// DEPLOYMENT GUIDE

From Zero to Sovereign in 45 Minutes

This guide will walk you through deploying the zcp-enclave into your AWS VPC using our CLI.

Prerequisites

AWS Account

You need an AWS account with permissions to launch EC2 instances (Nitro-enabled) and manage IAM roles.

Docker

Required for building the enclave image locally (reproducible builds) before uploading to the enclave.

1. Install the CLI

Our open-source CLI manages the enclave lifecycle, from key generation to policy updates.

# Install via Homebrew

$brew install zerocopy-systems/tap/zcp

2. Initialize Your Workspace

Create a new enclave configuration. This generates a enclave.toml file defining your signing policies.

$zcp init --name my-trading-bot

Created enclave.toml
Created policy/policy.rego

3. Deploy to AWS

The CLI will provision a dedicated Nitro Enclave instance in your VPC, build the EIF (Enclave Image File), and boot it.

$zcp deploy --region us-east-1

Security NoteThis process creates a new EC2 instance with no SSH access. Communication is only possible via the VSock proxy.

4. Verify & Sign

The enclave is now running. Verify its attestation and sign your first payload via the VSock proxy.

$zcp verify-proof ./attestation.json

$zcp sign --msg "hello world"

Ready to Automate?

Check out the full API reference for integrating the SDK into your Python/Rust bots.

API Reference Deep Dive Architecture