

AWS Components

Attestation Document

Contains information about the enclave to verify the enclave’s identity and establish trust. Can be modified to user’s specifications.

Application Load Balancer

Load balancer for applications to determine how to route requests

CipherTextBlob Encrypted

Form of the key that is used to encrypt the function.


Tracks user activity and API interactions.

Network Load Balancer

Handles network workload and distributes incoming traffic

Nitro Enclaves

Amazon’s secure enclave offering. Cape currently uses AWS Nitro as a confidential computing base.


Amazon Key Management Service. Used to create and manage cryptographic keys.


Amazon Elastic Compute Cloud.

vsock Proxy

A proxy server that runs on the parent instance and forwards vsock traffic from an enclave to a TCP endpoint. It can be run independently or as a service.



In our docs, refers to Cape Privacy’s JavaScript SDK

Cape CLI

Cape Command Line Interface

Cape Encrypt

A command that encrypts your data locally to protect it in transit. Cape-encrypted data can only be processed by Cape Functions to deploy to the confidential computing environment.

Cape Key

The public key as part of the key pair generated by cape encrypt within the KMS that is unique to your account

Cape Deploy

This command loads a customer's function and dependencies to Cape so that it can be invoked by clients later. Prior to sending any data to Cape, an attestation process assures the authenticity of the enclave. Additionally, the function is encrypted using the public key provided from the enclave within the attestation document.

Cape Run

This command invokes a previously deployed function within a secure enclave. The function itself, along with any data passed in, is securely processed within the enclave.

Cape Test

The cape test command can be used to test the function you’re developing in an actual enclave

Deploy Folder

Folder that contains and other Python dependencies


In our docs, refers to our Python software development kit

Cape Function or Cape Handler

The code the user deploys, usually an app where developers using Python can easily manage and integrate with Cape. Python code deployed to Cape to be securely invoked later. Note: in it has to be assigned to the cape_handler variable


Cape’s runtime within the enclave, intended to be an auditable, minimal execution environment needed to execute functions securely

Confidential Computing

Cryptographic Attestation

A process used to prove the enclave’s identity to an external service

Confidential Computing

The protection of data in use by performing computation in a hardware-based TEE or Secure Enclave. Confidential Computing is a cloud computing technology that isolates sensitive data in a protected enclave during processing

Trusted Execution Environments (TEE)

An isolated area on the main processor and encrypted RAM of a device that is separate from the main OS that can ignore threats from the rest of the device. It ensures that data is stored, processed and protected in a trusted environment. TEEs enable Secure Enclaves.

Secure Enclaves

Environment that provides for isolation of code and data from OS using hardware-based CPU-level isolation. A secure enclave has its own kernel, memory, and CPUs with no network connectivity and no persistent storage. Secure enclaves offer a process called "attestation" to verify CPU and apps running are genuine and unaltered. Secure Enclaves enable the concept of Confidential Computing. Sometimes the terms TEE and Secure Enclaves are used interchangeably

Enclave Image File (.eif)

The build instructions that are used to create the image to be run within an enclave, which executes the function, and more specifically is the file that gets loaded to initialize the running enclave.

Development & Infrastructure


Data Encryption Key, key used to encrypt data, in Cape’s case encrypting data in the enclave


Key Encryption Key, key used to encrypt another key in a process known as envelope encryption


JSON web token, an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Creates data with an optional signature or encryption. Used for authentication and information exchange


Refers to external artifacts from s3, databases etc.


SERialization and DEserialization of (function) inputs and outputs. A subpackage of pycape that simplifies the serialization process for inputs and outputs of Cape handlers.


A communications protocol that provides for connection between two or more communication channels over a single TCP connection


Component which facilitates socket communication between virtual machines and host


Asymmetric Key Encryption

Also known as Public-key Encryption. This is when a keypair is generated, one public and one private, with one key used to encrypt and another used to decrypt. This is safer than symmetric key encryption where a single key is used for both encryption and decryption.


Refers to the encrypted text that has been transformed from plaintext


When the form of information is changed to protect it from being read. An example is transforming plaintext into ciphertext

Function Checksum

The checksum of the customer function, used in attestation to verify that the function has not been altered or tampered with


A public-key encryption format. Cape uses HPKE to encrypt the customer’s function while loading the function into the enclave to receive a public key, ensuring an extra layer of security.

Hybrid Encryption

A hybrid cryptography system that combines a public key with a symmetric key encryption scheme


In cryptography, an arbitrary number that can be used once in a cryptographic communication

Symmetric Key Encryption

When data is encrypted and decrypted using the same key


Data that represents readable material. Generally, sensitive information shouldn’t be living in plaintext unprotected

Public Key

One of a keypair generated in asymmetric or public key encryption. A public key is used to encrypt information. Anyone can encrypt information with a public key, but they cannot decrypt without the corresponding private key

Private Key

One of a keypair generated in asymmetric or public key encryption. Only a private key is used for decrypting encrypted data

