What is best practice cryptography when it comes to this scenario?
Lets say we have an application WebApp where users input confidential data to be sent to Acme Inc's secure enclave (AWS Nitro in this case) for processing, and the results of this processing are sent back to the WebApp for display.
What would be the best cryptographic setup for this instance, assuming the payload is larger than 1 MiB, and a zero knowledge architecture is preferred?
From my research it seems like it would have to be hybrid encryption, where a key exchange using long life X25519 keys is performed, and the data is encrypted with a temporary, session long AES-GCM symmetric key.
That is:
The clients browser would generate and store the private key locally, perhaps encrypted once more with an additional symmetric key that the user chooses, and send their public key to Acme's AWS KMS service.
The application would generate the private key inside a secure enclave and send the public key to the users WebApp for encryption of the symmetric key.
Does this sound at all like i'm on the right track? Any help at all is greatly appreciated!
