OpenShift Request For Enhancement
RFE-8226

Hybrid Cloud Attestation Platform with Hierarchical Trust and Trustee-in-Enclave Deployment


    • Feature Request
    • Resolution: Unresolved
    • Sandboxed Containers
    • Product / Portfolio Work

      What is the nature and description of the request?

      Enable complex Trustee deployment topologies spanning on-premises and cloud environments through a hierarchical trust architecture and trustee-in-enclave capabilities. The request includes CLI-based orchestration tooling (trustee-cli) for secure bootstrap coordination across environment boundaries, sealed secret mechanisms for distributing sensitive configuration to Trustee instances deployed in cloud enclaves, trust endorsement workflows in which primary Trustee instances validate and vouch for intermediate instances, and multi-cloud integration supporting consistent security policies across Azure, AWS, and GCP environments. The CLI foundation (Epic TRUSTEE-15) provides the essential tooling for local Trustee execution, key generation, and bootstrap automation that the broader hierarchical deployment scenarios build on.

      Why does the customer need this? (Business requirements)

      Digital sovereignty: Organizations need on-premises control over trust decisions while leveraging cloud confidential computing capabilities

      Hybrid cloud flexibility: Support deployment topologies spanning trusted on-premises and untrusted cloud environments with CLI-based orchestration for secure bootstrap

      Risk mitigation: Reduce cloud provider lock-in while maintaining confidential computing security guarantees through hierarchical trust models

      Geographic distribution: Global organizations need distributed attestation infrastructure with centralized trust management coordinated via CLI automation

      Service provider scenarios: Cloud providers want to offer Trustee services while customers retain trust anchor control through hierarchical deployment patterns

      Scalable attestation: Distributed architecture reduces dependency on single attestation endpoints while maintaining secure bootstrap via CLI orchestration

      Affected packages or components

      • trustee-cli: Hierarchical deployment orchestration and bootstrap automation (Epic TRUSTEE-15 implementation)
      • kbs: Cross-environment attestation coordination, trust endorsement validation
      • attestation-service: TEE evidence validation for hierarchical trust establishment
      • trustee-operator: Enhanced deployment patterns for enclave and hierarchical scenarios
      • Sealed secrets: Secure configuration distribution mechanisms
      • Cloud provider integrations: Azure Key Vault, AWS KMS, GCP Secret Manager
      • PKCS11 plugins: Hardware security module support for intermediate instances

      Technical implementation details

      CLI-Based Bootstrap Orchestration: trustee-cli provides commands for local Trustee execution, key generation, sealed secret creation, and trust endorsement coordination between primary and intermediate instances

      Hierarchical Trust Architecture: Primary Trustee (on-premises) validates TEE evidence from intermediate instances (cloud enclaves) and issues operational credentials via CLI-managed sealed secrets

      Cross-Environment Coordination: CLI orchestrates trust establishment across network boundaries with support for Azure, AWS, GCP deployment patterns and cloud-specific key management integration

      Secure Configuration Distribution: Sealed secret mechanisms enable secure bootstrap material sharing from trusted environments to cloud-deployed Trustee instances

      Reference: Hierarchical Trustee deployment guide 
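      The hierarchical flow described in the implementation details above, modelled in Go as an added example (not code from this RFE or from the Trustee project): the intermediate generates an X25519 key inside its enclave and binds the key's hash into the report data of its evidence; the primary checks the measurement against its policy and the key binding, signs an endorsement with its Ed25519 key, and seals the bootstrap secret to the attested key (ephemeral X25519 plus AES-256-GCM) so that only that enclave can unseal it. The Evidence and Endorsement layouts, the sealed-blob format and the names Primary, Intermediate, Endorse, seal and Unseal are assumptions made for this example. A real Trustee attestation-service also validates the platform signature over an SNP or TDX report; this model omits that step and keeps only the policy and key-binding checks that the hierarchy adds.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Evidence stands in for a TEE report (platform signature omitted; an assumption for this
// example, not Trustee's format): the launch measurement plus report data holding SHA-256
// of the enclave's X25519 public key, which is how the key gets bound to the measured code.
type Evidence struct{ Measurement, ReportData []byte }

// Endorsement is the primary's signed statement binding a key to an approved measurement.
type Endorsement struct{ IntermediatePub, Measurement, Sig []byte }

// Primary is the on-premises trust anchor; Intermediate is a Trustee in a cloud enclave
// whose X25519 key is generated inside the enclave and never exported.
type Primary struct {
	SignKey  ed25519.PrivateKey
	Approved map[string]bool // string(measurement) -> accepted by the primary's policy
}
type Intermediate struct{ Key *ecdh.PrivateKey }

// Evidence models the enclave asking its platform for a report whose report data is the
// hash of its public key; the measurement itself is reported by the platform, not chosen here.
func (i *Intermediate) Evidence(measurement []byte) Evidence {
	h := sha256.Sum256(i.Key.PublicKey().Bytes())
	return Evidence{Measurement: measurement, ReportData: h[:]}
}

// Endorse applies policy, signs an endorsement and seals the bootstrap secret to the attested key.
func (p *Primary) Endorse(ev Evidence, pub, secret []byte) (Endorsement, []byte, error) {
	if !p.Approved[string(ev.Measurement)] {
		return Endorsement{}, nil, errors.New("measurement not approved by primary policy")
	}
	if h := sha256.Sum256(pub); !bytes.Equal(h[:], ev.ReportData) {
		return Endorsement{}, nil, errors.New("public key is not bound to the evidence")
	}
	sealed, err := seal(pub, secret) // reached only after both policy checks pass
	if err != nil {
		return Endorsement{}, nil, err
	}
	sig := ed25519.Sign(p.SignKey, append(append([]byte{}, pub...), ev.Measurement...))
	return Endorsement{IntermediatePub: pub, Measurement: ev.Measurement, Sig: sig}, sealed, nil
}

// VerifyEndorsement is run by a workload, or a lower tier, that trusts only the primary's key.
func VerifyEndorsement(primaryPub ed25519.PublicKey, e Endorsement) bool {
	return ed25519.Verify(primaryPub, append(append([]byte{}, e.IntermediatePub...), e.Measurement...), e.Sig)
}

// aeadFor derives AES-256-GCM from X25519(priv, peer). Plain SHA-256 stands in for HKDF
// to keep the example short; a deployment would derive the key with context binding.
func aeadFor(priv *ecdh.PrivateKey, peer []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub) // rejects low-order peer points
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	return cipher.NewGCM(block)
}

// seal encrypts to pub under a fresh ephemeral key; output is ephPub || nonce || ciphertext.
// crypto/rand.Reader does not fail on supported platforms, so its errors are not checked.
func seal(pub, plaintext []byte) ([]byte, error) {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	aead, err := aeadFor(eph, pub)
	if err != nil {
		return nil, err
	}
	ephPub, nonce := eph.PublicKey().Bytes(), make([]byte, 12)
	rand.Read(nonce)
	return aead.Seal(append(append([]byte{}, ephPub...), nonce...), nonce, plaintext, ephPub), nil
}

// Unseal runs inside the enclave; only the attested private key recovers the material.
func (i *Intermediate) Unseal(sealed []byte) ([]byte, error) {
	if len(sealed) < 44 {
		return nil, errors.New("sealed blob too short")
	}
	aead, err := aeadFor(i.Key, sealed[:32])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, sealed[32:44], sealed[44:], sealed[:32])
}
```

      To drive the flow, build a Primary with an allowlist of approved measurements and an Ed25519 signing key, build an Intermediate with an X25519 key, call Endorse with the intermediate's evidence and public key, then have the intermediate Unseal the returned blob. A policy failure returns before anything is sealed, and approved evidence replayed with a different public key fails the report-data check; that binding is what stops a party outside the enclave from obtaining a secret sealed to an approved measurement.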

              jfreiman Jens Freimann