Go to production

Before going any further, make sure you managed to:

Connect to the production environment

To connect to the production environment, make sure your chain.json content is as follows:

  "default": "bellecour",
  "chains": {
    "bellecour": {}

Do not forget to target a production workerpool when running a production application:

iexec app run <0x-your-app-address> \
    --workerpool prod-v8-bellecour.main.pools.iexec.eth \

Standard application

If you are developing a standard application, then you are already set. To reach more audience, you can publish your app to the Dapps store.

Confidential Computing application

The following applies only to the Scone framework.

If you are developing a Confidential Computing application, be aware of following information.

Sign your application

Any Confidential Computing application built previously on the develop environment runs in a debug enclave, which, as warned, might be inspected.

To run your application in a production enclave, the application needs to be signed with a key compatible with the Intel® Attestation Service (IAS). Create this key in your Intel developer Portal.

When the key is created (my-signer-key.pem), update the previous sconify.sh script by :

  • sharing the folder containing the my-signer-key.pem, here /signer

  • adding the --scone-signer option

docker run -it \
            -v /signer:/signer \
            registry.scontain.com/scone-production/iexec-sconify-image:<version> \
            sconify_iexec \
            --scone-signer=/signer/my-signer-key.pem \

Impacts of the SMS in enclave

As you have already learned in previous confidential assets section, the iExec SMS is a crucial component for TEE tasks on iExec, being in charge of:

  • storing all secrets of iExec users (application developer, requester, dataset owner)

  • defining - by following on-chain governance - which secrets are accessible to a specific enclave.

To reach a higher level of security on the production environment, the iExec SMS runs inside an enclave.

Below is a graph showing how the secrets and session mechanism works:

As seen in this diagram, required secrets are transferred to an authorized Application enclave over an RA-TLS channel (Remote Attestation).

Inside Security Services (yellow area in above diagram), all secrets are protected by an SMS database encryption key, itself backed by the CAS. The SMS enclave needs to prove its authenticity and integrity to the CAS in order to get access to its database encryption key.

To reach a higher level of security, the CAS enclave, which is the only component aware of the SMS database encryption key, is itself sealed to a specific platform enclave.

With that pattern, no one, even an administrator or someone with root privileges, can inspect confidential assets of users.

Backup your secrets

Always keep a local copy of your secrets. For security reasons, it is not possible to extract your secret from the SMS. In other words, the SMS only allows you to share secrets securely in order to process confidential computing tasks.

Publish your app to the Dapps store

To get more visibility for your application, make your application available on the Dapps store. To get there, follow instructions inside the iexec-dapps-registry repository. For any trouble, contact the iExec Help Center.

Last updated