Evervault Functions are secure serverless functions which allow you to process data encrypted with Evervault Encryption.
When you pass encrypted data to a Function, it is automatically decrypted by the Function’s runtime. You can then process this data by running custom logic written in Node.js or Python as you normally would, but without ever handling it in plaintext on your infrastructure.
For more complex processes, processes requiring more compute resources, or processes that have longer running times, check out Evervault Enclaves — the easiest way to build, deploy and scale Secure Enclaves.
The quickest way to deploy your first Evervault Function is by signing into the Evervault Dashboard and creating a starter template Function by connecting your GitHub account.
1. Sign in to the Evervault Dashboard
2. Create or open an App and navigate to the Functions tab
3. Click Create Function
4. Select "Choose template"
5. Authenticate with GitHub
6. Select a starter template and deploy your Function
Alternatively, if you have Function code ready in a GitHub repository which you would like to deploy, you can select "Import repository" at Step 4 above. Note that in this case the repo must contain a function.toml file.
Deployment failures often occur due to issues with the function.toml, package.json, or requirements.txt files. To prevent such failures, verify that these files are present and do not contain any invalid syntax.
Evervault Functions are configured using a function.toml configuration file which can be committed to source control. Simply provide a function.toml file in the root of your repository and Evervault will automatically include it at build time.
The format of a function.toml is as follows:
When you deploy a Function to Evervault, we will locate your package-lock.json (for Node.js) and requirements.txt file (for Python) and install any non-development dependencies.
For Node.js Functions, if a node_modules folder is included then dependency installation will be skipped; this can be used to include private dependencies.
If there are any issues with your dependencies, for example if you have missed one in your package.json, an InitializationError will be thrown.
Environment Variables for a Function can be configured using either the Evervault Dashboard or CLI. Secrets can be encrypted on creation and will be made available to your Function handler in plaintext on startup.
Secrets are available in plaintext in the Function handler, but will be in their encrypted form when accessed from anywhere else within the Function.
An encrypt function is available within your Function and can be accessed through the context parameter. This allows you to encrypt data in your response using your App’s keys.
The below examples demonstrate how to use the encrypt Function in Node and Python.
In each of the examples above, we have used an API Key for authentication. However, these API Keys are sensitive and should not be used client-side. When invoking Functions from frontend applications, we recommend using a Run Token.
Run Tokens are single use, time bound tokens for invoking an Evervault Function with a given payload. Run Tokens will only last for 5 minutes and must be used with the same payload that was used to create the Run Token.
Once created, Run Tokens can be used to invoke an Evervault Function client-side without providing a sensitive API Key.
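The three Run Token properties described above (single use, a 5-minute lifetime, and binding to the payload used at creation), as an added Python sketch that is not Evervault's implementation or API. The RunTokenIssuer class, its HMAC token layout and the status strings are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets, time

TTL_SECONDS = 5 * 60  # lifetime stated on the page

class RunTokenIssuer:
    """Illustrative model only; not Evervault's token format."""

    def __init__(self, key=None, clock=time.time):
        self._key = key or secrets.token_bytes(32)
        self._clock = clock
        self._used = set()  # nonces already redeemed (single use)

    @staticmethod
    def _digest(function_name, payload):
        # Canonical JSON so key order does not change the binding.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(f"{function_name}\n{canonical}".encode()).hexdigest()

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def create(self, function_name, payload):
        nonce = secrets.token_hex(16)
        expires = int(self._clock()) + TTL_SECONDS
        body = f"{nonce}.{expires}.{self._digest(function_name, payload)}"
        return f"{body}.{self._mac(body)}"

    def redeem(self, token, function_name, payload):
        try:
            nonce, expires, digest, mac = token.split(".")
            expires = int(expires)
        except ValueError:
            return "malformed"
        body = f"{nonce}.{expires}.{digest}"
        # Constant-time comparison of the MAC before trusting any field.
        if not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            return "bad-signature"
        if self._clock() >= expires:
            return "expired"
        expected = self._digest(function_name, payload)
        if not hmac.compare_digest(digest.encode(), expected.encode()):
            return "payload-mismatch"
        if nonce in self._used:
            return "already-used"
        self._used.add(nonce)
        return "ok"
```

Because the token commits to a digest of the payload, a client holding it cannot swap in different data, and a captured token is useless after its first redemption or once the 5 minutes have passed.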
The response from a Function run request will contain an id and a status field. The id is a unique identifier for this Function invocation which can be used to search for the invocation in the Function's Activity log. The status field will be either success or failure, depending on whether the function completed successfully or not.
On a successful run, any payload returned from the Function will be contained within the result of the response object.
If there is a failure in the course of a Function run, the response will contain an error object with a message and a stack field. The message field will contain a human readable error message, and the stack field will contain a stack trace of the error.
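One way a backend might consume these fields, as an added Python example that is not Evervault SDK code: the stack trace is logged server-side next to the invocation id (for lookup in the Activity log) and kept out of anything passed on to a caller. The names unwrap_run_response and FunctionRunError, the "success" status value and the sample responses in the test are assumptions.

```python
import logging

log = logging.getLogger("function-runs")

class FunctionRunError(Exception):
    """Failure that is safe to surface: run id and message, never the stack."""

    def __init__(self, run_id, message):
        super().__init__(f"Function run {run_id} failed: {message}")
        self.run_id = run_id
        self.message = message

def unwrap_run_response(response):
    """Return the Function's result, or raise without exposing the stack trace."""
    run_id = response.get("id")
    status = response.get("status")
    if status == "success":
        return response.get("result")
    if status == "failure":
        error = response.get("error") or {}
        # Stack traces can reveal file paths and dependency versions:
        # keep them in server logs, keyed by the invocation id.
        log.error("run %s failed: %s\n%s",
                  run_id, error.get("message"), error.get("stack"))
        raise FunctionRunError(run_id, error.get("message", "unknown error"))
    # Anything else is treated as an error rather than as success.
    raise ValueError(f"unexpected status {status!r} for run {run_id}")
```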
If there is an error during the initialization of your Function, for example if there's a syntax error or a dependency is not included in the package.json, the response will contain an error object with a stack field as follows:
Evervault Functions have a maximum memory consumption of 1024MB, 2 available CPU cores and 512MB of ephemeral filesystem storage. However, using ephemeral storage is not recommended for sensitive data, as it cannot be guaranteed that data won't be available to a future invocation, increasing the risk of an accidental data leak.
If you require more memory or CPU cores, check out Evervault Enclaves — the easiest way to build, deploy and scale Secure Enclaves.
Evervault Functions currently have a default execution time of 30 seconds. This can be increased to a maximum of 55 seconds by setting the timeout in the function.toml.
Evervault Functions scale automatically to many thousands of requests per second without a noticeable drop in throughput or latency.
By default, Functions will respond to requests invoked from any client with a valid Evervault API key or Run Token. By adding an IP address to the Inbound Whitelist in the Dashboard, your Function will only be invoked when a request is made from a whitelisted IP address.
By default, Functions can send requests to any third-party endpoint. By adding a domain name to the Outbound Whitelist in the Dashboard, your Function will only have network access to the hostnames you specify.