Nova Enclave Capsule
Build enclave applications as a developer, not as a full-time Nitro operator.
The recommended path for most teams is to start on Nova Platform so you can focus on application code, deployment, and attestation without first owning EC2 host setup. If you want the self-hosted route, this docs site also covers the full Capsule workflow on your own Nitro-enabled parent instance.
Build your app as a Docker image, add a manifest, and run capsule-cli build.
Attestation, signing, encryption, Helios RPC, S3, Nova KMS, and app wallets — all on localhost.
Start with Nova Platform for the lightest path, or follow the self-hosted Nitro host setup if you need direct control.
Five Steps to a Running Enclave
If you are taking the self-hosted route, this is the shortest path from zero to a working enclave application.
1. Set up the Nitro host
Prepare an EC2 instance with Nitro Enclave support, allocate hugepages, and install Docker.
2. Install capsule-cli
Download the pre-built binary or build from source. Verify with capsule-cli --version.
3. Write capsule.yaml
Define your app source image, ingress ports, egress policy, API settings, and resource defaults.
4. Build the capsule image
Run capsule-cli build -f capsule.yaml to produce a self-contained enclave image with your app and the Capsule Runtime inside.
5. Run the enclave
Execute sudo capsule-cli run your-app:latest -p 8080:80 to launch on the Nitro host and start serving traffic.
What Capsule Provides
Everything your application needs inside the enclave, without writing Nitro-specific code.
Attestation
NSM-backed attestation documents with automatic Ethereum address injection.
Signing
Secp256k1 key management and EIP-1559 transaction signing inside the enclave.
Encryption
P-384 ECDH + AES-256-GCM end-to-end transport encryption between client and enclave.
Helios RPC
Trustless multi-chain light client — read on-chain state without trusting external RPCs.
S3 Storage
Persistent encrypted object storage with optional KMS-derived keys.
Nova KMS
Distributed key management and key-value storage inside the Nova trust surface.
App Wallet
Enclave-native wallet with persistent address, signing, and transaction support.
Host Mounts
Persistent host-backed directories with loopback filesystem and FUSE support.
Clock Sync
Automatic wall-clock synchronization with the parent EC2 instance.
Documentation Map
Use Nova Platform if you want the fastest developer path. Use these pages when you want to understand or self-manage the full Capsule workflow.
Why Capsule
Understand the problems Capsule solves compared to raw Nitro Enclaves and confidential VMs.
Architecture
Build-time, host-side, and enclave-side flow. Component distribution and traffic paths.
Getting Started
Install the CLI, prepare your Docker app, write the manifest, build and run.
App Template
Start from the official nova-app-template for the fastest path to a working enclave app.
Examples
Reference implementations from nova-app-examples and the included hn-fetcher sample.
Minimal Example
Smallest working manifest and build/run path for a developer validating the Capsule boundary.
Nitro Host Setup
Prepare the EC2 instance, allocate memory, configure hugepages, and verify the setup.
Clock Drift
Understand why long-lived enclaves drift and how Capsule keeps time-sensitive apps working.
capsule.yaml Reference
Complete manifest schema — sources, ingress, egress, API, storage, Helios, KMS, and more.
Capsule API Reference
Full HTTP API surface: attestation, signing, encryption, randomness, S3, KMS, and wallet.
CLI Reference
capsule-cli build and run commands, flags, port mappings, and mount bindings.
Recommended reading order
Fastest path: Nova Platform → app template → examples.
Self-hosted path: Nitro Host Setup → Getting Started → capsule.yaml → Minimal Example.