
Cages

Process encrypted data.

Cages are serverless functions hosted on Evervault for processing the data you encrypt with Relay or our SDKs. You can use Cages to isolate your Node.js code that processes sensitive data from the rest of your stack.

You can write and deploy any serverless function to a Cage. At present, Cages can only be written in Node.js. You can call and run a Cage with any language that can send HTTPS requests.

Coming soon - deploy Docker Containers as Cages for machine learning, resource-intensive apps or services, and worker processes.

Use Cases

You can deploy any Node.js code as a Cage to process data in whichever way you need.

  • Serverless functions. Cages are serverless functions, so you can deploy any code you would deploy to other serverless function services such as AWS Lambda, Firebase Functions, Azure Functions or Cloudflare Workers. The core difference is that you never touch sensitive data in plaintext.
  • Machine learning. Deploy your machine learning model as a Cage, send it the data you encrypt with Relay, and get the result.
  • Document generation. Encrypt & store identity data (like addresses and social security numbers), generate a document in a Cage, and send it to a third-party direct mail API like Lob.
  • API authorization. Encrypt your users' credentials for third-party services using Relay, and authorize with those services by running a headless browser in, or calling an API from, a Cage.

Deploy your Cage

You can deploy a Cage by connecting to a GitHub repository (see below) or using the Evervault CLI.

Evervault Dashboard → Create Cage

In the Evervault Dashboard:

  1. Click New Cage
  2. Select Choose Template
  3. Authenticate with GitHub if you haven’t already
  4. Install the Evervault app on GitHub
  5. Select a template Cage
  6. Create your Cage

Run your Cage

Automatically run your Cage code by passing the Cage name and the payload into the evervault.run() function. Or, send an HTTPS POST request with a JSON payload and API-Key header to https://run.evervault.com/cage-name.

Cages can currently only be called server-side because they require your team's API key for authentication.

```javascript
// `encryptedData` must be an Object
const result = await evervault.run('YOUR-CAGE-NAME', encryptedData);
```

Run your application to see the result. Return the result to the client via your server, or forward it to a third party API via an HTTP request. All outbound HTTP requests are logged, and are shown in your team's Dashboard.

The Node.js SDK is pre-initialized in all Cages as the globally-scoped evervault object. This allows you to encrypt the result, and store it in your database.
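A sketch of Cage code that uses the global `evervault` object to re-encrypt a sensitive field before returning, so only a derived, non-sensitive result leaves the Cage in plaintext. This is an added example, not Evervault's own code. It assumes the Cage exports a `handler` function that receives the decrypted payload and that `evervault.encrypt()` returns a Promise; the field names `ssn` and `dateOfBirth` are constructed for illustration.

```javascript
// Added example of Cage code (not from the Evervault docs).
// Assumptions: the Cage runtime calls an exported `handler` with the decrypted
// payload, and the pre-initialized global `evervault` exposes `encrypt()`.

// Whole years between a date of birth and `now`, compared in UTC.
function ageInYears(dateOfBirth, now = new Date()) {
  const dob = new Date(dateOfBirth);
  if (Number.isNaN(dob.getTime())) throw new TypeError('dateOfBirth is not a valid date');
  let age = now.getUTCFullYear() - dob.getUTCFullYear();
  const hadBirthday =
    now.getUTCMonth() > dob.getUTCMonth() ||
    (now.getUTCMonth() === dob.getUTCMonth() && now.getUTCDate() >= dob.getUTCDate());
  if (!hadBirthday) age -= 1;
  return age;
}

async function handler(data) {
  const { ssn, dateOfBirth } = data;
  if (typeof ssn !== 'string' || !/^\d{3}-?\d{2}-?\d{4}$/.test(ssn)) {
    // Do not echo the offending value: error text may end up in logs.
    throw new TypeError('ssn missing or malformed');
  }
  return {
    // Derived fact that the caller needs in plaintext.
    isAdult: ageInYears(dateOfBirth) >= 18,
    // The identifier itself is re-encrypted before it leaves the Cage,
    // so the calling server can store it without seeing the plaintext.
    ssn: await evervault.encrypt(ssn),
  };
}

// Export for the Cage runtime (assumed to be CommonJS).
if (typeof module !== 'undefined') module.exports = { handler };
```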


Update your Cage

When you push to your GitHub repo, Evervault will automatically update your Cage code. If you choose to deploy with the Evervault CLI, use the `ev cage deploy` command to update your Cage code.

Cages which take a long time to run can also be run asynchronously by providing an `x-async: true` header. Execution time is limited to 15 minutes.
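The HTTPS call described under "Run your Cage", including the `x-async: true` header, written with Node's built-in `fetch` (Node 18+). This is an added example, not Evervault's SDK code. The helper names, the Cage-name pattern, the use of `EV_API_KEY` at runtime and the JSON response body are assumptions.

```javascript
// Added example: call the Cage Run endpoint directly over HTTPS.
const RUN_BASE = 'https://run.evervault.com';
const SYNC_LIMIT_MS = 30_000; // synchronous runs are capped at 30 seconds

// Pure helper: validates input and returns the URL and fetch options.
function buildCageRequest(cageName, payload, { apiKey, runAsync = false } = {}) {
  // Assumption: Cage names are URL-safe slugs. Reject anything that could
  // change the request path (slashes, dots, query strings).
  if (!/^[A-Za-z0-9][A-Za-z0-9_-]*$/.test(String(cageName))) {
    throw new TypeError('invalid Cage name');
  }
  // The payload must be a JSON object, not an array, string or null.
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new TypeError('payload must be an Object');
  }
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('API key missing');
  }
  const headers = { 'Content-Type': 'application/json', 'API-Key': apiKey };
  if (runAsync) headers['x-async'] = 'true'; // background job, up to 15 minutes
  return {
    url: `${RUN_BASE}/${cageName}`,
    options: { method: 'POST', headers, body: JSON.stringify(payload) },
  };
}

// Server-side only: the team API key is read from the environment
// (assumed variable name EV_API_KEY), never shipped to a browser.
async function runCage(cageName, payload, { runAsync = false } = {}) {
  const { url, options } = buildCageRequest(cageName, payload, {
    apiKey: process.env.EV_API_KEY,
    runAsync,
  });
  const res = await fetch(url, { ...options, signal: AbortSignal.timeout(SYNC_LIMIT_MS) });
  if (!res.ok) throw new Error(`Cage run failed with HTTP ${res.status}`);
  // Async runs return no function output; the Cage must deliver it elsewhere.
  return runAsync ? null : res.json(); // assumed JSON response body
}
```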

We know that you will never want slower requests, so we are always reducing the cumulative network and runtime latency of Cages (and all other Evervault services).


Cages FAQ

Below you'll find questions related to processing encrypted data.

What is an Evervault Cage?

Cages are secure serverless functions for processing encrypted data. They're isolated from your stack, and hosted on Evervault. You can write and deploy any serverless function written in Node.js to a Cage.

What languages do Cages support?

At present, Cages can only be written in Node.js. Expanding language support is on our product roadmap, and we're actively rolling out other languages/frameworks. If there's a specific language you'd like us to support, let us know.

What are the resource limits of Cages?

Cages currently have a maximum memory consumption of 1024MB. This can be increased to 3008MB on request. They currently have 1 available CPU core and this can also be increased to 2 cores on request.

What is the maximum execution time of a Cage?

Cages currently have a maximum of 30 seconds execution time as a result of their request-response serverless architecture. By passing an X-Async header to the Cage Run endpoint or by passing async: true as an option to the Cage Run functions in our SDKs, you can run Cages for up to 15 minutes as a background job. Cages running in async mode will not return a response and all function output must be explicitly passed from the Cage to another endpoint.

How scalable are Cages?

Cages will scale automatically to many thousands of requests per second without a noticeable drop in throughput or latency. We are actively improving Cage latency and scalability for more intense workloads and see this as a core priority for our product roadmap.

Is there a way to verify that Evervault does not have access to the plaintext data?

Evervault does not store encrypted data, and data only exists ephemerally on our infrastructure during a Cage run. Our product roadmap includes a remote attestation feature which will verify that code running inside a Cage matches the expected code, removing the risk of malicious code within Cages or on Evervault’s infrastructure.

Can I send requests to external APIs from a Cage?

Evervault has an API Whitelist feature which lets you create a list of external APIs that your Cage can send requests to. By default, Cages can send requests to any third-party API. When sending data to a third-party API via your Cage, Evervault ensures that the destination API is included in your API Whitelist (if provided).

By adding a domain name to the API Whitelist in the Dashboard, your Cage will only have network access to the APIs you specify.

Can I deploy Cages in CI pipelines?

Yes. The steps are as follows:

  • Set the EV_API_KEY environment variable to your team's API key.
  • Install the Evervault CLI.
  • Run ev cage deploy --api-key-auth in the directory of your Cage's source code.