Cape Deploy
cape deploy sends a function, for example an app, and data to a Cape secure enclave.
When a function is sent or deployed to Cape, it is doubly encrypted using envelope encryption. A function ID and checksum are also generated for future verification during cape run.
During the deployment process, Cape's runtime generates a key pair. The public key—-the Cape Key is sent back to the user for encrypting. The private key never leaves KMS. During this process, attestation verifies the identity of the enclave. If the attestation passes, a generated Data Encryption Key encrypts the data. This DEK is then encrypted with RSA using the Cape Key and Function is then encrypted with AES by the enclave using HPKE to create the encryption envelope and then stored in the Cape infrastructure.