@elizaos/plugin-tee
A plugin for handling Trusted Execution Environment (TEE) operations, providing secure key derivation and remote attestation capabilities.
Overview​
This plugin provides functionality to:
- Generate secure keys within a TEE environment
- Derive Ed25519 keypairs for Solana
- Derive ECDSA keypairs for Ethereum
- Generate remote attestation quotes
- Manage wallet interactions with TEE-derived keys
Installation​
npm install @elizaos/plugin-tee
Configuration​
The plugin requires the following environment variables:
TEE_MODE=LOCAL|DOCKER|PRODUCTION
WALLET_SECRET_SALT=your_secret_salt # Required for single agent deployments
TEE_VENDOR=phala # Phala Cloud supported only currently
Usage​
Import and register the plugin in your Eliza configuration:
import { teePlugin } from '@elizaos/plugin-tee';
export default {
plugins: [teePlugin],
// ... other configuration
};
Features​
DeriveKeyProvider​
The DeriveKeyProvider allows for secure key derivation within a TEE environment:
import { DeriveKeyProvider } from '@elizaos/plugin-tee';
// Initialize the provider
const provider = new DeriveKeyProvider();
// Derive a raw key
const rawKey = await provider.rawDeriveKey('/path/to/derive', 'subject-identifier');
// rawKey is a DeriveKeyResponse that can be used for further processing
const rawKeyArray = rawKey.asUint8Array();
// Derive a Solana keypair (Ed25519)
const solanaKeypair = await provider.deriveEd25519Keypair('/path/to/derive', 'subject-identifier');
// Derive an Ethereum keypair (ECDSA)
const evmKeypair = await provider.deriveEcdsaKeypair('/path/to/derive', 'subject-identifier');
RemoteAttestationProvider​
The RemoteAttestationProvider generates remote attestations within a TEE environment:
import { RemoteAttestationProvider } from '@elizaos/plugin-tee';
const provider = new RemoteAttestationProvider();
const attestation = await provider.generateAttestation('your-report-data');
Development​
Requirements​
Create a TEE Project Starter​
elizaos create tee-agent --tee
Authenticate Your Phala Cloud Account​
# cd into directory and authenticate your Phala Cloud API Key
cd tee-agent
elizaos tee phala auth login
Build and Publish Docker Image​
# Log into Docker and ensure docker is running
elizaos tee phala docker build
# Publish the Docker image you built
elizaos tee phala docker push
Generate Docker Compose File​
# Generate a Docker Compose file or update the image in the existing docker compose file
elizaos tee phala docker generate --template eliza
Deploy to Phala Cloud​
# Create and deploy a CVM
elizaos tee phala cvms create --name elizaos -c <docker-compose-file> -e <path-to-env>
Upgrade Agent in Phala Cloud​
elizaos tee phala cvms upgrade -c <docker-compose-file> -e <path-to-env-(optional)>
Get Agent's Remote Attestation Report​
elizaos tee phala cvms attestation <app-id>
Local Development​
To get a TEE simulator for local testing, use the following commands:
# Start the simulator
elizaos tee phala simulator start
# Run your docker compose file
docker compose up
Dependencies​
@phala/dstack-sdk: Core TEE functionality@solana/web3.js: Solana blockchain interactionviem: Ethereum interaction library- Other standard dependencies listed in package.json
API Reference​
Actions​
phalaRemoteAttestationAction: Action to generate a remote attestation report on the processed message and upload the attestation report to https://proof.t16z.com
Providers​
deriveKeyProvider: Manages secure key derivation within TEEremoteAttestationProvider: Handles generation of remote attestation quoteswalletProvider: Manages wallet interactions with TEE-derived keys
Services​
TEEService: Service to use the key generation functions to generate keys for EVM or Solana based blockchains
Types​
enum TEEMode {
OFF = 'OFF',
LOCAL = 'LOCAL', // For local development with simulator
DOCKER = 'DOCKER', // For docker development with simulator
PRODUCTION = 'PRODUCTION', // For production without simulator
}
interface RemoteAttestationQuote {
quote: string;
timestamp: number;
}
Future Enhancements​
-
Key Management
- Advanced key derivation schemes
- Multi-party computation support
- Key rotation automation
- Backup and recovery systems
- Hardware security module integration
- Custom derivation paths
-
Remote Attestation
- Enhanced quote verification
- Multiple TEE provider support
- Automated attestation renewal
- Policy management system
- Compliance reporting
- Audit trail generation
-
Security Features
- Memory encryption improvements
- Side-channel protection
- Secure state management
- Access control systems
- Threat detection
- Security monitoring
-
Chain Integration
- Multi-chain support expansion
- Cross-chain attestation
- Chain-specific optimizations
- Custom signing schemes
- Transaction privacy
- Bridge security
-
Developer Tools
- Enhanced debugging capabilities
- Testing framework
- Simulation environment
- Documentation generator
- Performance profiling
- Integration templates
-
Performance Optimization
- Parallel processing
- Caching mechanisms
- Resource management
- Latency reduction
- Throughput improvements
- Load balancing
We welcome community feedback and contributions to help prioritize these enhancements.
Contributing​
Contributions are welcome! Please see the CONTRIBUTING.md file for more information.
Credits​
This plugin integrates with and builds upon several key technologies:
- Phala Cloud: TEE Cloud Hosting Platform built by Phala Network
- @phala/dstack-sdk: dstack SDK for key generation and remote attestation function calls
- @solana/web3.js: Solana blockchain interaction
- viem: Ethereum interaction library
- Dstack Deep Wiki: dstack is a developer-friendly platform designed to simplify the deployment of containerized applications into Trusted Execution Environments (TEEs)
Special thanks to:
- The Phala Network team for their TEE infrastructure
- The Intel SGX/TDX team for TEE technology
- The dstack SDK maintainers
- The Eliza community for their contributions and feedback
For more information about TEE capabilities:
License​
This plugin is part of the Eliza project. See the main project repository for license information.