Configuration
enclavely.yaml reference and project configuration options.
The enclavely.yaml file lives at the root of your service directory. It defines the runtime (build inputs and entrypoint), deploy defaults, the service contract Enclavely enforces, the expected attestation measurements, and the names of the secrets the service expects at runtime.
Full example
```yaml
name: payments-service
runtime:
  dockerfile: Dockerfile
  enclave_entrypoint: ./bin/server
deploy:
  cpu_count: 2
  memory_mib: 4096
  healthcheck_path: /healthz
service_contract:
  contract_version: v1
  transport: http1-vsock
  enclave:
    cid: 16
    port: 8080
    healthcheck_path: /healthz
    readiness_path: /readyz
    attestation_required: true
    capabilities: [decrypt]
attestation:
  pcrs:
    "0": "<expected-hash>"
    "1": "<expected-hash>"
secrets:
  - STRIPE_API_KEY
  - DB_URL
```

Reference
name
Project name. Match this to the project you created in Enclavely.
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique project identifier (e.g. payments-service). Must match the name used when running enclavely project create. |
runtime
Defines build inputs and entrypoint.
| Field | Type | Required | Description |
|---|---|---|---|
| dockerfile | string | Yes | Path to the Dockerfile used to build the enclave image, relative to the project root. |
| enclave_entrypoint | string | Yes | Binary/script that starts your service process inside the enclave. |

```yaml
runtime:
  dockerfile: Dockerfile
  enclave_entrypoint: ./bin/server
```

deploy
Controls deploy defaults for your service.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| cpu_count | integer | Yes | -- | Requested CPU allocation. |
| memory_mib | integer | Yes | -- | Requested memory (MiB). |
| healthcheck_path | string | No | /healthz | Health endpoint path. |

```yaml
deploy:
  cpu_count: 2
  memory_mib: 4096
  healthcheck_path: /healthz
```

service_contract
Defines the runtime contract Enclavely enforces during deploy and health checks.
| Field | Type | Required | Description |
|---|---|---|---|
| contract_version | string | Yes | Contract schema version. Currently must be v1. |
| transport | string | Yes | Transport protocol used to communicate with the enclave. Supported value: http1-vsock. |
| enclave | object | Yes | Enclave connection and behavior configuration. See below. |
service_contract.enclave
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| cid | integer | Yes | -- | vsock context ID of the enclave (typically 16). |
| port | integer | Yes | -- | The vsock port the enclave listens on. |
| healthcheck_path | string | Yes | /healthz | Health endpoint path, requested over the vsock transport. |
| readiness_path | string | Yes | /readyz | Readiness endpoint path, requested over the vsock transport. |
| attestation_required | boolean | Yes | true | Require a successful attestation check before any traffic is routed to the enclave. Keep this true outside local development. |
| capabilities | string[] | Yes | [decrypt] | Supported values: sign, decrypt. Grant only the capabilities the service actually uses. |

```yaml
service_contract:
  contract_version: v1
  transport: http1-vsock
  enclave:
    cid: 16
    port: 8080
    healthcheck_path: /healthz
    readiness_path: /readyz
    attestation_required: true
    capabilities: [decrypt]
```

attestation
Expected PCR measurements for attestation.
| Field | Type | Required | Description |
|---|---|---|---|
| pcrs | map[string, string] | No | A map of PCR index (quoted, e.g. "0") to the expected SHA-384 measurement, written as 96 hex characters. Common indices are "0" (enclave image) and "1" (Linux kernel). |
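To make the semantics of this map concrete, the following added example (written for this page; it is not Enclavely's attestation code, and it assumes Enclavely applies the map in the same way) checks a set of expected PCRs against measurements taken from an attestation document. An expected index that the document does not carry fails closed, digests are compared in constant time after hex decoding so letter case does not matter, and measured indices that the config never pins are reported separately because nothing checks them. The digests are constructed placeholders, not real measurements.

```python
import hmac

SHA384_LEN = 48  # bytes; the PCRs on this page are SHA-384 digests

# Constructed placeholder digests (not real measurements).
IMAGE_HASH = "a" * 96   # stands in for PCR0, the enclave image
KERNEL_HASH = "b" * 96  # stands in for PCR1, the kernel
APP_HASH = "c" * 96     # stands in for PCR2, which this config does not pin

EXPECTED_PCRS = {"0": IMAGE_HASH, "1": KERNEL_HASH}                          # attestation.pcrs
MEASURED_PCRS = {"0": IMAGE_HASH.upper(), "1": KERNEL_HASH, "2": APP_HASH}  # from the attestation document


def check_pcrs(expected: dict, measured: dict) -> list[str]:
    """Return one line per problem; an empty list means every expected PCR matched.

    Fails closed: an expected index that the attestation document does not
    carry is a mismatch, not a skip."""
    problems = []
    for index, want in expected.items():
        got = measured.get(str(index))
        if got is None:
            problems.append(f"PCR{index}: not present in attestation document")
            continue
        try:
            want_b, got_b = bytes.fromhex(want), bytes.fromhex(got)  # accepts either case
        except ValueError:
            problems.append(f"PCR{index}: value is not hex")
            continue
        if len(want_b) != SHA384_LEN:
            problems.append(f"PCR{index}: expected value is not a SHA-384 digest")
        elif not hmac.compare_digest(want_b, got_b):  # constant time; False on length mismatch
            problems.append(f"PCR{index}: measurement does not match expected value")
    return problems


def unpinned_pcrs(expected: dict, measured: dict) -> list[str]:
    """Measured indices the config never pins; these are not checked at all."""
    return sorted(i for i in measured if i not in expected)


if __name__ == "__main__":
    print("problems:", check_pcrs(EXPECTED_PCRS, MEASURED_PCRS))
    print("unpinned:", unpinned_pcrs(EXPECTED_PCRS, MEASURED_PCRS))
    tampered = dict(MEASURED_PCRS, **{"0": APP_HASH})
    print("tampered:", check_pcrs(EXPECTED_PCRS, tampered))
```

The unpinned list is the point to watch in a real config: if your application code is measured into a PCR that does not appear under attestation.pcrs, a changed application passes the check as long as the image and kernel measurements still match.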
```yaml
attestation:
  pcrs:
    "0": "abc123..."
    "1": "def456..."
```

secrets
A list of secret names your service expects at runtime.
| Field | Type | Required | Description |
|---|---|---|---|
| secrets | string[] | No | List of environment variable names the enclave expects to receive as encrypted secrets. |

```yaml
secrets:
  - STRIPE_API_KEY
  - DB_URL
```

The secrets list declares names only. Never put secret values in enclavely.yaml; the values are delivered to the enclave as encrypted secrets at runtime.
Generating a configuration
Run enclavely init in your project directory to generate an enclavely.yaml interactively:

```shell
enclavely init
```

The wizard writes a valid starting config.
Validating your configuration
Use build as a config validator:

```shell
enclavely build --config enclavely.yaml
```

If validation fails, the CLI prints the exact field error.
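The constraints in the reference tables above can also be checked offline before the file reaches the CLI, for instance in a pre-commit hook. The script below is an added example written for this page, not the Enclavely CLI's validator; it assumes the file has already been parsed into a plain dict (for example with PyYAML's yaml.safe_load) and runs on a constructed sample config with placeholder digests. The required fields, the allowed contract_version, transport and capability values, the quoted PCR index and the 96-hex-character SHA-384 length come from the reference; treating a secrets entry that is not a bare variable name as an error, and the two warnings (attestation disabled, PCR 0 not pinned), are this example's own policy.

```python
import copy
import re

SHA384_HEX = re.compile(r"^[0-9a-fA-F]{96}$")  # SHA-384 digest = 48 bytes = 96 hex chars
SECRET_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")  # assumption: secret names are env-var style
ALLOWED_CAPABILITIES = {"sign", "decrypt"}       # from the service_contract.enclave table


def _get(cfg, path):
    """Value at a dotted path, or None if any segment is missing."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _required(cfg, path, typ, errors):
    """Require `path` to exist and hold a `typ`; a bool does not count as an int."""
    value = _get(cfg, path)
    if value is None:
        errors.append(f"{path}: required field missing")
        return None
    if (isinstance(value, bool) and typ is not bool) or not isinstance(value, typ):
        errors.append(f"{path}: expected {typ.__name__}, got {type(value).__name__}")
        return None
    return value


def validate_config(cfg):
    """Return (errors, warnings). Errors mirror the reference tables on this page;
    warnings are this example's own hygiene policy, not something the CLI emits."""
    errors, warnings = [], []
    _required(cfg, "name", str, errors)
    _required(cfg, "runtime.dockerfile", str, errors)
    _required(cfg, "runtime.enclave_entrypoint", str, errors)
    for path in ("deploy.cpu_count", "deploy.memory_mib"):
        value = _required(cfg, path, int, errors)
        if value is not None and value <= 0:
            errors.append(f"{path}: must be a positive integer")
    version = _required(cfg, "service_contract.contract_version", str, errors)
    if version not in (None, "v1"):
        errors.append(f"service_contract.contract_version: must be v1, got {version!r}")
    transport = _required(cfg, "service_contract.transport", str, errors)
    if transport not in (None, "http1-vsock"):
        errors.append(f"service_contract.transport: must be http1-vsock, got {transport!r}")
    enc = "service_contract.enclave"
    _required(cfg, f"{enc}.cid", int, errors)
    _required(cfg, f"{enc}.port", int, errors)
    for path in (f"{enc}.healthcheck_path", f"{enc}.readiness_path"):
        value = _required(cfg, path, str, errors)
        if value is not None and not value.startswith("/"):
            errors.append(f"{path}: must be an absolute URL path")
    if _required(cfg, f"{enc}.attestation_required", bool, errors) is False:
        warnings.append(f"{enc}.attestation_required is false: traffic can reach an unverified enclave")
    for cap in _required(cfg, f"{enc}.capabilities", list, errors) or []:
        if cap not in ALLOWED_CAPABILITIES:
            errors.append(f"{enc}.capabilities: unsupported value {cap!r}")
    pcrs = _get(cfg, "attestation.pcrs")
    if isinstance(pcrs, dict):
        for index, digest in pcrs.items():
            if not (isinstance(index, str) and index.isdigit()):
                errors.append(f"attestation.pcrs: index {index!r} must be a quoted decimal string")
            if not (isinstance(digest, str) and SHA384_HEX.match(digest)):
                errors.append(f"attestation.pcrs[{index!r}]: expected 96 hex chars (SHA-384), got {digest!r}")
        if "0" not in pcrs:
            warnings.append("attestation.pcrs: PCR 0 (enclave image) is not pinned")
    for name in _get(cfg, "secrets") or []:
        # A bare variable name only; '=' or any non-identifier character looks like a smuggled value.
        if not isinstance(name, str) or not SECRET_NAME.match(name):
            errors.append(f"secrets: {name!r} is not a bare variable name; values never belong here")
    return errors, warnings


# Constructed sample mirroring the full example on this page; the digests are placeholders.
GOOD_CONFIG = {
    "name": "payments-service",
    "runtime": {"dockerfile": "Dockerfile", "enclave_entrypoint": "./bin/server"},
    "deploy": {"cpu_count": 2, "memory_mib": 4096, "healthcheck_path": "/healthz"},
    "service_contract": {"contract_version": "v1", "transport": "http1-vsock", "enclave": {
        "cid": 16, "port": 8080, "healthcheck_path": "/healthz", "readiness_path": "/readyz",
        "attestation_required": True, "capabilities": ["decrypt"]}},
    "attestation": {"pcrs": {"0": "a" * 96, "1": "b" * 96}},
    "secrets": ["STRIPE_API_KEY", "DB_URL"],
}
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
BAD_CONFIG["service_contract"]["enclave"]["capabilities"] = ["decrypt", "encrypt"]  # not a supported value
BAD_CONFIG["attestation"]["pcrs"] = {"0": "<expected-hash>", 2: "c" * 96}  # placeholder left in, index unquoted
BAD_CONFIG["secrets"] = ["STRIPE_API_KEY=sk_test_example", "DB_URL"]  # constructed: value smuggled into the list

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        errs, warns = validate_config(cfg)
        print(label, errs, warns)
```

The unquoted-index check matters because a YAML loader turns a bare 0 into an integer key, which will not match the string "0" the reference expects; the placeholder check catches a template that was committed without real measurements.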
Next steps
- Quick Start — deploy your first enclave end to end
- Installation — CLI setup and project creation