Creating a QingTian Enclave Image
After a QingTian Enclave application is developed, you need to create a QingTian Enclave image file (.eif) in a trusted environment. The QingTian Enclave image file contains everything required to launch a QingTian Enclave instance, including the application code, runtime dependencies, operating system, and file system. This section describes how to create a QingTian Enclave image file.
- Create a Docker source image.
Package the QingTian Enclave application and its execution environment into a Docker image. For details, see QingTian Enclave Application Development on Linux.
- Obtain the image from the image library.
The following uses the Ubuntu image from the Docker repository as an example. Obtain the image from the Docker repository (network access must be configured for the query). Run the following command to search for the image:
docker search ubuntu
Pull the Ubuntu image locally:
docker pull ubuntu
After the Ubuntu image is pulled locally, run the following command:
docker image ls
If you already have a Docker image locally, skip to step 3 and convert that image directly.
- Convert the image.
Convert the Docker image to a QingTian Enclave image.
- (Optional) Create a private key (private-key.pem) and certificate (server.pem) using OpenSSL or other tools.
openssl ecparam -out private-key.pem -name secp384r1 -genkey
openssl req -new -key private-key.pem -out ssl.csr
openssl x509 -req -days 365 -in ssl.csr -signkey private-key.pem -out server.pem
For security purposes, only the elliptic curve cryptography and secp384r1 elliptic curve are supported.
- Convert the Docker image to a QingTian Enclave image.
In the qt enclave make-img command, the parameters for the Docker source image (--docker-uri) and the generated target QingTian Enclave image (--eif) are mandatory.
# qt enclave make-img --docker-uri ubuntu --eif /home/docker/ubuntu.eif --private-key /home/docker/private-key.pem --signing-certificate /home/docker/server.pem
{
  "digest": "SHA384",
  "PCR0": "b8c59692da8a5bcb739a83d15a0ceca670bd78da06cb2250ec70548f72254e674419e9888db9c0364a9b88dd58017a62"
  "PCR8": "dbf4a7f9fab7f18619b5899c407081981ad6762fb9a809da78548821b5021965423181584acd7b201703376f1133a546"
}
You now have a QingTian Enclave image, together with its PCR0 and PCR8 values. These hashes are measurements of the instance and can be used as condition keys in IAM authorization policies to implement conditional access control over KMS APIs. For details, see PCR.
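The procedure above, wrapped in a build script as an added example (this is not Huawei Cloud's own tooling): it generates the secp384r1 signing material, refuses any key on another curve, runs qt enclave make-img, and extracts PCR0 and PCR8 from the printed JSON so they can be recorded for IAM policy conditions. The image name, output paths and the certificate subject are assumptions; the sample output used for the parsing demo is constructed from the values shown on this page.

```shell
#!/bin/sh
# Added example script; assumes docker, qt and openssl are on PATH.
set -eu

# Generate the signing key and self-signed certificate (only secp384r1 is supported).
gen_signing_material() {
    openssl ecparam -out private-key.pem -name secp384r1 -genkey
    openssl req -new -key private-key.pem -out ssl.csr -subj "/CN=qt-enclave-signer"
    openssl x509 -req -days 365 -in ssl.csr -signkey private-key.pem -out server.pem
}

# Fail early if the key is not on secp384r1, rather than letting make-img reject it.
check_key_curve() {
    openssl ec -in "$1" -text -noout 2>/dev/null | grep -q 'secp384r1'
}

# Extract one PCR value ($2) from make-img's JSON output ($1).
# Works whether or not a comma separates the PCR entries.
extract_pcr() {
    printf '%s\n' "$1" | grep -o "\"$2\": *\"[0-9a-fA-F]*\"" | head -n 1 \
        | sed 's/.*: *"\(.*\)"/\1/'
}

# A SHA384 measurement is 48 bytes, i.e. exactly 96 hex characters.
valid_pcr() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{96}$'
}

# Convert the Docker image ($1) into an .eif ($2) and print the measurements.
build_enclave_image() {
    check_key_curve private-key.pem || { echo "private-key.pem is not secp384r1" >&2; return 1; }
    out=$(qt enclave make-img --docker-uri "$1" --eif "$2" \
          --private-key private-key.pem --signing-certificate server.pem)
    pcr0=$(extract_pcr "$out" PCR0); pcr8=$(extract_pcr "$out" PCR8)
    valid_pcr "$pcr0" && valid_pcr "$pcr8" || { echo "unexpected PCR format" >&2; return 1; }
    printf 'PCR0=%s\nPCR8=%s\n' "$pcr0" "$pcr8"
}

# Constructed sample of make-img output (values taken from the example above).
SAMPLE_OUTPUT='{ "digest": "SHA384", "PCR0": "b8c59692da8a5bcb739a83d15a0ceca670bd78da06cb2250ec70548f72254e674419e9888db9c0364a9b88dd58017a62", "PCR8": "dbf4a7f9fab7f18619b5899c407081981ad6762fb9a809da78548821b5021965423181584acd7b201703376f1133a546" }'

# The real build runs only on request (RUN_BUILD=1 sh build-eif.sh); otherwise parse the sample.
if [ "${RUN_BUILD:-0}" = 1 ]; then
    gen_signing_material
    build_enclave_image ubuntu /home/docker/ubuntu.eif
else
    printf 'sample PCR0=%s\n' "$(extract_pcr "$SAMPLE_OUTPUT" PCR0)"
fi
```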