
Deploy & Connect

You've now built a server, given it all of the metadata it needs to be a service, and are ready to launch it. All we need to do from here is ask our user for their preshared key and launch the enclave. The steps below are:

  1. User creates a public/private key pair and shares the public key with the enclave provider.
  2. The enclave is launched.
  3. User connects to the enclave.

User creates a public/private key pair

Users can download the enclave proxy from here. Once they have downloaded it for their operating system, they can generate a public/private key pair using the keygen command as described here. Please refer to the Usage Examples section for examples of generating keys on different platforms. Once the keys are generated, the public key as a base64 string is what they will share with the enclave provider.

The enclave is launched

We are at the final step: launching the enclave. In the console, on the Services tab, search for your my-first-oblivious-app service and hit the launch button as highlighted:

Service Console Screenshot

We need to select some final build arguments and the region in which we would like to launch the service. In the first form we can simply specify:

Deployment Name: my-first-deployment
Region Name: eu-west-2, Europe (London)
Visibility Type: Private (so only you can see it in your deployments)
Environment Type: Production
Tags: Test

When you confirm the above and move to the next page of the form, simply add the user name to the querier and add their provided base64 Public key (we can use the smallest/cheapest infrastructure option):

user_name: Mr & Mrs Test User
public key: MIIBCgKCAQEAyRJghHhr6gmkc/mACQz6no8IfVvR/ngZNegJLlJDN9YHOyvBmErcBFmf8yOVK8u5I4iAJCl/GJCgZ9HMMTzkcCVtIj0F/vvVLpPiAs0n9siEiHqBcUIePhD11M4xOIxz/auwPvysxW2EJ79WNr7BSVh/4PsbEmvBBCEnwj8f2bOZ7hOnqv0wsvcBaYZlOJqf8rADZUIH45/KNOmdOMuhwg3AKvohn2lYPtqLLq2G44eSjbB9Xn09SWWlWZKKgor5FypRAdcO79W1ZCvUT4auLajGiXeLyOKfgJdy9e4FnX8F1qsSdA84IN9tlG88qtTsMK41jkDxOVrqCPsyGttGAQIDAQAB
infra-reqs: CPU: 4 RAM: 8GB
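
Before pasting a user's key into this form, the provider can check that the string is clean base64 and decodes to a well-formed RSA public key. This is an added example, not part of the original page or the platform's tooling; it assumes the key is a PKCS#1 RSAPublicKey in DER form (as the prefix of the sample value above suggests), and the function names, the 2048-bit minimum and the SHA-256 fingerprint are this example's own choices.

```python
import base64
import binascii
import hashlib

def _read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def check_public_key(b64_text, min_bits=2048):
    """Return (modulus bits, exponent, SHA-256 of DER) or raise ValueError."""
    try:  # validate=True rejects stray characters such as a copied shell '%'
        der = base64.b64decode(b64_text.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not clean base64: {exc}") from None
    seq, end = _read_tlv(der, 0, 0x30)      # RSAPublicKey ::= SEQUENCE {
    n_raw, pos = _read_tlv(seq, 0, 0x02)    #   modulus INTEGER,
    e_raw, pos = _read_tlv(seq, pos, 0x02)  #   publicExponent INTEGER }
    if end != len(der) or pos != len(seq):
        raise ValueError("unexpected data after key fields")
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")
    if n.bit_length() < min_bits:  # min_bits is this example's policy, an assumption
        raise ValueError(f"modulus is only {n.bit_length()} bits")
    if e < 3 or e % 2 == 0:
        raise ValueError("invalid public exponent")
    return n.bit_length(), e, hashlib.sha256(der).hexdigest()

def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    size = len(value)
    if size < 0x80:
        return bytes([tag, size]) + value
    width = (size.bit_length() + 7) // 8
    return bytes([tag, 0x80 | width]) + size.to_bytes(width, "big") + value

def constructed_sample(bits=2048):
    """Constructed, structurally valid input for testing; not a real RSA key."""
    fields = b"".join(_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
                      for v in ((1 << (bits - 1)) | 1, 65537))
    return base64.b64encode(_tlv(0x30, fields)).decode()

if __name__ == "__main__":
    print(check_public_key(constructed_sample()))
```

Reading the returned fingerprint back to the user over a separate channel confirms that the key entered in the form is the one they generated.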

And you are done - hit launch and sit back while your infrastructure is being set up. This can take approximately 5 minutes.

User connects to the enclave

From the Deployments tab, you should now be able to see your service. Click on the share icon as highlighted below:

Share Screenshot

You can share with others and yourself by adding their usernames and roles accordingly. Everyone you share the service with will see the details in the Find & Connect tab.


Sharing an enclave with users does not give them access to the enclave service; it simply makes it visible in their Find & Connect tab. Users still have to connect to the enclave with their public/private key pair or alternative credentials.

Find & Connect Screenshot

By clicking the Connect button in the Find & Connect tab, we see details of the enclave service currently running. The steps to connect show how to connect to the service using the oblv proxy CLI. All the user has to do is replace the public/private key pair details with the keys they previously created.

oblv connect \
--pcr0 7ae48a6f5643cd31c9dd8e6f7557e16439efb33f78538ac0760a57c7c36bfb0979044a6df15e308e6bb21ee4187f4c7e \
--pcr1 5c01976a546ec6b740353189afd3bf5fe29df96328887111e7c802cf2ff5ad636deed2ab8254e7a51a45fca01d0ae062 \
--pcr2 05073f36c36df2ac8bc796ef1f1fcd97f2965aaeea71db56e6dfe6d6cfe51b75e3d10d3b4087cf4589fdc98d03bf4781 \
--private-key "<path to keys>/test_private.der" \
--public-key "<path to keys>/test_public.der" \
--url \
--port 443 --lport 3030

The lport flag allows you to use your preferred localhost port to proxy traffic to and from the enclave. From here we can send and receive traffic via localhost:3030 as if the enclave service were running on the local machine.