### Build Twitter Example Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Navigates to the nautilus directory and builds the Twitter example enclave using make. This command also generates the `nitro.pcrs` file. ```bash cd nautilus/ make ENCLAVE_APP=twitter-example ``` -------------------------------- ### Sui Client Setup for Enclave Registration Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Commands to set up the Sui client for on-chain registration, including switching networks and requesting gas. These are optional but recommended steps. ```shell # optionally sui client switch --env testnet # or appropriate network sui client gas # request gas from faucet.sui.io if needed ``` -------------------------------- ### Set Twitter Example Environment Variables Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Sets environment variables for the Twitter example, including PCR values, module names, package IDs, capability object ID, enclave config object ID, and enclave URL. Replace placeholder values with your actual registered enclave details and public IP. ```bash PCR0=18ae33028ded7643ab797342ec47b74f0efc7a690f7cb848db580e8851279fc4a4ef35816c51e8382aa358ef8e94781d PCR1=18ae33028ded7643ab797342ec47b74f0efc7a690f7cb848db580e8851279fc4a4ef35816c51e8382aa358ef8e94781d PCR2=21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a MODULE_NAME=twitter OTW_NAME=TWITTER # replace with your registered enclave ENCLAVE_PACKAGE_ID=0xcca410b231d0acfa92c7709d490ab2f15fb5619be719ee0786099ffc3f6c9ab8 APP_PACKAGE_ID=0x652875162b566bb04187c76f93215e56c28aa05487393056279e331598ba4978 CAP_OBJECT_ID=0x44f3b57aa3870762ad334424cccb7f4c785cac007baab7e987c6d6a43c6aa100 ENCLAVE_CONFIG_OBJECT_ID=0xe33641a2dae5eb4acad3859e603ec4e25641af05f837c85058645c7d8d9d831a ENCLAVE_OBJECT_ID=0x53db077721140910697668f9b2ee80fbecd104ac076d60fc1fb49ae57cd96c0d # replace with your own enclave IP ENCLAVE_URL=http://:3000 ``` -------------------------------- ### Run Nautilus Server Locally Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Use this command to run the Nautilus server locally with the weather example. Ensure RUST_LOG is set to debug for detailed logs. The API_KEY is a placeholder and should be a valid key. ```shell cd src/nautilus-server/ RUST_LOG=debug API_KEY=045a27812dbe456392913223221306 cargo run --features=weather-example --bin nautilus-server ``` -------------------------------- ### Reset Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Execute this script to reset the enclave. This is typically done before repeating setup steps. ```shell cd nautilus/ sh reset_enclave.sh ``` -------------------------------- ### Configure Enclave Environment Variables Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Set environment variables for AWS credentials and the application name before running the configuration script. Ensure your AWS account is set up and the CLI is installed. ```shell export KEY_PAIR= export AWS_ACCESS_KEY_ID= export AWS_SECRET_ACCESS_KEY= export AWS_SESSION_TOKEN= sh configure_enclave.sh # e.g. `sh configure_enclave.sh weather-example` ``` -------------------------------- ### Get Attestation Endpoint Source: https://context7.com/mystenlabs/nautilus/llms.txt Returns an AWS Nitro Enclave attestation document committed to the enclave's ephemeral public key. ```APIDOC ## GET /get_attestation ### Description Returns an AWS Nitro Enclave attestation document committed to the enclave's ephemeral public key, serialized as a Hex string. This document is used during on-chain registration to prove that a specific binary (identified by its PCR values) generated the key pair. This endpoint requires the NSM driver and only works inside a running enclave. ### Method GET ### Endpoint /get_attestation ### Request Example ```bash curl -H 'Content-Type: application/json' -X GET http://:3000/get_attestation ``` ### Response #### Success Response (200) - **attestation** (string) - The Hex-serialized attestation document. #### Response Example ```json { "attestation": "8444a1013822a0591120a9696d6f64756c655f69..." } ``` ``` -------------------------------- ### Build and Run Enclave Application Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Navigate to the Nautilus directory, build the enclave image using 'make ENCLAVE_APP', run the enclave with 'make run', and expose the HTTP endpoint using 'expose_enclave.sh'. ```shell cd nautilus/ make ENCLAVE_APP= # this builds the enclave, e.g. `make ENCLAVE_APP=weather-example` make run # run the enclave sh expose_enclave.sh # this exposes port 3000 to the Internet for traffic ``` -------------------------------- ### Build, Run, and Expose Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Build the enclave application, run it, and expose it via a network interface. This step requires configuring the EC2 instance and updating the seal_config.yaml. ```shell # update seal_config.yaml with APP_PACKAGE_ID inside the enclave # configure ec2 instance for enclave, see main guide for more details: UsingNautilus.md # ssh in the ec2 instance containing the repo on configured diff: docker build, run and expose make ENCLAVE_APP=seal-example && make run && sh expose_enclave.sh ``` -------------------------------- ### Build and Run Enclave with Makefile Source: https://context7.com/mystenlabs/nautilus/llms.txt Makefile targets for building the Rust server into an EIF binary using a reproducible Docker-based build, producing deterministic PCR values. Includes options for production and debug runs, exposing ports, and resetting the enclave. ```bash # SSH into the EC2 instance and clone the repository cd nautilus/ # Build the enclave image (produces out/nautilus.eif and out/nitro.pcrs) make ENCLAVE_APP=weather-example # Run the enclave in production mode (PCRs are valid) make run # Run in debug mode (all PCRs will be zeros — not for production) make run-debug # Expose port 3000 to the internet sh expose_enclave.sh # Reset and restart the enclave if needed sh reset_enclave.sh make ENCLAVE_APP=weather-example make run sh expose_enclave.sh ``` -------------------------------- ### Publish Enclave and Seal-Policy Packages Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Build and publish the enclave and seal-policy Move packages. Ensure to capture the output package IDs for subsequent steps. ```shell # publish the enclave package cd move/enclave sui move build && sui client publish # find this in output and set env var ENCLAVE_PACKAGE_ID=0x8ecf22e78c90c3e32833d76d82415d7e4227ea370bec4efdad4c4830cbda9e49 # publish the seal-policy app package cd ../seal-policy sui move build && sui client publish # find these in output and set env vars CAP_OBJECT_ID=0xbd6ad872040eddc08f20ff11e20a3dc030c3e30f4ab2303a0c42447006724262 ENCLAVE_CONFIG_OBJECT_ID=0x3ee612ffc17f29280b8479c36a1096a339e38c353a7662baa559ba4d879dd4de APP_PACKAGE_ID=0x7f0171b76f82cd61ebb4ac3fd502deac6552e9becd38be28d5692b69b5fdb54e ``` -------------------------------- ### Deploy Dapp Logic with Sui Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Build and publish your Dapp's Move package. This step requires setting environment variables for CAP_OBJECT_ID, ENCLAVE_CONFIG_OBJECT_ID, and APP_PACKAGE_ID from the publish output. ```shell # deploy your dapp logic cd ../ sui move build sui client publish ``` -------------------------------- ### Deploy Enclave Package with Sui Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Build and publish the enclave Move package to the Sui network. The output will provide the ENCLAVE_PACKAGE_ID needed for subsequent steps. ```shell # deploy the enclave package cd move/enclave sui move build sui client publish ``` -------------------------------- ### Set Environment Variables for Registration Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Populate necessary environment variables before registering the enclave. This includes package IDs, PCR values, and the enclave URL. ```shell # record ENCLAVE_PACKAGE_ID as env var from publish output ENCLAVE_PACKAGE_ID=0x3b009f952e11f0fa0612d0a8e07461fb69edc355d732e5d6e39267b1b4fd7138 # record CAP_OBJECT_ID (owned object of type Cap), ENCLAVE_CONFIG_OBJECT_ID (shared object), APP_PACKAGE_ID (package containing weather module) as env var from publish output CAP_OBJECT_ID=0xb232d20245ba2d624d1c1628c4fc062bd1d3249601385476d9736fc60c897d2b ENCLAVE_CONFIG_OBJECT_ID=0x9a50017ab37090ef4b5704eb24201c88b2e4bbad2aad1d4e69ecf1bdfbae9ccb APP_PACKAGE_ID=0x097b551dec72f0c47e32e5f8114d0d12a98ab31762d21adff295f6d95d353154 # record the deployed enclave url, e.g. http://:3000 ENCLAVE_URL= # the module name and otw name used to create the dapp, defined in your Move code `fun init` MODULE_NAME=weather OTW_NAME=WEATHER # make sure all env vars are populated echo $APP_PACKAGE_ID echo $ENCLAVE_PACKAGE_ID echo $CAP_OBJECT_ID echo $ENCLAVE_CONFIG_OBJECT_ID echo 0x$PCR0 echo 0x$PCR1 echo 0x$PCR2 echo $MODULE_NAME echo $OTW_NAME echo $ENCLAVE_URL ``` -------------------------------- ### Fetch Seal Keys using CLI Source: https://context7.com/mystenlabs/nautilus/llms.txt Fetches Seal keys using the `seal-cli` tool. Requires a fetch key request and specifies network and other parameters. ```bash cargo run --bin seal-cli fetch-keys \ --request \ -k 0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75,0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8 \ -t 2 -n testnet ``` -------------------------------- ### Build Nautilus Enclave Locally Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Build the Nautilus enclave locally to ensure reproducible builds. This command uses 'make' and specifies the enclave application to build. ```shell cd nautilus/ make ENCLAVE_APP=weather-example ``` -------------------------------- ### Move: Create EnclaveConfig Source: https://context7.com/mystenlabs/nautilus/llms.txt Creates a shared EnclaveConfig on-chain to store expected PCR values for an enclave binary. Uses a one-time witness for distinct application configs and a Cap object for updating PCRs and registering enclaves. ```move module app::weather { use enclave::enclave::{Self}; public struct WEATHER has drop {} fun init(otw: WEATHER, ctx: &mut TxContext) { // Create capability for this dapp let cap = enclave::new_cap(otw, ctx); // Create shared EnclaveConfig with initial (placeholder) PCRs cap.create_enclave_config( b"weather enclave".to_string(), x"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", // pcr0 x"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", // pcr1 x"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", // pcr2 ctx, ); transfer::public_transfer(cap, ctx.sender()); } } ``` -------------------------------- ### Use the Enclave Service Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Once the enclave server is fully functional, it can process data. Replace `` with the actual public IP address of the enclave. ```bash curl -H 'Content-Type: application/json' -d '{"payload": { "location": "San Francisco"}}' -X POST http://:3000/process_data ``` ```json {"response":{"intent":0,"timestamp_ms":1755805500000,"data":{"location":"San Francisco","temperature":18}},"signature":"4587c11eafe8e78c766c745c9f89b3bb7fd1a914d6381921e8d7d9822ddc9556966932df1c037e23bedc21f369f6edc66c1b8af019778eb6b1ec1ee7f324e801"} ``` -------------------------------- ### Initialize Seal Key Load Request Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Initiates the key load process by sending a request to the enclave. This step requires the enclave object ID and its initial shared version. The response contains an encoded request to be used in the next step. ```bash # use ENCLAVE_OBJECT_ID and ENCLAVE_OBJ_VERSION from step 0 curl -X POST http://localhost:3001/admin/init_seal_key_load \ -H 'Content-Type: application/json' \ -d '{"enclave_object_id": "'$ENCLAVE_OBJECT_ID'", "initial_shared_version": '$ENCLAVE_OBJ_VERSION'}' # Expected response: {"encoded_request":""} ``` -------------------------------- ### Register Enclave On-Chain Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Calls the `get_attestation` endpoint from your enclave URL and uses it to call `register_enclave` on-chain to register the public key. This results in the creation of the enclave object. ```bash sh ../../register_enclave.sh $ENCLAVE_PACKAGE_ID $APP_PACKAGE_ID $ENCLAVE_CONFIG_OBJECT_ID $ENCLAVE_URL $MODULE_NAME $OTW_NAME ``` -------------------------------- ### Configure Enclave with AWS Credentials Source: https://context7.com/mystenlabs/nautilus/llms.txt Shell script to provision an AWS EC2 instance, build the Rust application into an EIF, and configure HTTP traffic forwarding. Optionally stores API secrets in AWS Secrets Manager. Requires setting AWS credentials and potentially a custom region and AMI ID. ```bash # Set AWS credentials export KEY_PAIR=my-key-pair export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY export AWS_SESSION_TOKEN=AQoDYXdzEJr... # Configure enclave for the weather example sh configure_enclave.sh weather-example # Interactive prompts: # Enter EC2 instance base name: weather # Do you want to use a secret? (y/n): y # Do you want to create a new secret or use an existing secret ARN? (new/existing): new # Enter secret name: weather-api-key # Enter secret value: 045a27812dbe456392913223221306 # For a custom region: export REGION=eu-west-1 export AMI_ID=ami-0abc123def456789 # Amazon Linux AMI for your region sh configure_enclave.sh weather-example # View all options: sh configure_enclave.sh -h ``` -------------------------------- ### Provision Weather API Key Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Provision the weather API key to the enclave. This endpoint is application-specific and can be modified or extended as needed. Repeat Step 1 to encrypt other data using ID value 0 and provision them to the enclave with an endpoint. ```bash curl -X POST http://localhost:3001/admin/provision_weather_api_key \ -H "Content-Type: application/json" \ -d '{ "encrypted_object": "" }' ``` ```json {"status":"OK"} ``` -------------------------------- ### Attempt to Process Data Without API Key Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md This command demonstrates an attempt to process data before the API key is initialized. It will result in an error indicating that the API key is not initialized. ```bash curl -H 'Content-Type: application/json' -d '{"payload": { "location": "San Francisco"}}' -X POST http://:3000/process_data {"error":"API key not initialized. Please complete key load first."} ``` -------------------------------- ### Nautilus Server Run Script Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md The run.sh script is used to execute the Rust server within the enclave after setting up domains and the traffic forwarder. This script should not be modified. ```shell run.sh Runs the Rust server inside the enclave after configuring domains and the traffic forwarder. Do not modify. ``` -------------------------------- ### Initialize Seal Key Load Source: https://context7.com/mystenlabs/nautilus/llms.txt Initializes the key load process for Seal encryption. This command is run on the EC2 host and communicates with the enclave via port 3001, providing the enclave object ID and initial shared version. This is the second step in the Seal-Nautilus pattern. ```bash # Step 2: Initialize key load (run on EC2 host, communicates to enclave via port 3001) curl -X POST http://localhost:3001/admin/init_seal_key_load \ -H 'Content-Type: application/json' \ -d '{"enclave_object_id": "'$ENCLAVE_OBJECT_ID'", "initial_shared_version": '$ENCLAVE_OBJ_VERSION'}' # Output: {"encoded_request":""} ``` -------------------------------- ### Process Data with Customizable Off-Chain Logic Source: https://context7.com/mystenlabs/nautilus/llms.txt This is the customizable computation endpoint. It accepts a JSON payload, executes off-chain logic (like fetching external data), and returns a BCS-serialized `IntentMessage` signed with the enclave's ephemeral Ed25519 key. The signature and payload can be submitted on-chain for verification. Replace the weather logic with your own application-specific computation. ```bash # Weather example: fetch current temperature for a location curl -H 'Content-Type: application/json' \ -d '{"payload": {"location": "San Francisco"}}' \ -X POST http://:3000/process_data ``` ```json { "response": { "intent": 0, "timestamp_ms": 1744683300000, "data": { "location": "San Francisco", "temperature": 13 } }, "signature": "77b6d8be225440d00f3d6eb52e91076a8927cebfb520e58c19daf31ecf06b3798ec3d3ce9630a9eceee46d24f057794a60dd781657cb06d952269cfc5ae19500" } ``` ```bash # Test locally (no NSM driver needed for process_data): cd src/nautilus-server/ RUST_LOG=debug API_KEY=045a27812dbe456392913223221306 \ cargo run --features=weather-example --bin nautilus-server ``` -------------------------------- ### Request Weather Data from Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Send a POST request to the enclave to retrieve weather data for a specific location. Ensure the public IP and port are correctly configured. ```shell curl -H 'Content-Type: application/json' -d '{"payload": { "location": "San Francisco"}}' -X POST http://:3000/process_data {"response":{"intent":0,"timestamp_ms":1744683300000,"data":{"location":"San Francisco","temperature":13}},"signature":"77b6d8be225440d00f3d6eb52e91076a8927cebfb520e58c19daf31ecf06b3798ec3d3ce9630a9eceee46d24f057794a60dd781657cb06d952269cfc5ae19500"} ``` -------------------------------- ### Fetch Keys from Seal Servers Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Fetches encrypted key shares from seal servers using the encoded request obtained from the previous step. This command requires the request, key server IDs, threshold, and network. The output is an encoded list of seal responses. ```bash # in seal repo cargo run --bin seal-cli fetch-keys --request \ -k 0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75,0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8 \ -t 2 \ -n testnet Encoded seal responses: ``` -------------------------------- ### Allowed Endpoints Configuration Source: https://context7.com/mystenlabs/nautilus/llms.txt YAML configuration file declaring external HTTPS domains the enclave can contact. Changes require re-running `configure_enclave.sh`. ```yaml endpoints: - api.weatherapi.com # WeatherAPI for current conditions # For the Twitter example: # endpoints: # - api.twitter.com # For Seal-enabled enclaves, add the Seal key server domain: # endpoints: # - api.weatherapi.com # - seal.walrus.xyz ``` -------------------------------- ### Check Enclave Health and Connectivity Source: https://context7.com/mystenlabs/nautilus/llms.txt Use this endpoint to probe external domains and retrieve the enclave's current ephemeral public key and connectivity status for each configured domain. This endpoint is pre-built and requires no modification. ```bash curl -H 'Content-Type: application/json' -X GET http://:3000/health_check ``` ```json { "pk": "f343dae1df7f2c4676612368e40bf42878e522349e4135c2caa52bc79f0fc6e2", "endpoints_status": { "api.weatherapi.com": true } } ``` -------------------------------- ### Nautilus Server Structure Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Overview of the directory structure for a Nautilus application, including Move modules for onchain logic and Rust for offchain enclave logic. ```shell /move /enclave Utility functions for generating enclave config and registering the public key with an attestation document. /weather-example Entry point for onchain logic as an example, which uses enclave functions to run your Nautilus application logic. /twitter-example Entry point for onchain logic as another example, which uses enclave functions to run your Nautilus application logic. /src /nautilus-server Nautilus server that runs inside the enclave. /src /apps /weather-example Example directory — replace with your own application logic as needed. mod.rs The process_data endpoints and related artifacts to fetch weather data. Replace this with your offchain computation logic. allowed_endpoints.yaml This file lists all endpoints the enclave is allowed to access. By default, the enclave has no internet access unless the parent EC2 instance explicitly forwards traffic. During the configuration step, this file is used to generate the necessary code to enable limited traffic forwarding from the enclave. /twitter-example Another example directory with similar parts as for above example. mod.rs allowed_endpoints.yaml /seal-example Another example directory with similar parts as for above example. This is an example to use Seal and Nautilus pattern, see more details in src/nautilus-server/src/apps/seal-example/README.md. mod.rs allowed_endpoints.yaml run.sh Runs the Rust server inside the enclave after configuring domains and the traffic forwarder. Do not modify. common.rs Common code for retrieving attestation. Do not modify. ``` -------------------------------- ### Process Data via Enclave API Source: https://context7.com/mystenlabs/nautilus/llms.txt Sends data to the enclave for processing via a POST request to the `/process_data` endpoint. The enclave's public IP address must be specified. ```bash curl -H 'Content-Type: application/json' \ -d '{"payload": {"location": "San Francisco"}}' \ -X POST http://:3000/process_data ``` -------------------------------- ### Encrypt Secret with Seal CLI Source: https://context7.com/mystenlabs/nautilus/llms.txt Encrypts a secret using the Seal CLI. Requires the secret value, an ID, the application package ID, type, and a comma-separated list of keys. This is the first step in the Seal-Nautilus pattern for encrypted secret provisioning. ```bash # Step 1: Encrypt a secret using the Seal CLI (run from the Seal repo) APP_PACKAGE_ID=0x2080f9c370ddb22c48d6377f8aa64883c3a1c61d3febbcc18b6bf70553ae45a0 cargo run --bin seal-cli encrypt \ --secret 303435613237383132646265343536333932393133323233323231333036 \ --id 0x00 \ -p $APP_PACKAGE_ID \ -t 2 \ -k 0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75,0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8 \ -n testnet # Output: ``` -------------------------------- ### Move: Update PCRs Source: https://context7.com/mystenlabs/nautilus/llms.txt Updates PCR values in an EnclaveConfig after enclave binary build. Requires Cap capability and increments config version. Obtain PCR values using `make ENCLAVE_APP= && cat out/nitro.pcrs`. ```bash # Build enclave and retrieve PCR values cd nautilus/ make ENCLAVE_APP=weather-example cat out/nitro.pcrs # PCR0=14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 # PCR1=14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 # PCR2=21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a # Update PCRs on-chain via Sui CLI sui client call \ --function update_pcrs \ --module enclave \ --package $ENCLAVE_PACKAGE_ID \ --type-args "$APP_PACKAGE_ID::weather::WEATHER" \ --args $ENCLAVE_CONFIG_OBJECT_ID $CAP_OBJECT_ID \ 0x14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 \ 0x14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 \ 0x21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a ``` -------------------------------- ### Complete Key Load via API Source: https://context7.com/mystenlabs/nautilus/llms.txt Completes the key load process by sending encoded Seal responses to the enclave's admin endpoint. This is typically run on the EC2 host. ```bash curl -X POST http://localhost:3001/admin/complete_seal_key_load \ -H "Content-Type: application/json" \ -d '{"seal_responses": ""}' ``` -------------------------------- ### Register Enclave On-Chain Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Register the enclave on the blockchain by executing the `register_enclave.sh` script with all the necessary parameters, including package IDs, enclave URL, and module names. ```shell # register the enclave onchain sh register_enclave.sh $ENCLAVE_PACKAGE_ID $APP_PACKAGE_ID $ENCLAVE_CONFIG_OBJECT_ID $ENCLAVE_URL $MODULE_NAME $OTW_NAME ``` -------------------------------- ### Test Process Data Endpoint Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Send a POST request to the /process_data endpoint with a JSON payload to test the server's data processing capabilities. The response includes the processed data and a signature. ```shell curl -H 'Content-Type: application/json' -d '{"payload": { "location": "San Francisco"}}' -X POST http://localhost:3000/process_data ``` ```json {"response":{"intent":0,"timestamp_ms":1744041600000,"data":{"location":"San Francisco","temperature":13}},"signature":"b75d2d44c4a6b3c676fe087465c0e85206b101e21be6cda4c9ab2fd4ba5c0d8c623bf0166e274c5491a66001d254ce4c8c345b78411fdee7225111960cff250a"} ``` -------------------------------- ### Provision Encrypted API Key to Enclave Source: https://context7.com/mystenlabs/nautilus/llms.txt Provisions an encrypted API key to the enclave using a POST request to the admin endpoint. Requires the encrypted object to be provided in the request body. ```bash curl -X POST http://localhost:3001/admin/provision_weather_api_key \ -H "Content-Type: application/json" \ -d '{"encrypted_object": ""}' ``` -------------------------------- ### Display Nitro PCRs Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Displays the contents of the `nitro.pcrs` file, which contains the Platform Configuration Registers (PCRs) for the enclave. ```bash cat out/nitro.pcrs ``` -------------------------------- ### Update Move Contract with Weather Data Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Call the `update_weather` function in the Move contract using the data obtained from the enclave. This script requires several environment variables and parameters. ```shell sh ../../update_weather.sh \ $APP_PACKAGE_ID \ $MODULE_NAME \ $OTW_NAME \ $ENCLAVE_OBJECT_ID \ "77b6d8be225440d00f3d6eb52e91076a8927cebfb520e58c19daf31ecf06b3798ec3d3ce9630a9eceee46d24f057794a60dd781657cb06d952269cfc5ae19500" \ 1744683300000 \ "San Francisco" \ 13 ``` -------------------------------- ### Bash: Register Enclave Source: https://context7.com/mystenlabs/nautilus/llms.txt Verifies an AWS Nitro attestation document against EnclaveConfig PCRs and extracts the enclave's public key. Creates a shared Enclave object if PCRs match. This script should be repeated when the server code changes. ```bash # Fetch attestation from the running enclave and register it on-chain sh register_enclave.sh \ $ENCLAVE_PACKAGE_ID \ $APP_PACKAGE_ID \ $ENCLAVE_CONFIG_OBJECT_ID \ $ENCLAVE_URL \ weather \ WEATHER # On success, a shared Enclave object is created: # ENCLAVE_OBJECT_ID=0x1c9ccfc0f391f5e679e1f9f7d53c7fa455bf977e0f6dc71222990401f359c42a # Move equivalent (called internally by the script): ``` -------------------------------- ### Rust: Sign BCS-serialized IntentMessage Source: https://context7.com/mystenlabs/nautilus/llms.txt Signs a BCS-serialized IntentMessage using an enclave's Ed25519 key. Wraps data with intent scope and timestamp, serializes using BCS, and returns a signature and the processed data. Ensure BCS layout matches Move-side deserialization. ```rust use crate::common::{to_signed_response, IntentMessage}; use fastcrypto::{ed25519::Ed25519KeyPair, traits::KeyPair}; #[derive(Serialize, Deserialize, Clone)] pub struct WeatherResponse { pub location: String, pub temperature: u64, } // Inside your process_data handler: let response = to_signed_response( &state.eph_kp, // Ed25519KeyPair from AppState WeatherResponse { location: "San Francisco".to_string(), temperature: 13, }, 1744683300000u64, // timestamp_ms 0u8, // intent scope byte ); // response.signature == Hex-encoded Ed25519 signature // response.response == IntentMessage { intent: 0, timestamp_ms: ..., data: WeatherResponse } // BCS serialization test (must match Move side): let intent_msg = IntentMessage::new(payload, 1744038900000, 0u8); let bytes = bcs::to_bytes(&intent_msg).unwrap(); assert_eq!( bytes, hex::decode("0020b1d110960100000d53616e204672616e636973636f0d00000000000000").unwrap() ); ``` -------------------------------- ### View Enclave PCRs Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Display the Platform Configuration Registers (PCRs) for the built enclave. These values are crucial for on-chain registration. ```shell cat out/nitro.pcrs ``` ```text PCR0=14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 PCR1=14245f411c034ca453c7afcc666007919ca618da943e5a78823819e9bcee2084c4d9f582a3d4c99beb80ad1c3ea290f7 PCR2=21b9efbc184807662e966d34f390821309eeac6802309798826296bf3e8bec7c10edb30948c90ba67310f7b964fc500a ``` -------------------------------- ### Configure Region and AMI ID for Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md If your AWS account is not in us-east-1, specify your region and find a suitable Amazon Linux AMI ID for your region. Refer to AWS documentation for details. ```shell export REGION= export AMI_ID= ``` -------------------------------- ### Interact with Enclave Endpoints Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Use curl commands to interact with the enclave's health check, attestation, and data processing endpoints. Replace with the actual public IP address of your instance. ```shell curl -H 'Content-Type: application/json' -X GET http://:3000/health_check ``` ```shell curl -H 'Content-Type: application/json' -X GET http://:3000/get_attestation ``` ```shell curl -H 'Content-Type: application/json' -d '{"payload": { "location": "San Francisco"}}' -X POST http://:3000/process_data ``` -------------------------------- ### Retrieve Enclave Attestation Document Source: https://context7.com/mystenlabs/nautilus/llms.txt This endpoint returns an AWS Nitro Enclave attestation document, which is committed to the enclave's ephemeral public key and serialized as a Hex string. It's crucial for on-chain registration to prove that a specific binary generated the key pair. This endpoint requires the NSM driver and only functions within a running enclave. ```bash curl -H 'Content-Type: application/json' -X GET http://:3000/get_attestation ``` ```json { "attestation": "8444a1013822a0591120a9696d6f64756c655f69..." } ``` -------------------------------- ### Update PCRs and Register Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Reuses the steps outlined previously to update PCRs or register the enclave again. This is necessary if the Nautilus server code has been modified. ```bash # To update the PCRs or register the enclave again, reuse the steps outlined in the section above. ``` -------------------------------- ### Submit Enclave Response On-Chain Source: https://context7.com/mystenlabs/nautilus/llms.txt Shell script to submit an enclave response to the blockchain. Requires application package ID, enclave object ID, signature, timestamp, location, and temperature. ```bash # Submit enclave response on-chain via script sh update_weather.sh \ $APP_PACKAGE_ID \ weather \ WEATHER \ $ENCLAVE_OBJECT_ID \ "77b6d8be225440d00f3d6eb52e91076a8927cebfb520e58c19daf31ecf06b3798ec3d3ce9630a9eceee46d24f057794a60dd781657cb06d952269cfc5ae19500" \ 1744683300000 \ "San Francisco" \ 13 ``` -------------------------------- ### Process Data Endpoint Source: https://context7.com/mystenlabs/nautilus/llms.txt Performs customizable off-chain computation and returns a signed IntentMessage. ```APIDOC ## POST /process_data ### Description The customizable computation endpoint. Accepts a JSON payload, performs off-chain logic (e.g., fetching external data), and returns a BCS-serialized `IntentMessage` signed with the enclave's ephemeral Ed25519 key. The signature and payload can be submitted on-chain for verification. Replace the weather logic with your own application-specific computation. ### Method POST ### Endpoint /process_data ### Parameters #### Request Body - **payload** (object) - Required - The input payload for the off-chain computation. The structure depends on the specific implementation (e.g., `{"location": "San Francisco"}`). ### Request Example ```bash # Weather example: fetch current temperature for a location curl -H 'Content-Type: application/json' \ -d '{"payload": {"location": "San Francisco"}}' \ -X POST http://:3000/process_data ``` ### Response #### Success Response (200) - **response** (object) - The result of the off-chain computation, including intent, timestamp, and data. - **signature** (string) - The Ed25519 signature of the IntentMessage. #### Response Example ```json { "response": { "intent": 0, "timestamp_ms": 1744683300000, "data": { "location": "San Francisco", "temperature": 13 } }, "signature": "77b6d8be225440d00f3d6eb52e91076a8927cebfb520e58c19daf31ecf06b3798ec3d3ce9630a9eceee46d24f057794a60dd781657cb06d952269cfc5ae19500" } ``` ``` -------------------------------- ### Verify AWS Nitro Enclaves Root Certificate Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Download the Sui-specific Nitro root certificate and the official AWS Nitro Enclaves root certificate. Verify their SHA256 hashes match to ensure trust. ```shell curl https://raw.githubusercontent.com/MystenLabs/sui/refs/heads/main/crates/sui-types/src/nitro_root_certificate.pem -o cert_sui.pem sha256sum cert_sui.pem curl https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip -o cert_aws.zip unzip cert_aws.zip sha256sum root.pem 6eb9688305e4bbca67f44b59c29a0661ae930f09b5945b5d1d9ae01125c8d6c0 # check it matches from the one downloaded from the Sui repo ``` -------------------------------- ### Nautilus Server Common Code Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md The common.rs file contains common code for retrieving attestation data within the Nautilus server. This file should not be modified. ```rust common.rs Common code for retrieving attestation. Do not modify. ``` -------------------------------- ### Provide Secret for Enclave Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md When prompted, enter values for the enclave's base name, whether to use a secret, and if creating a new secret, its name and value. This is used for sensitive information like API keys. ```shell Enter EC2 instance base name: weather # anything you like Do you want to use a secret? (y/n): y Do you want to create a new secret or use an existing secret ARN? (new/existing): new Enter secret name: weather-api-key # anything you like Enter secret value: 045a27812dbe456392913223221306 # this is an example api key, you can get your own at weatherapi.com ``` -------------------------------- ### Verify AWS Root Certificate Source: https://context7.com/mystenlabs/nautilus/llms.txt Compares the AWS Nitro root certificate bundled in the Sui repo with the official AWS-distributed certificate using SHA256 checksums. ```bash # Download the certificate stored in the Sui repo curl https://raw.githubusercontent.com/MystenLabs/sui/refs/heads/main/crates/sui-types/src/nitro_root_certificate.pem \ -o cert_sui.pem sha256sum cert_sui.pem # 6eb9688305e4bbca67f44b59c29a0661ae930f09b5945b5d1d9ae01125c8d6c0 # Download and verify against the official AWS certificate curl https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip -o cert_aws.zip unzip cert_aws.zip sha256sum root.pem # 6eb9688305e4bbca67f44b59c29a0661ae930f09b5945b5d1d9ae01125c8d6c0 ← must match ``` -------------------------------- ### Encrypt Secret with Seal CLI Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Encrypts a secret value using the Seal CLI. This command requires the application package ID, an identity, threshold, key server IDs, and the network. The output is an encrypted object used in a later step. ```bash # in seal repo # set package id from step 0 APP_PACKAGE_ID=0x2080f9c370ddb22c48d6377f8aa64883c3a1c61d3febbcc18b6bf70553ae45a0 cargo run --bin seal-cli encrypt --secret 303435613237383132646265343536333932393133323233323231333036 \ --id 0x00 \ -p $APP_PACKAGE_ID \ -t 2 \ -k 0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75,0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8 \ -n testnet Encrypted object: ``` -------------------------------- ### Complete Seal Key Load Source: https://github.com/mystenlabs/nautilus/blob/main/src/nautilus-server/src/apps/seal-example/README.md Completes the key load process by sending the encoded seal responses to the enclave. If successful, the enclave decrypts and caches the seal keys in memory, allowing it to process requests. ```bash curl -X POST http://localhost:3001/admin/complete_seal_key_load \ -H "Content-Type: application/json" \ -d '{ "seal_responses": "" }' # Expected response: {"status":"OK"} ``` -------------------------------- ### Set Enclave Object ID Environment Variable Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Records the created shared object `ENCLAVE_OBJECT_ID` as an environment variable from the registration output. ```bash ENCLAVE_OBJECT_ID=0x1c9ccfc0f391f5e679e1f9f7d53c7fa455bf977e0f6dc71222990401f359c42a ``` -------------------------------- ### Health Check Endpoint Source: https://context7.com/mystenlabs/nautilus/llms.txt Probes external domains and returns the enclave's ephemeral public key and connectivity status. ```APIDOC ## GET /health_check ### Description Probes all allowed external domains listed in `allowed_endpoints.yaml` and returns the enclave's current ephemeral public key along with the connectivity status for each configured domain. This endpoint is built into the template and requires no modification. ### Method GET ### Endpoint /health_check ### Request Example ```bash curl -H 'Content-Type: application/json' -X GET http://:3000/health_check ``` ### Response #### Success Response (200) - **pk** (string) - The enclave's ephemeral public key. - **endpoints_status** (object) - An object mapping domain names to their connectivity status (boolean). #### Response Example ```json { "pk": "f343dae1df7f2c4676612368e40bf42878e522349e4135c2caa52bc79f0fc6e2", "endpoints_status": { "api.weatherapi.com": true } } ``` ``` -------------------------------- ### Update PCRs On-Chain Source: https://github.com/mystenlabs/nautilus/blob/main/UsingNautilus.md Calls the `update_pcrs` function on-chain with the enclave capability and built PCRs. This can be reused to update PCRs if the Rust server code is updated. ```bash sui client call --function update_pcrs --module enclave --package $ENCLAVE_PACKAGE_ID --type-args "$APP_PACKAGE_ID::$MODULE_NAME::$OTW_NAME" --args $ENCLAVE_CONFIG_OBJECT_ID $CAP_OBJECT_ID 0x$PCR0 0x$PCR1 0x$PCR2 ```