Deploy on Caution-managed infrastructure
Deploy your first application on Caution's fully managed platform using AWS Nitro Enclaves. Your first deployment should take about 10 minutes.
What is fully managed?
Fully managed is a deployment model where Caution hosts and operates the deployment environment end-to-end on Caution-managed infrastructure. For full details, see the fully managed reference.
AWS Nitro support today
Caution currently supports deployments on AWS Nitro Enclaves. We are actively working on support for Intel TDX, AMD SEV-SNP, and TPM 2.0 attestations.
What you need
Before you begin, ensure you have the following:
| What you'll need | Details |
|---|---|
| Access code | Request access at info@caution.co |
| Passkey | Browser or platform passkey, password manager passkey, or security key or smart card (YubiKey, NitroKey, or LibremKey) |
| CLI | Supported today on Linux (x86_64) or macOS (arm64) (install) |
| Git | For cloning and pushing repositories (install) |
| Docker | With containerd image store enabled (install) |
| Containerized app | Your application must be containerized |
Install the CLI
Follow the installation instructions in the CLI README.
Create an account
To create an account, you'll need a valid access code and a passkey. You can register in the browser or with the CLI.
If you do not have an access code, request one at info@caution.co.
- Go to dashboard.caution.co
- Enter your access code
- Use your passkey method
- Click Continue
- Approve the passkey interaction when prompted
Add an SSH key
Add an SSH key so you can authenticate your Caution deployments:
Add an SSH key from the browser dashboard.
Select an application
Deploy your own containerized application, or start with one of the Caution demo apps. For this guide, use hello-world-enclave:
Initialize the application
From your application directory, run the following command to create a Procfile and other data required for the application:
A Procfile defines how to run your application and which ports to expose. If you're using one of Caution's demo apps, a Procfile is already included. If you're deploying your own application, you'll need to create one. See the Procfile reference.
Commit the generated Procfile and .caution/deployment.json to your repository. The deployment file stores the Caution app resource ID so CLI commands can infer the target app from the repository.
For your own app, make sure the container builds from the repository root with the standard Docker form:
If you use another file, set containerfile in the Procfile and replace Containerfile with that path. Caution uses this build shape and does not pass extra build arguments, so public build-time values need to be part of the image inputs. Use Locksmith for secrets.
At minimum, your Procfile should specify how to run your application:
For source verification, add your repository URL:
Add environment variables
If your application needs environment variables, use Key services before deploying. The guide covers non-encrypted variables for public configuration and encrypted variables for secrets, including how to deploy Keymaker, generate shard-holder OpenPGP keys, create a quorum bundle, encrypt values from .env, and enable Locksmith in your Procfile.
Skip this step if your application does not need environment variables.
Deploy the application
From your application directory, push the code to Caution:
Caution builds a reproducible enclave image with the standard Docker build and deploys it into the enclave.
Verify the deployment
From your application directory, run the following command to rebuild the image, compare hashes, and confirm exactly what the enclave is running:
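The comparison step described above, as an added example that is not Caution's CLI or code: it assumes the hashes being compared are the AWS Nitro Enclaves PCR0 to PCR2 measurements (SHA-384), and checks a locally rebuilt set against the set a deployed enclave attests to. The function names and the sample digests are constructed for illustration.

```python
import hashlib
import hmac

PCR_HEX_LEN = 96                      # SHA-384 digest, hex-encoded
REQUIRED = ("PCR0", "PCR1", "PCR2")   # image file, kernel/bootstrap, application
HEX_DIGITS = set("0123456789abcdef")


def normalize(name, value):
    """Return the measurement as lowercase hex, or raise ValueError."""
    value = value.strip().lower()
    if len(value) != PCR_HEX_LEN or not set(value) <= HEX_DIGITS:
        raise ValueError(f"{name}: not a hex-encoded SHA-384 digest")
    return value


def compare_measurements(expected, attested):
    """Return a list of problems; an empty list means every PCR matched."""
    problems = []
    for name in REQUIRED:
        if name not in expected or name not in attested:
            problems.append(f"{name}: missing")
            continue
        try:
            want = normalize(name, expected[name])
            got = normalize(name, attested[name])
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if set(got) == {"0"}:
            # Debug-mode Nitro enclaves attest to all-zero PCRs.
            problems.append(f"{name}: all zeros (debug-mode enclave)")
        elif not hmac.compare_digest(want, got):
            problems.append(f"{name}: mismatch")
    return problems


def sample_digest(label):
    """Constructed sample value standing in for a real measurement."""
    return hashlib.sha384(label.encode()).hexdigest()


# Constructed inputs: a local rebuild and what a deployed enclave reports.
LOCAL_BUILD = {name: sample_digest(f"constructed-{name}") for name in REQUIRED}
ATTESTED = dict(LOCAL_BUILD, PCR2=sample_digest("different-application"))

if __name__ == "__main__":
    for problem in compare_measurements(LOCAL_BUILD, ATTESTED) or ["all PCRs match"]:
        print(problem)
```

A non-empty result means the running enclave should not be treated as the build you reviewed; the all-zero case is reported separately because it indicates a debug-mode enclave rather than a different image.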
Next steps
Your application is now running in a verified enclave. Here's what to explore next:
- Deployment configuration: Configure source verification and networking options.
- Set up a custom domain: Use your own domain name for deployments.
- Verifiability: Learn how Caution ensures code integrity from source to production.
- Procfile: Configure how your application runs and verifies.