PrivasysDeploy Enclave OS
Build and deploy Enclave OS (Mini) on SGX hardware: prerequisites, building, provisioning, and running.
If you want a managed deployment experience instead, the Developer Platform handles hardware allocation, builds, and attestation for you. See Getting Started.
This guide walks you through building Enclave OS from source and deploying it on Intel SGX hardware.
Repository: github.com/Privasys/enclave-os-mini
Prerequisites
Host machine (build + run)
| Dependency | Purpose | Install |
|---|---|---|
| Rust nightly-2025-12-01 | Enclave compilation | rustup install nightly-2025-12-01 |
rust-src component | SGX sysroot build | rustup component add rust-src --toolchain nightly-2025-12-01 |
| Intel SGX SDK 2.25 | sgx_edger8r, sgx_sign, runtime libs | Intel SGX SDK |
| Intel SGX PSW | AESM service (quoting) | apt install sgx-aesm-service libsgx-dcap-ql |
| CMake 3.20+ | Build system | apt install cmake |
| GCC / build-essential | C compiler (EDL glue, RocksDB) | apt install build-essential |
| pkg-config | Library discovery | apt install pkg-config |
WASM development (optional)
| Dependency | Purpose | Install |
|---|---|---|
| Rust stable 1.82+ | WASM app compilation | rustup update stable |
wasm32-wasip2 target | WASI Component Model | rustup target add wasm32-wasip2 |
| cargo-component | WIT-based WASM builds | cargo install cargo-component |
| Wasmtime CLI | AOT pre-compilation | cargo install wasmtime-cli |
Building the Enclave
Standard build (no WASM)
git clone https://github.com/Privasys/enclave-os-mini.git
cd enclave-os-mini
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build -j$(nproc)Outputs in build/bin/:
enclave-os-host: untrusted host binaryenclave.signed.so: signed SGX enclave
Build with WASM runtime
The WASM runtime requires a composition crate that combines the base enclave with the WASM module. The wasm-app-example repository provides one:
# Clone the composition crate
git clone https://github.com/Privasys/wasm-app-example.git
# Build enclave-os-mini with WASM enabled
cd enclave-os-mini
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release \
-DENABLE_WASM=ON \
-DWASM_ENCLAVE_DIR=/path/to/wasm-app-example/enclave
cmake --build build -j$(nproc)The -DWASM_ENCLAVE_DIR flag is required when -DENABLE_WASM=ON; it points CMake at the composition crate that registers the WASM module.
Build options
| CMake flag | Default | Description |
|---|---|---|
CMAKE_BUILD_TYPE | Debug | Release for production (LTO, no debug symbols) |
ENABLE_WASM | OFF | Enable the WASM runtime module |
WASM_ENCLAVE_DIR | (none) | Path to the WASM composition crate (required when ENABLE_WASM=ON) |
Host-only build (development on Windows/macOS)
For local development without SGX hardware, build only the host crate in mock mode:
cargo build --manifest-path host/Cargo.tomlRunning tests
cargo test --workspaceRunning the Enclave
First run: provision CA material
On the first run, provide the intermediary CA certificate and private key so the enclave can seal them:
cd build/bin
./enclave-os-host \
--port 8443 \
--kv-path ./kvdata \
--ca-cert /path/to/intermediary-ca.crt \
--ca-key /path/to/intermediary-ca.key \
--egress-ca-bundle /etc/ssl/certs/ca-certificates.crt \
--debug| Flag | Required | Description |
|---|---|---|
--port | yes | TLS listen port |
--kv-path | yes | Directory for RocksDB encrypted KV store |
--ca-cert | first run | PEM or DER intermediary CA certificate |
--ca-key | first run | PEM or PKCS#8 CA private key (ECDSA P-256) |
--egress-ca-bundle | optional | Root CA bundle for HTTPS egress |
--debug | optional | Enable debug logging |
The enclave will:
- Generate an AES-256 master key via RDRAND
- Seal everything into a unified
SealedConfig(MRENCLAVE policy) - Store the sealed blob in the KV store
- Start the RA-TLS server
Subsequent restarts
The enclave automatically unseals the config, so no flags are needed beyond port and KV path:
./enclave-os-host \
--port 8443 \
--kv-path ./kvdataProviding --ca-cert or --ca-key on restart updates the sealed config (e.g. CA rotation). The master key is preserved.
Production deployment
For production, run the enclave behind a Layer 4 (TCP passthrough) proxy. The enclave terminates TLS internally, so the proxy must NOT terminate TLS.
See the Layer 4 Proxy Guide for Caddy (caddy-l4) and HAProxy configurations.
Loading WASM Apps
The enclave starts empty; no WASM apps are compiled in. Apps are loaded at runtime over the RA-TLS connection. See Build a WASM App for the full workflow.
Quick start
# 1. Build the WASM app
cd wasm-app-example
cargo component build --release
# 2. Pre-compile to .cwasm
wasmtime compile target/wasm32-wasip1/release/wasm_example.wasm -o wasm_example.cwasm
# 3. Load into the enclave
python tests/test_wasm_functions.py wasm_example.cwasmClient Libraries
Use RA-TLS clients to connect to the enclave with verification:
| Language | Package |
|---|---|
| Python | ra-tls-verify |
| Go | ratls |
| Rust | ra-tls-verify |
| TypeScript | @privasys/ra-tls |
| C# | Privasys.RaTls |
Verifying the RA-TLS certificate
# View certificate extensions
openssl s_client -connect enclave.example.com:443 </dev/null 2>&1 | \
openssl x509 -text -noout | grep -A2 "1.3.6.1.4.1.65230"Expected OIDs:
1.3.6.1.4.1.65230.1.1: Config Merkle Root1.3.6.1.4.1.65230.2.1: Egress CA Hash1.3.6.1.4.1.65230.2.3: WASM Apps Hash