Provenclave proofs are created inside an AWS Nitro Enclave — hardware-isolated memory with no persistent storage, no shell access, and no network path except a constrained vsock channel. This page publishes everything you need to independently verify what code is running and what guarantees it provides.
What the Trusted Execution Environment guarantees
Private key never leaves the enclave. Ed25519 keypair is generated inside hardware-isolated memory at boot. There is no API to export it.
Code is measured at boot. The enclave image is hashed into a PCR0 measurement before execution begins. Any change to the code — one byte — produces a different measurement.
Proofs are ordered and irreversible. A monotonic counter increments with every proof. The counter is anchored to DynamoDB with a conditional write — it can never go backward.
Attestation is hardware-signed. The Nitro Security Module signs an attestation document binding the public key to the PCR0 measurement. This signature comes from AWS hardware, not from us.
Live enclave
Fetched from https://nitro.occproof.com/key · connecting...
Verify it yourself
The enclave source is public. You can rebuild the image locally and confirm it produces the same PCR0 shown above.
Clone the repo and build the enclave image:
git clone https://github.com/mikeargento/provenclave.git
cd provenclave/server/commit-service
make docker && make eif
The build outputs a PCR0 hash. Compare it to the measurement above.
If they match, you know exactly what code is running inside the enclave. No trust required — just math.
Verify any proof offline
Proofs are self-contained JSON. Verification requires no network call, no API key, no external service. Everything needed to check a proof is inside the proof itself.
See your data. Only 32-byte SHA-256 digests enter the enclave. Your files never leave your machine.
Forge proofs. The signing key exists only in hardware-isolated memory. We have no mechanism to extract it.
Reorder proofs. The monotonic counter is anchored to an external store with a conditional write. Rolling it back would fail the condition check.
Silently change the code. Any modification to the enclave image changes the PCR0 measurement, which changes the attestation document, which invalidates all existing proofs verified against the old measurement.