Developer Documentation

Nova Enclave Capsule

Build, package, and deploy trusted Nitro Enclave applications without the raw infrastructure headache.

Nova Enclave Capsule is an open-source toolkit that abstracts the complexity of AWS Nitro Enclaves. It provides a high-level runtime surface for attestation, secure networking, and key management—letting you focus on shipping value instead of operations.


From TEE Integration to Product Workflow

Traditional enclave projects often stall at the "integration" phase. Capsule turns Nitro Enclaves into a predictable product workflow.

The Integration Project (Old Way)

  • Handling raw vsock & CID complexity
  • Building custom proxy layers
  • Integrating hardware-specific SDKs
  • Fragile time-sync & log plumbing

The Capsule Workflow (New Way)

  • Standard Docker-based builds
  • Zero-config Ingress/Egress proxies
  • High-level RESTful Capsule APIs
  • Stable, supervised runtime environment

Architecture & Modules

Capsule is built as a layered system to ensure security, isolation, and developer productivity.

Host Side

Capsule CLI & Shell

The CLI builds your Docker app into an EIF (Enclave Image Format). The Shell acts as the entrypoint in your host container, wrapping nitro-cli to launch the enclave securely.

Enclave Side

Capsule Runtime

The core supervisor running inside the enclave. It manages the app lifecycle, handles networking (ingress/egress), synchronizes the clock, and exposes the Capsule API.

Standard Capsule Manifest (capsule.yaml)
version: "v1"
run:
  ingress:
    - port: 8080
      target: 8080 # App port inside enclave
  egress:
    allow: ["api.openai.com", "eth-mainnet.alchemy.com"]
  mounts:
    - path: "/data"
      source: "hostfs"
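
A pre-deployment review of the manifest above, as an added example that is not part of the Capsule project: it takes the manifest already parsed from YAML into a dict and flags egress entries that are not bare hostnames and mounts that are host-backed. The checks are a reviewer's policy, not Capsule's own validation, and the three extra egress entries are constructed to trigger them.

```python
import ipaddress
import re

# Constructed sample: the page's capsule.yaml after YAML parsing, plus
# three deliberately weak egress entries added for illustration.
MANIFEST = {
    "version": "v1",
    "run": {
        "ingress": [{"port": 8080, "target": 8080}],
        "egress": {"allow": ["api.openai.com", "eth-mainnet.alchemy.com",
                             "*", "10.0.0.5", "https://example.com/v1"]},
        "mounts": [{"path": "/data", "source": "hostfs"}],
    },
}

# Bare hostname: dot-separated DNS labels ending in an alphabetic TLD; no scheme, port or path.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(manifest):
    """Return a list of (field, finding) tuples for a parsed manifest."""
    run = manifest.get("run", {})
    findings = []
    for i, rule in enumerate(run.get("ingress", [])):
        for key in ("port", "target"):
            value = rule.get(key)
            if not isinstance(value, int) or not 1 <= value <= 65535:
                findings.append((f"ingress[{i}].{key}", "not a valid TCP port"))
    for host in run.get("egress", {}).get("allow", []):
        if "*" in host:
            findings.append((f"egress.allow {host!r}", "wildcard widens the allow list"))
        elif is_ip(host):
            findings.append((f"egress.allow {host!r}", "IP literal, not a named destination"))
        elif not HOSTNAME.match(host.lower()):
            findings.append((f"egress.allow {host!r}", "not a bare hostname"))
    for mount in run.get("mounts", []):
        if mount.get("source") == "hostfs":
            findings.append((f"mounts {mount.get('path')!r}",
                             "host-backed: data lives outside the enclave boundary"))
    return findings

if __name__ == "__main__":
    print(*audit(MANIFEST), sep="\n")
```

The hostfs finding is informational: anything written to such a mount sits on the parent instance, so the app should encrypt and authenticate it if the host is outside its trust boundary.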

Core Features

Ingress & Egress Control

Securely route traffic into your app and restrict outbound HTTP/HTTPS traffic to an allow list of destinations. No raw proxy setup required.

Host-backed Mounts

Expose host directories inside the enclave as normal filesystem paths using our transparent hostfs proxy.

Clock Sync

Keeps the enclave wall clock accurately aligned with the host—critical for TLS and time-sensitive signing.

Runtime Supervision

Streams app logs to the host console and monitors exit status for robust production reliability.

The Capsule API Suite

We provide a unified API surface at localhost so your app never has to touch low-level Nitro SDKs.

Attestation & Randomness

Fetch signed attestation documents (Enclave Identity) and high-entropy random seeds via simple HTTP calls.

KMS & Wallet Integration

Securely derive keys and sign transactions using Nova KMS-backed identities. Supports Ethereum (secp256k1) and P-384 ECDH encryption.

S3-Backed Storage

Encrypted object storage flows that link your enclave identity directly to cloud storage buckets.

Business Use Cases

What can you ship?

Private AI Backends

Protect prompts, user context, and model parameters inside a verifiable boundary.

Risk & Policy Engines

Run scoring and fraud detection logic that is verifiable and tamper-proof.

Signing Orchestration

Keep sensitive signing flows closer to the edge with hardware-backed security.

Developer Guide

Start from a template, develop locally with a mock service, and deploy to Nitro when ready.

01 Bootstrap

Use nova-app-template to get a ready-to-go Express server and Capsule configuration.

02 Explore Examples

Check nova-app-examples for real-world patterns like secure fetchers and wallet integrations.

03 Build & Launch

Run capsule-cli build to generate your EIF and launch it on your local Nitro-enabled EC2 instance.