diff --git a/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.pb.go b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.pb.go
new file mode 100644
index 000000000..766702279
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.pb.go
@@ -0,0 +1,527 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        v3.11.4
+// source: cdhgrpc.proto
+
+package cdhgrpc
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type UnsealSecretInput struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The input `secret“ is in the following format
+	// `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
+	Secret []byte `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
+}
+
+func (x *UnsealSecretInput) Reset() {
+	*x = UnsealSecretInput{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UnsealSecretInput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UnsealSecretInput) ProtoMessage() {}
+
+func (x *UnsealSecretInput) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UnsealSecretInput.ProtoReflect.Descriptor instead.
+func (*UnsealSecretInput) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *UnsealSecretInput) GetSecret() []byte {
+	if x != nil {
+		return x.Secret
+	}
+	return nil
+}
+
+type UnsealSecretOutput struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
+}
+
+func (x *UnsealSecretOutput) Reset() {
+	*x = UnsealSecretOutput{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UnsealSecretOutput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UnsealSecretOutput) ProtoMessage() {}
+
+func (x *UnsealSecretOutput) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UnsealSecretOutput.ProtoReflect.Descriptor instead.
+func (*UnsealSecretOutput) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *UnsealSecretOutput) GetPlaintext() []byte {
+	if x != nil {
+		return x.Plaintext
+	}
+	return nil
+}
+
+type GetResourceRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ResourcePath string `protobuf:"bytes,1,opt,name=ResourcePath,proto3" json:"ResourcePath,omitempty"`
+}
+
+func (x *GetResourceRequest) Reset() {
+	*x = GetResourceRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetResourceRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetResourceRequest) ProtoMessage() {}
+
+func (x *GetResourceRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetResourceRequest.ProtoReflect.Descriptor instead.
+func (*GetResourceRequest) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GetResourceRequest) GetResourcePath() string {
+	if x != nil {
+		return x.ResourcePath
+	}
+	return ""
+}
+
+type GetResourceResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Resource []byte `protobuf:"bytes,1,opt,name=Resource,proto3" json:"Resource,omitempty"`
+}
+
+func (x *GetResourceResponse) Reset() {
+	*x = GetResourceResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetResourceResponse) ProtoMessage() {}
+
+func (x *GetResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetResourceResponse.ProtoReflect.Descriptor instead.
+func (*GetResourceResponse) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GetResourceResponse) GetResource() []byte {
+	if x != nil {
+		return x.Resource
+	}
+	return nil
+}
+
+type SecureMountRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	VolumeType string            `protobuf:"bytes,1,opt,name=volume_type,json=volumeType,proto3" json:"volume_type,omitempty"`
+	Options    map[string]string `protobuf:"bytes,2,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Flags      []string          `protobuf:"bytes,3,rep,name=flags,proto3" json:"flags,omitempty"`
+	MountPoint string            `protobuf:"bytes,4,opt,name=mount_point,json=mountPoint,proto3" json:"mount_point,omitempty"`
+}
+
+func (x *SecureMountRequest) Reset() {
+	*x = SecureMountRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecureMountRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecureMountRequest) ProtoMessage() {}
+
+func (x *SecureMountRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecureMountRequest.ProtoReflect.Descriptor instead.
+func (*SecureMountRequest) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SecureMountRequest) GetVolumeType() string {
+	if x != nil {
+		return x.VolumeType
+	}
+	return ""
+}
+
+func (x *SecureMountRequest) GetOptions() map[string]string {
+	if x != nil {
+		return x.Options
+	}
+	return nil
+}
+
+func (x *SecureMountRequest) GetFlags() []string {
+	if x != nil {
+		return x.Flags
+	}
+	return nil
+}
+
+func (x *SecureMountRequest) GetMountPoint() string {
+	if x != nil {
+		return x.MountPoint
+	}
+	return ""
+}
+
+type SecureMountResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MountPath string `protobuf:"bytes,1,opt,name=mount_path,json=mountPath,proto3" json:"mount_path,omitempty"`
+}
+
+func (x *SecureMountResponse) Reset() {
+	*x = SecureMountResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhgrpc_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecureMountResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecureMountResponse) ProtoMessage() {}
+
+func (x *SecureMountResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhgrpc_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecureMountResponse.ProtoReflect.Descriptor instead.
+func (*SecureMountResponse) Descriptor() ([]byte, []int) {
+	return file_cdhgrpc_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *SecureMountResponse) GetMountPath() string {
+	if x != nil {
+		return x.MountPath
+	}
+	return ""
+}
+
+var File_cdhgrpc_proto protoreflect.FileDescriptor
+
+var file_cdhgrpc_proto_rawDesc = []byte{
+	0x0a, 0x0d, 0x63, 0x64, 0x68, 0x67, 0x72, 0x70, 0x63, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
+	0x03, 0x61, 0x70, 0x69, 0x22, 0x2b, 0x0a, 0x11, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x22, 0x32, 0x0a, 0x12, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e,
+	0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69,
+	0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x38, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x52,
+	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x0c, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68, 0x22,
+	0x31, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x22, 0xe8, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75,
+	0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x76, 0x6f, 0x6c,
+	0x75, 0x6d, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a,
+	0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x3e, 0x0a, 0x07, 0x6f, 0x70,
+	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x61, 0x70,
+	0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x2e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x66, 0x6c,
+	0x61, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x66, 0x6c, 0x61, 0x67, 0x73,
+	0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x6f, 0x69, 0x6e,
+	0x74, 0x1a, 0x3a, 0x0a, 0x0c, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x34, 0x0a,
+	0x13, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x70, 0x61,
+	0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x50,
+	0x61, 0x74, 0x68, 0x32, 0x58, 0x0a, 0x13, 0x53, 0x65, 0x61, 0x6c, 0x65, 0x64, 0x53, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x55, 0x6e,
+	0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x2e, 0x61, 0x70, 0x69,
+	0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x49, 0x6e, 0x70,
+	0x75, 0x74, 0x1a, 0x17, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x22, 0x00, 0x32, 0x58, 0x0a,
+	0x12, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x53, 0x65, 0x72, 0x76,
+	0x69, 0x63, 0x65, 0x12, 0x42, 0x0a, 0x0b, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72,
+	0x63, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x61, 0x70,
+	0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x32, 0x58, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x75, 0x72,
+	0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x42, 0x0a,
+	0x0b, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x17, 0x2e, 0x61,
+	0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75,
+	0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x00, 0x42, 0x69, 0x5a, 0x67, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x2d, 0x63, 0x6f, 0x6e,
+	0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x75, 0x65, 0x73, 0x74, 0x2d, 0x63, 0x6f,
+	0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x61, 0x6c, 0x2d, 0x64, 0x61, 0x74, 0x61, 0x2d, 0x68, 0x75, 0x62, 0x2f, 0x67,
+	0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x2f, 0x63, 0x64, 0x68,
+	0x67, 0x72, 0x70, 0x63, 0x3b, 0x63, 0x64, 0x68, 0x67, 0x72, 0x70, 0x63, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_cdhgrpc_proto_rawDescOnce sync.Once
+	file_cdhgrpc_proto_rawDescData = file_cdhgrpc_proto_rawDesc
+)
+
+func file_cdhgrpc_proto_rawDescGZIP() []byte {
+	file_cdhgrpc_proto_rawDescOnce.Do(func() {
+		file_cdhgrpc_proto_rawDescData = protoimpl.X.CompressGZIP(file_cdhgrpc_proto_rawDescData)
+	})
+	return file_cdhgrpc_proto_rawDescData
+}
+
+var file_cdhgrpc_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_cdhgrpc_proto_goTypes = []interface{}{
+	(*UnsealSecretInput)(nil),   // 0: api.UnsealSecretInput
+	(*UnsealSecretOutput)(nil),  // 1: api.UnsealSecretOutput
+	(*GetResourceRequest)(nil),  // 2: api.GetResourceRequest
+	(*GetResourceResponse)(nil), // 3: api.GetResourceResponse
+	(*SecureMountRequest)(nil),  // 4: api.SecureMountRequest
+	(*SecureMountResponse)(nil), // 5: api.SecureMountResponse
+	nil,                         // 6: api.SecureMountRequest.OptionsEntry
+}
+var file_cdhgrpc_proto_depIdxs = []int32{
+	6, // 0: api.SecureMountRequest.options:type_name -> api.SecureMountRequest.OptionsEntry
+	0, // 1: api.SealedSecretService.UnsealSecret:input_type -> api.UnsealSecretInput
+	2, // 2: api.GetResourceService.GetResource:input_type -> api.GetResourceRequest
+	4, // 3: api.SecureMountService.SecureMount:input_type -> api.SecureMountRequest
+	1, // 4: api.SealedSecretService.UnsealSecret:output_type -> api.UnsealSecretOutput
+	3, // 5: api.GetResourceService.GetResource:output_type -> api.GetResourceResponse
+	5, // 6: api.SecureMountService.SecureMount:output_type -> api.SecureMountResponse
+	4, // [4:7] is the sub-list for method output_type
+	1, // [1:4] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_cdhgrpc_proto_init() }
+func file_cdhgrpc_proto_init() {
+	if File_cdhgrpc_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_cdhgrpc_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UnsealSecretInput); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhgrpc_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UnsealSecretOutput); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhgrpc_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetResourceRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhgrpc_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetResourceResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhgrpc_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecureMountRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhgrpc_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecureMountResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_cdhgrpc_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   3,
+		},
+		GoTypes:           file_cdhgrpc_proto_goTypes,
+		DependencyIndexes: file_cdhgrpc_proto_depIdxs,
+		MessageInfos:      file_cdhgrpc_proto_msgTypes,
+	}.Build()
+	File_cdhgrpc_proto = out.File
+	file_cdhgrpc_proto_rawDesc = nil
+	file_cdhgrpc_proto_goTypes = nil
+	file_cdhgrpc_proto_depIdxs = nil
+}
diff --git a/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.proto b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.proto
new file mode 100644
index 000000000..2e1d33ddb
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc.proto
@@ -0,0 +1,46 @@
+syntax = "proto3";
+
+package api;
+
+option go_package = "github.com/confidential-containers/guest-components/confidential-data-hub/golang/protos/cdhgrpc;cdhgrpc";
+
+message UnsealSecretInput {
+    // The input `secret`` is in the following format
+    // `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
+    bytes secret = 1;
+}
+
+message UnsealSecretOutput {
+    bytes plaintext = 1;
+}
+
+message GetResourceRequest {
+    string ResourcePath = 1;
+}
+
+message GetResourceResponse {
+    bytes Resource = 1;
+}
+
+message SecureMountRequest {
+    string volume_type = 1;
+    map<string, string> options = 2;
+    repeated string flags = 3;
+    string mount_point = 4;
+}
+
+message SecureMountResponse {
+    string mount_path = 1;
+}
+
+service SealedSecretService {
+    rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
+}
+
+service GetResourceService {
+    rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
+}
+
+service SecureMountService {
+    rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}
diff --git a/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc_grpc.pb.go b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc_grpc.pb.go
new file mode 100644
index 000000000..f12bc94cf
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhgrpc/cdhgrpc_grpc.pb.go
@@ -0,0 +1,289 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v3.11.4
+// source: cdhgrpc.proto
+
+package cdhgrpc
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+	SealedSecretService_UnsealSecret_FullMethodName = "/api.SealedSecretService/UnsealSecret"
+)
+
+// SealedSecretServiceClient is the client API for SealedSecretService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type SealedSecretServiceClient interface {
+	UnsealSecret(ctx context.Context, in *UnsealSecretInput, opts ...grpc.CallOption) (*UnsealSecretOutput, error)
+}
+
+type sealedSecretServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSealedSecretServiceClient(cc grpc.ClientConnInterface) SealedSecretServiceClient {
+	return &sealedSecretServiceClient{cc}
+}
+
+func (c *sealedSecretServiceClient) UnsealSecret(ctx context.Context, in *UnsealSecretInput, opts ...grpc.CallOption) (*UnsealSecretOutput, error) {
+	out := new(UnsealSecretOutput)
+	err := c.cc.Invoke(ctx, SealedSecretService_UnsealSecret_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SealedSecretServiceServer is the server API for SealedSecretService service.
+// All implementations must embed UnimplementedSealedSecretServiceServer
+// for forward compatibility
+type SealedSecretServiceServer interface {
+	UnsealSecret(context.Context, *UnsealSecretInput) (*UnsealSecretOutput, error)
+	mustEmbedUnimplementedSealedSecretServiceServer()
+}
+
+// UnimplementedSealedSecretServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedSealedSecretServiceServer struct {
+}
+
+func (UnimplementedSealedSecretServiceServer) UnsealSecret(context.Context, *UnsealSecretInput) (*UnsealSecretOutput, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UnsealSecret not implemented")
+}
+func (UnimplementedSealedSecretServiceServer) mustEmbedUnimplementedSealedSecretServiceServer() {}
+
+// UnsafeSealedSecretServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SealedSecretServiceServer will
+// result in compilation errors.
+type UnsafeSealedSecretServiceServer interface {
+	mustEmbedUnimplementedSealedSecretServiceServer()
+}
+
+func RegisterSealedSecretServiceServer(s grpc.ServiceRegistrar, srv SealedSecretServiceServer) {
+	s.RegisterService(&SealedSecretService_ServiceDesc, srv)
+}
+
+func _SealedSecretService_UnsealSecret_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UnsealSecretInput)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SealedSecretServiceServer).UnsealSecret(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SealedSecretService_UnsealSecret_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SealedSecretServiceServer).UnsealSecret(ctx, req.(*UnsealSecretInput))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// SealedSecretService_ServiceDesc is the grpc.ServiceDesc for SealedSecretService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SealedSecretService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "api.SealedSecretService",
+	HandlerType: (*SealedSecretServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "UnsealSecret",
+			Handler:    _SealedSecretService_UnsealSecret_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "cdhgrpc.proto",
+}
+
+const (
+	GetResourceService_GetResource_FullMethodName = "/api.GetResourceService/GetResource"
+)
+
+// GetResourceServiceClient is the client API for GetResourceService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type GetResourceServiceClient interface {
+	GetResource(ctx context.Context, in *GetResourceRequest, opts ...grpc.CallOption) (*GetResourceResponse, error)
+}
+
+type getResourceServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewGetResourceServiceClient(cc grpc.ClientConnInterface) GetResourceServiceClient {
+	return &getResourceServiceClient{cc}
+}
+
+func (c *getResourceServiceClient) GetResource(ctx context.Context, in *GetResourceRequest, opts ...grpc.CallOption) (*GetResourceResponse, error) {
+	out := new(GetResourceResponse)
+	err := c.cc.Invoke(ctx, GetResourceService_GetResource_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// GetResourceServiceServer is the server API for GetResourceService service.
+// All implementations must embed UnimplementedGetResourceServiceServer
+// for forward compatibility
+type GetResourceServiceServer interface {
+	GetResource(context.Context, *GetResourceRequest) (*GetResourceResponse, error)
+	mustEmbedUnimplementedGetResourceServiceServer()
+}
+
+// UnimplementedGetResourceServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedGetResourceServiceServer struct {
+}
+
+func (UnimplementedGetResourceServiceServer) GetResource(context.Context, *GetResourceRequest) (*GetResourceResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetResource not implemented")
+}
+func (UnimplementedGetResourceServiceServer) mustEmbedUnimplementedGetResourceServiceServer() {}
+
+// UnsafeGetResourceServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to GetResourceServiceServer will
+// result in compilation errors.
+type UnsafeGetResourceServiceServer interface {
+	mustEmbedUnimplementedGetResourceServiceServer()
+}
+
+func RegisterGetResourceServiceServer(s grpc.ServiceRegistrar, srv GetResourceServiceServer) {
+	s.RegisterService(&GetResourceService_ServiceDesc, srv)
+}
+
+func _GetResourceService_GetResource_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetResourceRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(GetResourceServiceServer).GetResource(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: GetResourceService_GetResource_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(GetResourceServiceServer).GetResource(ctx, req.(*GetResourceRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// GetResourceService_ServiceDesc is the grpc.ServiceDesc for GetResourceService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var GetResourceService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "api.GetResourceService",
+	HandlerType: (*GetResourceServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetResource",
+			Handler:    _GetResourceService_GetResource_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "cdhgrpc.proto",
+}
+
+const (
+	SecureMountService_SecureMount_FullMethodName = "/api.SecureMountService/SecureMount"
+)
+
+// SecureMountServiceClient is the client API for SecureMountService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type SecureMountServiceClient interface {
+	SecureMount(ctx context.Context, in *SecureMountRequest, opts ...grpc.CallOption) (*SecureMountResponse, error)
+}
+
+type secureMountServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewSecureMountServiceClient(cc grpc.ClientConnInterface) SecureMountServiceClient {
+	return &secureMountServiceClient{cc}
+}
+
+func (c *secureMountServiceClient) SecureMount(ctx context.Context, in *SecureMountRequest, opts ...grpc.CallOption) (*SecureMountResponse, error) {
+	out := new(SecureMountResponse)
+	err := c.cc.Invoke(ctx, SecureMountService_SecureMount_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// SecureMountServiceServer is the server API for SecureMountService service.
+// All implementations must embed UnimplementedSecureMountServiceServer
+// for forward compatibility
+type SecureMountServiceServer interface {
+	SecureMount(context.Context, *SecureMountRequest) (*SecureMountResponse, error)
+	mustEmbedUnimplementedSecureMountServiceServer()
+}
+
+// UnimplementedSecureMountServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedSecureMountServiceServer struct {
+}
+
+func (UnimplementedSecureMountServiceServer) SecureMount(context.Context, *SecureMountRequest) (*SecureMountResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SecureMount not implemented")
+}
+func (UnimplementedSecureMountServiceServer) mustEmbedUnimplementedSecureMountServiceServer() {}
+
+// UnsafeSecureMountServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to SecureMountServiceServer will
+// result in compilation errors.
+type UnsafeSecureMountServiceServer interface {
+	mustEmbedUnimplementedSecureMountServiceServer()
+}
+
+func RegisterSecureMountServiceServer(s grpc.ServiceRegistrar, srv SecureMountServiceServer) {
+	s.RegisterService(&SecureMountService_ServiceDesc, srv)
+}
+
+func _SecureMountService_SecureMount_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecureMountRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(SecureMountServiceServer).SecureMount(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: SecureMountService_SecureMount_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(SecureMountServiceServer).SecureMount(ctx, req.(*SecureMountRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// SecureMountService_ServiceDesc is the grpc.ServiceDesc for SecureMountService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var SecureMountService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "api.SecureMountService",
+	HandlerType: (*SecureMountServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "SecureMount",
+			Handler:    _SecureMountService_SecureMount_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "cdhgrpc.proto",
+}
diff --git a/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.pb.go b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.pb.go
new file mode 100644
index 000000000..ccd4b3e36
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.pb.go
@@ -0,0 +1,527 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        v3.11.4
+// source: cdhttrpc.proto
+
+package cdhttrpc
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type UnsealSecretInput struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The input `secret“ is in the following format
+	// `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
+	Secret []byte `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
+}
+
+func (x *UnsealSecretInput) Reset() {
+	*x = UnsealSecretInput{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UnsealSecretInput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UnsealSecretInput) ProtoMessage() {}
+
+func (x *UnsealSecretInput) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UnsealSecretInput.ProtoReflect.Descriptor instead.
+func (*UnsealSecretInput) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *UnsealSecretInput) GetSecret() []byte {
+	if x != nil {
+		return x.Secret
+	}
+	return nil
+}
+
+type UnsealSecretOutput struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"`
+}
+
+func (x *UnsealSecretOutput) Reset() {
+	*x = UnsealSecretOutput{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UnsealSecretOutput) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UnsealSecretOutput) ProtoMessage() {}
+
+func (x *UnsealSecretOutput) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UnsealSecretOutput.ProtoReflect.Descriptor instead.
+func (*UnsealSecretOutput) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *UnsealSecretOutput) GetPlaintext() []byte {
+	if x != nil {
+		return x.Plaintext
+	}
+	return nil
+}
+
+type GetResourceRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	ResourcePath string `protobuf:"bytes,1,opt,name=ResourcePath,proto3" json:"ResourcePath,omitempty"`
+}
+
+func (x *GetResourceRequest) Reset() {
+	*x = GetResourceRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetResourceRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetResourceRequest) ProtoMessage() {}
+
+func (x *GetResourceRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetResourceRequest.ProtoReflect.Descriptor instead.
+func (*GetResourceRequest) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GetResourceRequest) GetResourcePath() string {
+	if x != nil {
+		return x.ResourcePath
+	}
+	return ""
+}
+
+type GetResourceResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Resource []byte `protobuf:"bytes,1,opt,name=Resource,proto3" json:"Resource,omitempty"`
+}
+
+func (x *GetResourceResponse) Reset() {
+	*x = GetResourceResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetResourceResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetResourceResponse) ProtoMessage() {}
+
+func (x *GetResourceResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetResourceResponse.ProtoReflect.Descriptor instead.
+func (*GetResourceResponse) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GetResourceResponse) GetResource() []byte {
+	if x != nil {
+		return x.Resource
+	}
+	return nil
+}
+
+type SecureMountRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	VolumeType string            `protobuf:"bytes,1,opt,name=volume_type,json=volumeType,proto3" json:"volume_type,omitempty"`
+	Options    map[string]string `protobuf:"bytes,2,rep,name=options,proto3" json:"options,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Flags      []string          `protobuf:"bytes,3,rep,name=flags,proto3" json:"flags,omitempty"`
+	MountPoint string            `protobuf:"bytes,4,opt,name=mount_point,json=mountPoint,proto3" json:"mount_point,omitempty"`
+}
+
+func (x *SecureMountRequest) Reset() {
+	*x = SecureMountRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecureMountRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecureMountRequest) ProtoMessage() {}
+
+func (x *SecureMountRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecureMountRequest.ProtoReflect.Descriptor instead.
+func (*SecureMountRequest) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SecureMountRequest) GetVolumeType() string {
+	if x != nil {
+		return x.VolumeType
+	}
+	return ""
+}
+
+func (x *SecureMountRequest) GetOptions() map[string]string {
+	if x != nil {
+		return x.Options
+	}
+	return nil
+}
+
+func (x *SecureMountRequest) GetFlags() []string {
+	if x != nil {
+		return x.Flags
+	}
+	return nil
+}
+
+func (x *SecureMountRequest) GetMountPoint() string {
+	if x != nil {
+		return x.MountPoint
+	}
+	return ""
+}
+
+type SecureMountResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MountPath string `protobuf:"bytes,1,opt,name=mount_path,json=mountPath,proto3" json:"mount_path,omitempty"`
+}
+
+func (x *SecureMountResponse) Reset() {
+	*x = SecureMountResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cdhttrpc_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecureMountResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecureMountResponse) ProtoMessage() {}
+
+func (x *SecureMountResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cdhttrpc_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecureMountResponse.ProtoReflect.Descriptor instead.
+func (*SecureMountResponse) Descriptor() ([]byte, []int) {
+	return file_cdhttrpc_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *SecureMountResponse) GetMountPath() string {
+	if x != nil {
+		return x.MountPath
+	}
+	return ""
+}
+
+var File_cdhttrpc_proto protoreflect.FileDescriptor
+
+var file_cdhttrpc_proto_rawDesc = []byte{
+	0x0a, 0x0e, 0x63, 0x64, 0x68, 0x74, 0x74, 0x72, 0x70, 0x63, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x03, 0x61, 0x70, 0x69, 0x22, 0x2b, 0x0a, 0x11, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x06, 0x73, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x22, 0x32, 0x0a, 0x12, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69,
+	0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61,
+	0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x38, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c,
+	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0c, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68,
+	0x22, 0x31, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x52, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x22, 0xe8, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f,
+	0x75, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x76, 0x6f,
+	0x6c, 0x75, 0x6d, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0a, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x3e, 0x0a, 0x07, 0x6f,
+	0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x61,
+	0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74,
+	0x72, 0x79, 0x52, 0x07, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x66,
+	0x6c, 0x61, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x66, 0x6c, 0x61, 0x67,
+	0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x70, 0x6f, 0x69, 0x6e, 0x74,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x6f, 0x69,
+	0x6e, 0x74, 0x1a, 0x3a, 0x0a, 0x0c, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74,
+	0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x34,
+	0x0a, 0x13, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x5f, 0x70,
+	0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, 0x6f, 0x75, 0x6e, 0x74,
+	0x50, 0x61, 0x74, 0x68, 0x32, 0x58, 0x0a, 0x13, 0x53, 0x65, 0x61, 0x6c, 0x65, 0x64, 0x53, 0x65,
+	0x63, 0x72, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x55,
+	0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x16, 0x2e, 0x61, 0x70,
+	0x69, 0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x49, 0x6e,
+	0x70, 0x75, 0x74, 0x1a, 0x17, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x55, 0x6e, 0x73, 0x65, 0x61, 0x6c,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x22, 0x00, 0x32, 0x58,
+	0x0a, 0x12, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x53, 0x65, 0x72,
+	0x76, 0x69, 0x63, 0x65, 0x12, 0x42, 0x0a, 0x0b, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75,
+	0x72, 0x63, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x61,
+	0x70, 0x69, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x32, 0x58, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x75,
+	0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x42,
+	0x0a, 0x0b, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x17, 0x2e,
+	0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x53, 0x65, 0x63,
+	0x75, 0x72, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x00, 0x42, 0x6b, 0x5a, 0x69, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x2d, 0x63, 0x6f,
+	0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x73, 0x2f, 0x67, 0x75, 0x65, 0x73, 0x74, 0x2d, 0x63,
+	0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x2d, 0x64, 0x61, 0x74, 0x61, 0x2d, 0x68, 0x75, 0x62, 0x2f,
+	0x67, 0x6f, 0x6c, 0x61, 0x6e, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x2f, 0x63, 0x64,
+	0x68, 0x74, 0x74, 0x72, 0x70, 0x63, 0x3b, 0x63, 0x64, 0x68, 0x74, 0x74, 0x72, 0x70, 0x63, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_cdhttrpc_proto_rawDescOnce sync.Once
+	file_cdhttrpc_proto_rawDescData = file_cdhttrpc_proto_rawDesc
+)
+
+func file_cdhttrpc_proto_rawDescGZIP() []byte {
+	file_cdhttrpc_proto_rawDescOnce.Do(func() {
+		file_cdhttrpc_proto_rawDescData = protoimpl.X.CompressGZIP(file_cdhttrpc_proto_rawDescData)
+	})
+	return file_cdhttrpc_proto_rawDescData
+}
+
+var file_cdhttrpc_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_cdhttrpc_proto_goTypes = []interface{}{
+	(*UnsealSecretInput)(nil),   // 0: api.UnsealSecretInput
+	(*UnsealSecretOutput)(nil),  // 1: api.UnsealSecretOutput
+	(*GetResourceRequest)(nil),  // 2: api.GetResourceRequest
+	(*GetResourceResponse)(nil), // 3: api.GetResourceResponse
+	(*SecureMountRequest)(nil),  // 4: api.SecureMountRequest
+	(*SecureMountResponse)(nil), // 5: api.SecureMountResponse
+	nil,                         // 6: api.SecureMountRequest.OptionsEntry
+}
+var file_cdhttrpc_proto_depIdxs = []int32{
+	6, // 0: api.SecureMountRequest.options:type_name -> api.SecureMountRequest.OptionsEntry
+	0, // 1: api.SealedSecretService.UnsealSecret:input_type -> api.UnsealSecretInput
+	2, // 2: api.GetResourceService.GetResource:input_type -> api.GetResourceRequest
+	4, // 3: api.SecureMountService.SecureMount:input_type -> api.SecureMountRequest
+	1, // 4: api.SealedSecretService.UnsealSecret:output_type -> api.UnsealSecretOutput
+	3, // 5: api.GetResourceService.GetResource:output_type -> api.GetResourceResponse
+	5, // 6: api.SecureMountService.SecureMount:output_type -> api.SecureMountResponse
+	4, // [4:7] is the sub-list for method output_type
+	1, // [1:4] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_cdhttrpc_proto_init() }
+func file_cdhttrpc_proto_init() {
+	if File_cdhttrpc_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_cdhttrpc_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UnsealSecretInput); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhttrpc_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UnsealSecretOutput); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhttrpc_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetResourceRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhttrpc_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetResourceResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhttrpc_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecureMountRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cdhttrpc_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecureMountResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_cdhttrpc_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   3,
+		},
+		GoTypes:           file_cdhttrpc_proto_goTypes,
+		DependencyIndexes: file_cdhttrpc_proto_depIdxs,
+		MessageInfos:      file_cdhttrpc_proto_msgTypes,
+	}.Build()
+	File_cdhttrpc_proto = out.File
+	file_cdhttrpc_proto_rawDesc = nil
+	file_cdhttrpc_proto_goTypes = nil
+	file_cdhttrpc_proto_depIdxs = nil
+}
diff --git a/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.proto b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.proto
new file mode 100644
index 000000000..4918c333f
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc.proto
@@ -0,0 +1,47 @@
+syntax = "proto3";
+
+package api;
+
+option go_package = "github.com/confidential-containers/guest-components/confidential-data-hub/golang/protos/cdhttrpc;cdhttrpc";
+
+message UnsealSecretInput {
+    // The input `secret`` is in the following format
+    // `sealed`.`JWS header`.`JWS body (secret content)`.`signature`
+    bytes secret = 1;
+}
+
+message UnsealSecretOutput {
+    bytes plaintext = 1;
+}
+
+message GetResourceRequest {
+    string ResourcePath = 1;
+}
+
+message GetResourceResponse {
+    bytes Resource = 1;
+}
+
+message SecureMountRequest {
+    string volume_type = 1;
+    map<string, string> options = 2;
+    repeated string flags = 3;
+    string mount_point = 4;
+}
+
+message SecureMountResponse {
+    string mount_path = 1;
+}
+
+service SealedSecretService {
+    rpc UnsealSecret(UnsealSecretInput) returns (UnsealSecretOutput) {};
+}
+
+service GetResourceService {
+    rpc GetResource(GetResourceRequest) returns (GetResourceResponse) {};
+}
+
+service SecureMountService {
+    rpc SecureMount(SecureMountRequest) returns (SecureMountResponse) {};
+}
+
diff --git a/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc_ttrpc.pb.go b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc_ttrpc.pb.go
new file mode 100644
index 000000000..948fe01e7
--- /dev/null
+++ b/confidential-data-hub/golang/pkg/api/cdhttrpc/cdhttrpc_ttrpc.pb.go
@@ -0,0 +1,116 @@
+// Code generated by protoc-gen-go-ttrpc. DO NOT EDIT.
+// source: cdhttrpc.proto
+package cdhttrpc
+
+import (
+	context "context"
+	ttrpc "github.com/containerd/ttrpc"
+)
+
+type SealedSecretServiceService interface {
+	UnsealSecret(context.Context, *UnsealSecretInput) (*UnsealSecretOutput, error)
+}
+
+func RegisterSealedSecretServiceService(srv *ttrpc.Server, svc SealedSecretServiceService) {
+	srv.RegisterService("api.SealedSecretService", &ttrpc.ServiceDesc{
+		Methods: map[string]ttrpc.Method{
+			"UnsealSecret": func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error) {
+				var req UnsealSecretInput
+				if err := unmarshal(&req); err != nil {
+					return nil, err
+				}
+				return svc.UnsealSecret(ctx, &req)
+			},
+		},
+	})
+}
+
+type sealedsecretserviceClient struct {
+	client *ttrpc.Client
+}
+
+func NewSealedSecretServiceClient(client *ttrpc.Client) SealedSecretServiceService {
+	return &sealedsecretserviceClient{
+		client: client,
+	}
+}
+
+func (c *sealedsecretserviceClient) UnsealSecret(ctx context.Context, req *UnsealSecretInput) (*UnsealSecretOutput, error) {
+	var resp UnsealSecretOutput
+	if err := c.client.Call(ctx, "api.SealedSecretService", "UnsealSecret", req, &resp); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+type GetResourceServiceService interface {
+	GetResource(context.Context, *GetResourceRequest) (*GetResourceResponse, error)
+}
+
+func RegisterGetResourceServiceService(srv *ttrpc.Server, svc GetResourceServiceService) {
+	srv.RegisterService("api.GetResourceService", &ttrpc.ServiceDesc{
+		Methods: map[string]ttrpc.Method{
+			"GetResource": func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error) {
+				var req GetResourceRequest
+				if err := unmarshal(&req); err != nil {
+					return nil, err
+				}
+				return svc.GetResource(ctx, &req)
+			},
+		},
+	})
+}
+
+type getresourceserviceClient struct {
+	client *ttrpc.Client
+}
+
+func NewGetResourceServiceClient(client *ttrpc.Client) GetResourceServiceService {
+	return &getresourceserviceClient{
+		client: client,
+	}
+}
+
+func (c *getresourceserviceClient) GetResource(ctx context.Context, req *GetResourceRequest) (*GetResourceResponse, error) {
+	var resp GetResourceResponse
+	if err := c.client.Call(ctx, "api.GetResourceService", "GetResource", req, &resp); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}
+
+type SecureMountServiceService interface {
+	SecureMount(context.Context, *SecureMountRequest) (*SecureMountResponse, error)
+}
+
+func RegisterSecureMountServiceService(srv *ttrpc.Server, svc SecureMountServiceService) {
+	srv.RegisterService("api.SecureMountService", &ttrpc.ServiceDesc{
+		Methods: map[string]ttrpc.Method{
+			"SecureMount": func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error) {
+				var req SecureMountRequest
+				if err := unmarshal(&req); err != nil {
+					return nil, err
+				}
+				return svc.SecureMount(ctx, &req)
+			},
+		},
+	})
+}
+
+type securemountserviceClient struct {
+	client *ttrpc.Client
+}
+
+func NewSecureMountServiceClient(client *ttrpc.Client) SecureMountServiceService {
+	return &securemountserviceClient{
+		client: client,
+	}
+}
+
+func (c *securemountserviceClient) SecureMount(ctx context.Context, req *SecureMountRequest) (*SecureMountResponse, error) {
+	var resp SecureMountResponse
+	if err := c.client.Call(ctx, "api.SecureMountService", "SecureMount", req, &resp); err != nil {
+		return nil, err
+	}
+	return &resp, nil
+}