...

App Instance configuration will carry this information  - Whether the App is protected by End-to-End Security, and if yes, what is the Vault to associate this App Instance with.  Zedmanager will consume this configuration, and co-ordinate between Vault manager and Domain Manager to make sure the required Vault is ready before launch of the User Application.

Providing Security By Default

While the interface described provides way for a user to create and manage his own “Local File Stores”, and configure policies for it (like storage limit,  encryption enablement, key rotation frequency) and associate them with his ECO Images (e.g. ECO 1 to use Local File Store A, ECO 2 and 3 to use Local File Store B etc),  what might be easier for the user is to have some Vaults created by default by EVE, and thus user might need to do nothing to secure his ECO instances, and it is enabled by default for a user who does not know/care/want to control Vaults at a much granular level. 

Therefore it is proposed that, we create a couple of Vaults by default: 

...

a) A Vault to store EVE device configuration (for EVE host OS consumption) - let's call it Config Vault - to store sensitive parts of EVE device configuration (e.g. S3 credentials)

...

b) A Vault to store ECO related files (for ECO consumption) - let’s call it Image Vault - to store and launch ECO images 

Even though these vaults are created by default, a User (if he wants) can change the policies associated with these Vaults, through the interface specified in this proposal, like he would do for any user-created Vaults.

Attestation Challenge by EVC 

...