Glossary

AWS Components

Attestation Document

Contains information about the enclave to verify the enclave’s identity and establish trust. Can be modified to user’s specifications.

Application Load Balancer

Load balancer for applications to determine how to route requests

CipherTextBlob

Encrypted form of the key that is used to encrypt the function.

CloudTrail

Tracks user activity and API interactions.

Network Load Balancer

Handles network workload and distributes incoming traffic

Nitro Enclaves

Amazon’s secure enclave offering. Cape currently uses AWS Nitro as a confidential computing base.

KMS

Amazon Key Management Service. Used to create and manage cryptographic keys.

EC2

Amazon Elastic Compute Cloud.

vsock Proxy

A proxy server that runs on the parent instance and forwards vsock traffic from an enclave to a TCP endpoint. It can be run independently or as a service.

Cape

cape.js

In our docs, refers to Cape Privacy’s JavaScript SDK

Cape CLI

Cape Command Line Interface

Cape Encrypt

A command that encrypts your data locally to protect it in transit. Cape-encrypted data can only be processed by Cape Functions deployed to the confidential computing environment.

Cape Key

The public key that is part of the key pair generated by cape encrypt within the KMS that is unique to your account

Cape Deploy

This command loads a customer's function and dependencies to Cape so that it can be invoked by clients later. Prior to sending any data to Cape, an attestation process assures the authenticity of the enclave. Additionally, the function is encrypted using the public key provided from the enclave within the attestation document.

Cape Run

This command invokes a previously deployed function within a secure enclave. The function itself, along with any data passed in, is securely processed within the enclave.

Cape Test

The cape test command can be used to test the function you’re developing in an actual enclave

Deploy Folder

Folder that contains app.py and other Python dependencies

pyCape

In our docs, refers to our Python software development kit

Cape Function or Cape Handler

The code the user deploys, usually an app where developers using Python can easily manage and integrate with Cape. Python code deployed to Cape to be securely invoked later. Note: in app.py, it has to be assigned to the cape_handler variable.

Runtime

Cape’s runtime within the enclave, intended to be an auditable, minimal execution environment needed to execute functions securely

Confidential Computing

Cryptographic Attestation

A process used to prove the enclave’s identity to an external service

Confidential Computing

The protection of data in use by performing computation in a hardware-based TEE or Secure Enclave. Confidential Computing is a cloud computing technology that isolates sensitive data in a protected enclave during processing

Trusted Execution Environments (TEE)

An isolated area on the main processor and encrypted RAM of a device, separate from the main OS, that can ignore threats from the rest of the device. It ensures that data is stored, processed and protected in a trusted environment. TEEs enable Secure Enclaves.

Secure Enclaves

Environment that isolates code and data from the OS using hardware-based CPU-level isolation. A secure enclave has its own kernel, memory, and CPUs with no network connectivity and no persistent storage. Secure enclaves offer a process called "attestation" to verify that the CPU and the apps running are genuine and unaltered. Secure Enclaves enable the concept of Confidential Computing. Sometimes the terms TEE and Secure Enclaves are used interchangeably.

Enclave Image File (.eif)

The build instructions that are used to create the image to be run within an enclave, which executes the function, and more specifically is the file that gets loaded to initialize the running enclave.

Development & Infrastructure

DEK

Data Encryption Key, key used to encrypt data, in Cape’s case encrypting data in the enclave

KEK

Key Encryption Key, key used to encrypt another key in a process known as envelope encryption

JWT

JSON Web Token, an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Creates data with an optional signature or encryption. Used for authentication and information exchange.

Resources

Refers to external artifacts from S3, databases, etc.

Serdio

SERialization and Deserialization of (function) Inputs and Outputs. A subpackage of pycape that simplifies the serialization process for inputs and outputs of Cape handlers.

WebSocket

A communications protocol that provides for connection between two or more communication channels over a single TCP connection

vsock

Component that facilitates socket communication between virtual machines and the host

Encryption

Asymmetric Key Encryption

Also known as Public-key Encryption. This is when a keypair is generated, one public and one private, with one key used to encrypt and another used to decrypt. This is safer than symmetric key encryption where a single key is used for both encryption and decryption.

Ciphertext

Refers to the encrypted text that has been transformed from plaintext

Encryption

When the form of information is changed to protect it from being read. An example is transforming plaintext into ciphertext

Function Checksum

The checksum of the customer function, used in attestation to verify that the function has not been altered or tampered with

HPKE

A public-key encryption format. Cape uses HPKE to encrypt the customer’s function while loading the function into the enclave to receive a public key, ensuring an extra layer of security.

Hybrid Encryption

A hybrid cryptography system that combines a public key with a symmetric key encryption scheme

Nonce

In cryptography, an arbitrary number that can be used once in a cryptographic communication

Symmetric Key Encryption

When data is encrypted and decrypted using the same key

Plaintext

Data that represents readable material. Generally, sensitive information shouldn’t be living in plaintext unprotected

Public Key

One of a keypair generated in asymmetric or public key encryption. A public key is used to encrypt information. Anyone can encrypt information with a public key, but they cannot decrypt without the corresponding private key

Private Key

One of a keypair generated in asymmetric or public key encryption. Only a private key is used for decrypting encrypted data