Skip to main content


Oblivious client CLI is responsible for;

  1. Establishing a secure connection to an enclave.
  2. Verification of the enclave.
  3. Encrypting and forwarding client application requests to the enclave.

Setting up a connection to the enclave involves sending a client hello message via HTTPS secure channel to an enclave with an auth header used for verification. On verification of the client, the enclave responds with an attestation document that is a signed document of the hash of the enclave environment.

An encrypted symmetric key is sent as part of attestation document, which the client CLI decrypts and uses for encrypting future requests from client applications, providing end-to-end data encryption.

Once a connection is established the client applications running on the user's device have a secure communication channel established to the enclave. This is achieved by having a reverse proxy running on the client that listens to the localhost on a particular port for any requests from the client applications.

Once a request is received, the payload is encrypted along with the shared symmetric key, and the request is sent with an auth header.

Currently, the CLI is available for 3 OS platforms: Mac, Linux, and Windows.