Enclaves FAQ

How does attestation work with Enclaves?

Evervault Enclaves abstract away the complexity of implementing and verifying attestation with your Secure Enclaves. Enclaves embed the attestation flow in the TLS handshake, which is performed every time you invoke a Enclave.

TLS Attestation

When you connect to a Enclave, your client performs a standard TLS handshake with the enclave. Evervault automatically handles all load balancing between enclaves at the network layer.

Each Enclave generates a TLS Certificate signed by a Trusted CA on start up. When an Evervault client is connecting to the Enclave, it loads an Attestation Document through the publicly available /.well-known/attestation endpoint. The returned Attestation Document contains the public key of the Enclave's certificate. This relationship between the TLS Certificate and the Attestation Document is used to attest subsequent connections.

Further information on our Attestation protocol can be found here.

Are Enclaves Open Source?

Yes, both the Enclaves runtime itself, and the core logic for our attestation protocol are open source.

How large can an Enclave be?

The current limit for Enclaves is 16 vCPUs and 64 gigabytes of RAM. For trial usage, Enclaves are capped at 4 vCPUs and 16 gigabytes of RAM.

Enclaves use a RAM-based filesystem. This means that the memory allocated to your Enclave is used for both storage and RAM.

Enclaves and Evervault Encryption

Evervault Enclaves allow you to process data encrypted using Evervault Encryption. By default, TLS termination is handled automatically within your Enclave, and encrypted data is automatically decrypted before it is passed to your application.

Can I run an Enclave on my own infrastructure?

Evervault Enclaves are managed and run by Evervault on our infrastructure. A major advantage of using Enclaves is that the burden of hosting and scaling all of the infrastructure necessary to run Secure Enclaves is handled by Evervault.

Evervault running your Enclaves doesn't weaken the security guarantees provided by Secure Enclaves, thanks to attestation. You are still provided with the attestation measure at build-time and can verify that these haven't been tampered with — all within the TLS handshake.

Can I run multiple instances of an Enclave?

Yes! The number of instances an Enclave runs on can be configured using the desired_replicas option in the enclave.toml. The EC2 instances running the Enclave will be split between two Availability Zones in a region for greater resiliency.

During the trial period, Enclaves run as a single instance. During this time, deployments will result in downtime.

Can I restart my Enclave?

Enclaves can be restarted from either the "Versions" tab in the Enclaves Dashboard or by using the CLI.

Why does my Enclave perform decrypt requests on start-up?

Enclaves order a trusted TLS certificate on their first deployment. The private key is encrypted in the Enclave, and backed-up so it can be loaded in on every subsequent start-up. As a result, when each instance of the Enclave launches, they perform a single decrypt request to load in their private key in plaintext.

Enclaves Trial

All accounts are enrolled in an Trial which starts when you deploy your first Enclave. The terms of the trial are given below.

How long is the trial program?

Starting from the day you deploy your first Enclave, you will have full access to the Evervault Platform (free plan) and Enclaves for 14 days, so you can try building and deploying Enclaves. After that period, you’ll have the option to sign up for monthly pricing to continue testing.

If you’re unsure how long you have — you can always check the countdown timer in your Evervault Dashboard to see how much time is left in the allotment. If you need to adjust the timing or have any questions regarding the trial, feel free to reach out to our team.

How many Enclaves can I create?

During the 14 day trial period, a team can run one Enclave. Enclaves will run as a single instance which may cause downtime for deployments, however this is only for your trial period.

Following initial trial — If you upgrade to a paid plan and start using Enclaves in production, we will provide multiple instances with high availability and zero downtime deployments.

What happens during the trial?

You can play around with Enclaves to see if it fits your use-case, free of charge! Start here if you’re not sure where to get started.

We would love to know more about the use cases you are building for, any errors or bugs you encounter, and any feedback you have.

What happens after the trial?

At the end of the 14-day period, we’ll notify you that your trial access has ended, and any active Enclaves will be deactivated.

Once deactivated, you will no longer be able to send requests to your Enclave but it will remain visible in the Evervault dashboard. If at any time you’d like to continue using Enclaves, you can easily upgrade to a paid plan and we will restart your Enclave instances.

Upgrading to the paid plan will give you access to all of the Evervault Pro features and allow you to run multiple Enclave instances with high availability and zero downtime deployments.

Other questions?

If anything comes up during the trial, please send us an email at support@evervault.com, and we’ll get back to you as soon as possible.