Start the Opaque SQL compute service.

mc2 start
  1. Prepare your data for computation by encrypting and uploading it. Note that “uploading” here means copying because we have a local deployment.

mc2 upload
  1. Run the provided Opaque SQL quickstart script, to be executed by MC2. The Scala script can be found here, while Python is found here.

mc2 run
  1. Once computation has finished, you can retrieve your encrypted results and decrypt them. Specify the results’ path and their encryption format in the download section of the configuration file. The decrypted results will be in the same directory.

mc2 download
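
Because "uploading" in the local deployment is a plain copy, the encrypted file can be inspected directly after `mc2 init` and `mc2 upload`. The shell functions below are an added example, not part of MC2 or its documentation: they check that key files are not accessible to group or others and that no data value from the plaintext CSV appears verbatim in the encrypted copy. The function names, the caller-supplied paths and the 6-character token threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks to run after `mc2 init` and `mc2 upload`.
# Function names, the caller-supplied paths and the 6-character token
# threshold are assumptions of this example, not part of MC2.

# key_is_private FILE
# Returns 0 only when FILE exists and grants no permission bits to
# group or others (characters 5-10 of the `ls -l` mode string).
key_is_private() {
    kp_perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$kp_perms" = "------" ]
}

# no_plaintext_leak PLAIN_CSV ENCRYPTED_FILE [MIN_LEN]
# Returns 0 when no data field of PLAIN_CSV that is at least MIN_LEN
# characters long occurs as a byte string inside ENCRYPTED_FILE,
# 1 when one does, 2 when there was nothing usable to compare.
no_plaintext_leak() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    npl_min=${3:-6}
    npl_tokens=$(mktemp) || return 2
    # Skip the header row, split rows into fields, and drop short fields
    # (they would match random ciphertext bytes by chance).
    tail -n +2 "$1" | tr -d '\r' | tr ',' '\n' |
        awk -v n="$npl_min" 'length($0) >= n' | sort -u > "$npl_tokens"
    if [ ! -s "$npl_tokens" ]; then
        rm -f "$npl_tokens"
        return 2
    fi
    # -a: search binary content as text; -F -f: fixed strings, one per line.
    if grep -a -q -F -f "$npl_tokens" "$2"; then
        npl_rc=1
    else
        npl_rc=0
    fi
    rm -f "$npl_tokens"
    return "$npl_rc"
}

# Direct use: sh check.sh PLAIN_CSV ENCRYPTED_FILE KEY_FILE...
if [ "$#" -ge 3 ]; then
    plain=$1; enc=$2; shift 2
    no_plaintext_leak "$plain" "$enc" || echo "check failed for $enc" >&2
    for key in "$@"; do
        key_is_private "$key" || echo "$key is accessible to group/others" >&2
    done
fi
```

A clean result only shows that no field value is stored verbatim; it says nothing about how the file was encrypted.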

Azure Quickstart

You can also choose to run this quickstart with enclave-enabled VMs on the cloud with Azure Confidential Computing. This guide will take you through launching such VMs and using them with MC2.

  1. Decide whether you want to run Spark (Scala) or PySpark (Python). The former is the default, while the latter will require two modifications to /mc2/client/quickstart/config.yaml:

Change run --> script to point to the Python file.

run:
    script: ${MC2_CLIENT_HOME}/quickstart/opaque_sql_demo.py

Change start --> head to include instructions on starting the PySpark listener. For a local listener, this will be:

start:
    head:
      - cd /home/mc2/opaque-sql; build/sbt assembly
      - cd /home/mc2/opaque-sql; spark-submit --master local[1] --jars ${MC2_HOME}/target/scala-2.12/opaque-assembly-0.1.jar --py-files ${MC2_HOME}/target/python.zip ${MC2_HOME}/target/python/listener.py
  1. In the container, copy the contents of the quickstart directory to your mounted playground directory to ensure that your changes inside the container get reflected on your host. Then, set the path to your configuration file.

# From the /mc2/client directory
cp -r quickstart/* playground
mc2 configure $(pwd)/playground/config.yaml
  1. Generate a keypair and a symmetric key that MC2 Client will use to encrypt your data. Specify your username and output paths in the user section of the configuration file. Then, generate the keys.

mc2 init
  1. Next, launch the machines and resources you’ll be using for computation. MC2 Client provides an interface to launch resources on Azure (and sets up the machines with necessary dependencies). Take a look at the launch section of the configuration file – you’ll need to specify the path to your Azure configuration file, which is a YAML file that details the names and types of various resources you will launch.

Next, log in to Azure through the command line and set your subscription ID. Here are instructions on how to find your subscription ID.

az login
az account set -s <YOUR_SUBSCRIPTION_ID>

Once you’ve done that, launch the resources.

mc2 launch
  1. Start the Opaque SQL compute service.

mc2 start
  1. Prepare your data for computation by encrypting and uploading it.

mc2 upload
  1. Run the provided Opaque SQL demo script, to be executed by MC2. The Scala script can be found here, while Python is found here. Both perform a filter operation over our data – the results will contain records of all patients who are younger than 30 years old. Results are encrypted by MC2 before being saved, and can only be decrypted with the key you used to encrypt your data in the previous step.

mc2 run
  1. Once computation has finished, you can retrieve your encrypted results and decrypt them.

mc2 download
  1. Once you’ve finished using your Azure resources, you can use MC2 Client to terminate them. You can specify which resources to terminate in the teardown section of the configuration.

mc2 teardown