Glossary
AWS Components
Contains information about the enclave to verify the enclave’s identity and establish trust. Can be modified to user’s specifications.
Load balancer for applications to determine how to route requests
Form of the key that is used to encrypt the function.
Tracks user activity and API interactions.
Handles network workload and distributes incoming traffic
Amazon’s secure enclave offering. Cape currently uses AWS Nitro as a confidential computing base.
Amazon Key Management Service. Used to create and manage cryptographic keys.
Amazon Elastic Compute Cloud.
A a proxy server that runs on the parent instance and forwards vsock traffic from an enclave to a TCP endpoint. It can be run independently or as a service
Cape
cape.js
On our docs, refers to Cape Privacy’s Javascript SDK
Cape CLI
Cape Command Line Interface
Cape Encrypt
A command that encrypts your data locally to protect it in-transit. cape encrypted data can only be processed by Cape Functions to deploy to the confidential computing environment
Cape Key
The public key as part of the key pair generated by cape encrypt within the KMS that is unique to your account
Cape Deploy
This command loads a customer's function and dependencies to Cape so that it can be invoked by clients later. Prior to sending any data to Cape, an attestation process assures the authenticity of the enclave. Additionally, the function is encrypted using the public key provided from the enclave within the attestation document.
Cape Run
Run This command invokes a previously deployed function within a secure enclave. The function itself, along with any data passed in, are securely processed within the enclave
Cape Test
The cape test command can be used to test the function you’re developing in an actual enclave
Deploy Folder
Folder that contains app.py
and other Python dependencies
pyCape
On our docs, refers to our Python software developer kit
Cape Function or Cape Handler
The code the user deploys, usually an app where developers using Python can easily manage and integrate with Cape. Python code deployed to Cape to be securely invoked later. Note: in app.py it has to be assigned to the cape_handler
variable
Runtime
Cape’s runtime within the enclave, intended to be an auditable, minimal execution environment needed to execute functions securely
Confidential Computing
Cryptographic Attestation
A process used to prove the enclave’s identity to an external service
Confidental Computing
The protection of data in use by performing computation in a hardware-based TEE or Secure Enclave. Confidential Computing is a cloud computing technology that isolates sensitive data in a protected enclave during processing
Trusted Execution Environments (TEE)
An isolated area on the main processor and encrypted RAM of a device that is separate from the main OS that can ignore threats from the rest of the device. It ensures that data is stored, processed and protected in a trusted environment. TEEs enable Secure Enclaves.
Secure Enclaves
Environment that provides for isolation of code and data from OS using hardware-based CPU-level isolation. A secure enclave has its own kernel, memory, and CPUs with no network connectivity and no persistent storage. Secure enclaves offer a process called "attestation" to verify CPU and apps running are genuine and unaltered. Secure Enclaves enable the concept of Confidential Computing. Sometimes the terms TEE and Secure Enclaves are used interchangeably
Enclave Image File (.eif)
The build instructions that are used to create the image to be run within an enclave, which executes the function, and more specifically is the file that gets loaded to initialize the running enclave.
Development & Infrastructure
DEK
Data Encryption Key, key used to encrypt data, in Cape’s case encrypting data in the enclave
KEK
Key Encryption Key, key used to encrypt another key in a process known as envelope encryption
JWT
JSON web token, an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Creates data with an optional signature or encryption. Used for authentication and information exchange
Resources
Refers to external artifacts from s3, databases etc.
Serdio
SERialization and Deserialization of (function) Inputs and Outputs is a subpackage or pycape that simplifies the serialization process for inputs and outputs of Cape handlers.
WebSocket
A communications protocol that provides for connection between two or more communication channels over a single TCP connection
vsock
Component which facilitates socket communication between between virtual machines and host
Encryption
Asymmetric Key Encryption
Also known as Public-key Encryption. This is when a keypair is generated, one public and one private, with one key used to encrypt and another used to decrypt. This is safer than symmetric key encryption where a single key is used for both encryption and decryption.
Ciphertext
Refer to the encrypted text that has been transformed from plaintext
Encryption
When the form of information is changed to protect it from being read. An example is transforming plaintext into ciphertext
Function Checksum
The checksum of the customer function, used in attestation to verify that the function has not been altered or tampered with
HPKE
A public-key encryption format. Cape uses HPKE to encrypt the customer’s function while loading the function into the enclave to receive a public key, ensuring an extra layer of security.
Hybrid Encryption
A hybrid cryptography system that combines a public key with a symmetric key encryption scheme
Nonce
In cryptography, an arbitrary number that can be used once in a cryptographic communication
Symmetric Key Encryption
When encrypted data is encrypted and decrypted using the same key
Plaintext
Data that represents readable material. Generally, sensitive information shouldn’t be living in plaintext unprotected
Public Key
One of a keypair generated in asymmetric or public key encryption. A public key is used to encrypt information. Anyone can encrypt information with a public key, but they cannot decrypt without the corresponding private key
Private Key
One of a keypair generated in asymmetric or public key encryption. Only a private key is used for decrypting encrypted data