Enclavia

EnclaviaProvable computation, as simple as pushing a Docker image.

Run your container inside an attested enclave. End-to-end encryption from the browser. Public beta.

Install the CLI
Push your first image

Push, then run

Build any Docker image. `enclavia push` uploads it to your private registry namespace. `enclavia enclave create` boots it inside an AWS Nitro enclave.

Attested by default

Every connection performs a Noise NN handshake, requests an attestation document, and verifies PCR0/1/2 against the image you pushed. No remote agent, no extra steps.

Encrypted from the browser

The included WASM-friendly client speaks the Noise channel directly to the enclave over a WebSocket proxy. The plaintext never leaves the user's device or the enclave.

Storage sealed to your enclave

Optional persistent volumes are LUKS-encrypted with a passphrase held in AWS KMS. The key is only released after attestation matches your image's PCRs, so the data is bound to the same identity as the code that wrote it.

Drive it from Claude

A hosted MCP server lets you manage enclaves from Claude (web or Desktop) in natural language. Same OAuth identity as the CLI, scoped per user, revocable from the dashboard.

What is Enclavia

Enclavia is a managed platform for running container workloads inside hardware-attested enclaves. You point it at a Docker image; it builds an enclave image, boots it on Nitro hardware, and exposes it behind a WebSocket proxy that speaks an end-to-end encrypted channel directly to the enclave.

The pieces a user touches:

  • enclavia CLI — authenticate, push images, create and manage enclaves.
  • enclavia client library (Rust) — connect from a server or browser, verify attestation, send HTTP through the encrypted channel.
  • Backend APIhttps://api.beta.enclavia.io. Documented implicitly through the CLI.
  • MCP serverhttps://mcp.beta.enclavia.io/mcp. Lets Claude drive your enclaves over the Model Context Protocol with the same identity the CLI uses.

Where to start

  1. Install the CLI.
  2. Authenticate by approving a session in the web UI.
  3. Push an image to your private registry namespace.
  4. Create an enclave from that image.
  5. Connect to it from your code, or drive Claude at the same enclaves over MCP.

Beta scope

The public beta runs at beta.enclavia.io and is intended for evaluation. Image references resolve against registry.beta.enclavia.io under your handle (the user-chosen identifier set during onboarding). The CLI talks to https://api.beta.enclavia.io and the encrypted client connects to enclaves under enclaves.beta.enclavia.io.

For AI agents

A machine-readable index of these docs is published at /llms.txt — the convention for surfacing documentation to LLMs without parsing HTML. Feed it to your agent of choice.

Built for AI agents too — fetch /llms.txt for a machine-readable index of these docs.

Enclavia · provable computation, as simple as pushing a Docker image.