Tutorials
Welcome to the Oyster Confidential VM tutorials! Here you'll find comprehensive, step-by-step guides that will help you master Oyster CVMs - from basic deployments to advanced concepts and implementations.
Each tutorial focuses on a specific use case, allowing you to progressively build your understanding while creating practical solutions. Follow the tutorials in sequence for the best learning experience, as concepts build upon each other.
Deploy an application
📄️ Set up your dev env
This tutorial will guide you through setting up your development environment.
📄️ Create an echo server
This tutorial will guide you through creating a simple echo server in Rust.
📄️ Publish a Docker image
This tutorial will guide you through creating a Docker image of your echo server and publishing it on Docker Hub.
📄️ Deploy on Oyster
This tutorial will guide you through deploying the echo server Docker image on Oyster and verifying that it was deployed properly using remote attestations.
Initialization parameters
📄️ Initialization parameters
In this tutorial, you will learn to pass initialization parameters while deploying your application. These initialization parameters can be files or strings which need to be passed on to enclaves during startup.
Mastering deployments
📄️ Deposit and withdraw
In this tutorial, you will learn how to deposit additional funds in a job to extend its running time as well as withdraw excess funds from a job to reduce its running time.
📄️ Stop jobs
In this tutorial, you will learn how to stop running jobs.
📄️ Enable debug mode
Generally, it is not possible to see console logs of enclaves deployed in production. Oyster, however, allows enclaves to be deployed in debug mode so that console logs are visible. This tutorial will guide you through deploying enclaves in debug mode and querying console logs.
📄️ Update deployments
Oyster lets you update the enclave image, docker compose file and other initialization parameters on an existing deployment in case you need to make updates to your code. It also lets you switch the debug mode on or off on the deployment. While these updates could be done by deploying new enclaves, updating in-place lets you retain the same IP and job id for the deployment. This tutorial will guide you through updating these parameters for existing deployments.
Key management
📄️ Ephemeral keys
Oyster provides the following keys generated during the startup phase:
📄️ Persistent keys
In the previous tutorial, we saw how to use ephemeral keys to sign messages from the enclave and verify that they came from a valid TEE. The ephemeral nature of the keys comes with significant limitations - it is not possible to maintain secrets that persist across restarts and other deployments. It precludes a lot of use cases like having persistent wallets owned by the enclave, storing persistent encrypted state, etc.
📄️ Contract-based access control
In the previous tutorial, we saw how to use KMS-derived persistent keys to sign messages from the enclave and verify them. The persistent nature of the keys comes with one major limitation - the keys are tied to the image id. It precludes some use cases like being able to update applications while still maintaining the same keys and secrets.