anjuna-nitro-cli build-enclave

Builds an enclave image from a Docker image and saves it to a file.

SYNOPSIS

anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>

DESCRIPTION

Launching a Nitro Enclave requires an Enclave Image File (EIF). The anjuna-nitro-cli build-enclave tool creates an Enclave Image File from a Docker container and prints the enclave's measurements.

The Docker container can be specified by:

  • a Docker URI to any Docker registry you have access to (for example 1122334455.dkr.ecr.us-east-1.amazonaws.com/hello-world:latest)

  • a local URI (for example hello-world:latest)

  • a directory that contains a Dockerfile

When building the enclave, you can specify an enclave configuration file (using the --enclave-config-file command-line option) and override some of the attributes defined in the Docker image without updating the Docker image itself:

  • environment variables

  • startup command specified in the container (CMD/ENTRYPOINT)

  • configuration files

  • default user

In the enclave configuration file, you can also specify the S3 bucket that contains the encrypted secrets for the enclave. See Nitro Enclave Configuration for a complete description of the file format used to specify the enclave configuration.

OPTIONS

anjuna-nitro-cli build-enclave [OPTIONS] --docker-uri <docker-uri> --output-file <output-file>

FLAGS:
-h, --help       Prints help information
-V, --version    Prints version information

OPTIONS:
    --docker-dir <docker-dir>                      Local path to a directory containing a Dockerfile
    --docker-uri <docker-uri>
        Uri pointing to an existing docker container or to be created  locally when docker-dir is present

    --enclave-config-file <enclave-config-file>    Local path to an enclave configuration file
    --output-file <output-file>                    Location where the Enclave Image should be saved
    --private-key <private-key>                    Local path to developer's Eliptic Curve private key.
    --signing-certificate <signing-certificate>    Local path to developer's X509 signing certificate.

EXIT STATUS

  • 0 on success

  • 1 on error

EXAMPLE

The following command converts the Nginx Docker image (from Docker Hub) to an enclave image file named nginx.eif.

$ anjuna-nitro-cli build-enclave --docker-uri nginx:latest --output-file nginx.eif

which produces output similar to this:

Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "....",
    "PCR1": "....",
    "PCR2": "...."
  }
}
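
One way to consume the measurements shown above, for instance in a CI step that refuses to release an image whose PCR values differ from the pinned ones. This is an added example, not part of the Anjuna tooling or documentation. The function names, the pinned-value dictionary and the sample digests are constructed for illustration, and the output layout is assumed to match the example above.

```python
import json
import re

# Assumption: each PCR is a SHA-384 digest printed as 96 hex characters,
# consistent with the "Sha384" HashAlgorithm field in the output above.
PCR_HEX = re.compile(r"[0-9a-f]{96}")


def parse_measurements(build_output: str) -> dict:
    """Return {"PCR0": "...", ...} from captured build-enclave output."""
    start = build_output.find("{")  # skip the status line before the JSON
    if start < 0:
        raise ValueError("no JSON document in build output")
    doc, _ = json.JSONDecoder().raw_decode(build_output[start:])
    measurements = doc.get("Measurements")
    if not isinstance(measurements, dict):
        raise ValueError("no Measurements object in build output")
    if not str(measurements.get("HashAlgorithm", "")).startswith("Sha384"):
        raise ValueError("unexpected hash algorithm")
    pcrs = {k: str(v).lower() for k, v in measurements.items() if k.startswith("PCR")}
    for name, value in pcrs.items():
        if not PCR_HEX.fullmatch(value):
            raise ValueError(f"{name} is not a 48-byte hex digest")
    return pcrs


def mismatched_pcrs(pcrs: dict, pinned: dict) -> list:
    """Names of pinned PCRs that are missing from the build or differ from it."""
    return sorted(n for n, want in pinned.items() if pcrs.get(n) != want.lower())


# Constructed sample output; the digests are placeholders, not real measurements.
SAMPLE_OUTPUT = """Enclave Image successfully created.
{
  "Measurements": {
    "HashAlgorithm": "Sha384 { ... }",
    "PCR0": "%s",
    "PCR1": "%s",
    "PCR2": "%s"
  }
}
""" % ("a1" * 48, "b2" * 48, "c3" * 48)

if __name__ == "__main__":
    pinned = {"PCR0": "a1" * 48, "PCR2": "ff" * 48}  # constructed pins
    bad = mismatched_pcrs(parse_measurements(SAMPLE_OUTPUT), pinned)
    print("mismatched:", bad)
    raise SystemExit(1 if bad else 0)
```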