diff --git a/.vitepress/sidebar.ts b/.vitepress/sidebar.ts index 7bc509ea..57219134 100644 --- a/.vitepress/sidebar.ts +++ b/.vitepress/sidebar.ts @@ -207,6 +207,13 @@ export function getSidebar() { { text: 'Run iApp without ProtectedData', link: '/guides/use-iapp/run-iapp-without-ProtectedData', + collapsed: true, + items: [ + { + text: 'Encrypt iApp Results', + link: '/guides/use-iapp/encrypt-result', + }, + ], }, { text: 'Integrate Web3 Messaging', diff --git a/README.md b/README.md index 4dde677d..42f37823 100644 --- a/README.md +++ b/README.md @@ -169,3 +169,31 @@ for input parameters: - 💬 [Discord Community](https://discord.com/invite/pbt9m98wnU) - 🐛 [Issue Tracker](https://github.com/iExecBlockchainComputing/documentation/issues) + +## TODO + +- Add link to the new explorer feature Asset_Types in the guide => + `handle-schemas-dataset-types` +- Add link to remix for deploying whitelist +- Explorer l'intégration de codeSpace +- Add a Development workflow section (1 - ProtectData, 2- ...) +- Update context7 when doc will be deployed (Martin) +- Check theGraph Images with design Team +- Update the Dune Dashboard to the final version +- Add new section in `iexec-explorer.md` file to talk about: available chain on + the UI + SRLC/RLC on account section feature of the protocol +- check glossary +- migrate pay-per-task page into a guide +- check pages (introduction & getting-started) for use-iapp guide +- Schema what is iexec to do and implement +- Give recap of Workerpool address fo chains +- Talk about ENS on Bellecour(it's not supported on arbitrum) +- Talk about encrypting results in use-iapp +- Refactor "advanced" section in build-iapp +- Rework src\get-started\protocol\iexec-doracle.md (transfer to guide or + rewrite) +- Rework src\get-started\protocol\oracle.md (transfer to guide or rewrite) +- Talk about iApp secret +- Improve Guide in build-iapp section - be more clear for builder ( how to + process process protectedData, clarify input-output guide) +- Add illustration in the different pages diff --git a/src/guides/build-iapp/advanced/build-your-first-sgx-iapp.md b/src/guides/build-iapp/advanced/build-your-first-sgx-iapp.md index 6015461e..063a7bf8 100644 --- a/src/guides/build-iapp/advanced/build-your-first-sgx-iapp.md +++ b/src/guides/build-iapp/advanced/build-your-first-sgx-iapp.md @@ -561,7 +561,6 @@ to use some confidential data to get the full potential of the **Confidential Computing** paradigm. Check out next chapters to see how: - [Access confidential assets from your iApp](access-confidential-assets.md) -- [Protect the result](/guides/build-iapp/advanced/protect-the-result.md) diff --git a/src/guides/build-iapp/outputs.md b/src/guides/build-iapp/outputs.md index b3541f53..0fb94339 100644 --- a/src/guides/build-iapp/outputs.md +++ b/src/guides/build-iapp/outputs.md @@ -145,5 +145,3 @@ Continue building with these guides: Control who can use your iApp - **[Debugging Your iApp](/guides/build-iapp/debugging)** - Troubleshoot execution issues -- **[How to Get and Decrypt Results](/guides/use-iapp/getting-started)** - - User-side result handling diff --git a/src/guides/use-iapp/encrypt-iapp-result.md b/src/guides/use-iapp/encrypt-iapp-result.md new file mode 100644 index 00000000..7a8c4bbe --- /dev/null +++ b/src/guides/use-iapp/encrypt-iapp-result.md @@ -0,0 +1,143 @@ +--- +title: Encrypt iApp Results +description: + Learn how to encrypt iApp execution results using end-to-end encryption with + your own encryption key pair +--- + +# 🔐 Encrypt iApp Results + +::: info + +If you're using DataProtector, result encryption is handled automatically within +the processProtectedData method, with the associated parameter. This section is +only needed for manual encryption when not using DataProtector. + +::: + +Secure your outputs with end‑to‑end encryption so only you (the beneficiary) can +read them. Results leave the enclave and may traverse untrusted storage and +networks; encryption ensures nobody else (operators, storage providers, +intermediaries) can access the content. + +## 1) Generate your encryption key pair + +The beneficiary key pair is the root of trust for result confidentiality. The +public key will be used inside the TEE to encrypt results for the beneficiary; +the private key stays with the beneficiary to decrypt them locally. + +Run from your iExec project directory: + +```bash +iexec result generate-encryption-keypair +``` + +This creates two files in `.secrets/beneficiary/`: + +``` +.secrets/ +└─ beneficiary/ + ├─ <0x-your-wallet-address>_key # PRIVATE KEY (keep safe) + └─ <0x-your-wallet-address>_key.pub # PUBLIC KEY +``` + +Back up the private key securely. You will only need it locally to decrypt +results. + +## 2) Push your public key to the SMS + +The Secret Management Service securely delivers your public key, at runtime, to +the enclave running your iApp. Without this, the iApp cannot encrypt outputs for +you. + +Make the public key available to TEEs at runtime: + +```bash +iexec result push-encryption-key --tee-framework scone +``` + +Verify it: + +```bash +iexec result check-encryption-key --tee-framework scone +``` + +## 3) Run the iApp with encrypted results + +The --encrypt-result flag instructs the platform to perform envelope encryption +inside the enclave using your public key, so the archive that leaves the TEE is +unreadable to others. + +Trigger a task and request encrypted outputs: + +```bash +iexec app run <0x-app-address> \ + --workerpool <0x-workerpool-address> \ + --tag tee,scone \ + --encrypt-result \ + --watch +``` + +When completed, download the results archive: + +```bash +iexec task show <0x-task-id> --download +``` + +Inside the archive, `iexec_out/result.zip.aes` is encrypted. + +Note: Results are encrypted for the task beneficiary. Ensure the beneficiary +address is yours to be able to decrypt the archive. + +If you extract the archive and try to read the encrypted file, you'll see +unreadable content: + +```bash +mkdir /tmp/trash && \ + unzip <0x-your-task-id>.zip -d /tmp/trash && \ + cat /tmp/trash/iexec_out/result.zip.aes +``` + +The output will look like: + +```bash +)3XqYvzEfRu<\ݵmm疞rc(a{{'ܼ͛q/[{hgD$g\.kj"s?"hJ_Q41_[{XԚa蘟vEr肽 +Յ]9WTL*tdzO`!e&snoL3K6L9% +``` + +This confirms the results are properly encrypted and unreadable without the +private key. + +## 4) Decrypt results locally + +Results are encrypted end‑to‑end; only your private key can decrypt them. This +step restores the plaintext so you can use the output files. + +Use your private key generated in step 1: + +```bash +iexec result decrypt iexec_out/result.zip.aes +``` + +This produces `results.zip`. Extract it to view plaintext outputs: + +```bash +unzip results.zip -d my-decrypted-result +``` + +And you can see the content of your result file: + +```bash +$ cat my-decrypted-result/result.txt +Hello, world! +``` + +Your results are now decrypted and ready to use. + +## Notes and tips + +- Keep the private key offline and backed up. +- You can rotate keys by re-running generation and push steps; old tasks remain + decryptable with the old private key. +- iApp code does not need changes to enable result encryption; it is enforced by + the TEE using the public key from SMS. diff --git a/src/guides/use-iapp/run-iapp-without-ProtectedData.md b/src/guides/use-iapp/run-iapp-without-ProtectedData.md index 36d35ed4..967fe960 100644 --- a/src/guides/use-iapp/run-iapp-without-ProtectedData.md +++ b/src/guides/use-iapp/run-iapp-without-ProtectedData.md @@ -200,3 +200,9 @@ const taskId = await iexec.order.matchOrders({ workerpoolorder: workerpoolOrders.orders[0].order, }); ``` + +## Next Steps + +For advanced use cases where you need to encrypt the results of your iApp +execution, refer to the +[Encrypt iApp Results](/guides/use-iapp/encrypt-iapp-result) guide.