Evervault Enclaves

Evervault Enclaves are the easiest way to build, deploy and scale Secure Enclaves.

Evervault Enclaves allow developers to easily deploy Docker containers in a Secure Enclave, powered by AWS Nitro Enclaves. Enclaves offer easy deployment, invocation and attestation of Secure Enclaves without the engineering overhead.

This repo consists of two components: the runtime which is run inside the Secure Enclave (the "data plane") and the code used for proxying network traffic and initializing the enclave (the "control plane").

Notice on Open Source Status of this project

The Evervault Enclaves product is open source with the aim of providing transparency to users — this is vital given that our process runs in the enclave, and is accounted for in the attestation.

The current state of this project does not allow for self-hosting. We plan on addressing this by abstracting away the Evervault-specific elements of the Enclaves product.

Steps to get Enclaves running in local dev (macOSarm64)

Add a .cargo directory to the project root, and create a .cargo/config.toml containing the following:

[target.x86_64-unknown-linux-musl]
linker = "x86_64-linux-musl-gcc"

If you're using vscode you may want to append a check target to your workspace settings

.vscode/settings.json

{
	"rust-analyzer.check.targets": "x86_64-unknown-linux-musl"
}

Install the required packages for cross compilation:

brew tap SergioBenitez/osxct
brew install FiloSottile/musl-cross/musl-cross # don't be alarmed if this takes a while https://github.com/FiloSottile/homebrew-musl-cross/issues/15
rustup target add x86_64-unknown-linux-musl
ln -s $(which x86_64-linux-musl-gcc) /usr/local/bin/musl-gcc

Generate a cert and key for the data-plane:

# install mkcert as a trusted CA
mkcert -install

mkcert data-plane.localhost

Generate test certs:

./e2e-tests/mtls-testing-certs/ca/generate-certs.sh

Generate the Root and Intermediate CA for cert provisioning in tests:

sh ./e2e-tests/generate-sample-ca.sh

Generate certs for TLS in the mock API:

mkdir e2e-tests/testing-certs && mkcd e2e-tests/testing-certs
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./testing.key -out testing.crt

Source export-dev-env-vars.sh to set certs as environment variables:

source ./scripts/export-dev-env-vars.sh

Compile:

cargo build --release --target x86_64-unknown-linux-musl --features network_egress

Compile the mock crypto crate:

pushd e2e-tests/mock-crypto && cargo build --release --target x86_64-unknown-linux-musl && popd

Build and run docker containers:

docker compose build
docker compose up

Test it out:

curl https://enclave.localhost:443/encrypt -k -H 'api-key: placeholder' --data '{"hello": "world"}' -H "Content-Type: application/json"

Feature flags

By default, the data plane and control plane will be compiled and run without network egress from the enclave.

cargo run

The data plane and control plane can be compiled and run with network egress support using the network_egress feature flag.

cargo run --features network_egress

To build with the enclave feature flag, you will have to specify the target:

sudo cargo clippy --features enclave --target x86_64-unknown-linux-musl

You may need to install musl-cross (Note: this will take a while, ~30+ minutes):

brew install FiloSottile/musl-cross/musl-cross

You will also need the x86_64-unknown-linux-musl target:

rustup target add x86_64-unknown-linux-musl

Query Local DNS Server

The enclave DNS forwarder is listening on 53. To test lookup from data plane -> control plane -> remote DNS server use the following command:

dig evervault.com @127.0.0.1

Run end-to-end tests

sh e2e-tests/run.sh

The mock crypto API depends on a (currently private) Rust crate. We plan on making this crate available in future. Until then, the project will be able to build and run the E2E tests in CI.