Skip to content

Encrypted Python Programs and Encrypted Input

With the help of a simple wordcount Python program, we show how to execute encrypted Python code inside of an SGX enclave. In this example, we also show how to encrypt an input file. The Python engine itself also runs inside the same enclave.

We put both the Python code as well as the input file of the wordcount in the same encrypted filesystem. Typically, we would put the Python code in the encrypted filesystem of the image and the encrypted input and output files in one or more encrypted volumes mapped into the container.

SCONE Configuration

This Python image that we use is not intended for production usage

The Python libraries in the Python base image **are not encrypted*. Moreover, the Python engine runs inside of a debug enclave. Contact us, if you need a production-ready Python engine with encrypted Python libraries.*

You require access to the images

Just register a free account on

Getting the Code

After you gotten access to the repos, you can get the code via:

git clone

and then enter directory EncryptedWordCount

cd EncryptedWordCount


The Python source code and the input file is stored in directory native-files/. The code is just some very simple Python code to count the frequency of words in a given file:

import sys

for word in
    if word not in wordcount:
        wordcount[word] = 1
        wordcount[word] += 1
for k,v in wordcount.items():
    print(k, v)

Creating Image with Encrypted wordcount

The repository includes a script that

  • encrypts the files in directory native-files/: the files are integrity, confidentiality and rollback protected
  • attests that CAS is a proper CAS running inside an enclave and then stores the TLS certificate of the CAS in the local file system
  • generates a docker image containing a Python engine which runs inside of an enclave
  • pushes a security policy to CAS via TLS (checking the certificate of CAS) that includes (a) the encryption key of the encrypted files, and (b) limits access to the generated image
  • access to the security policy is controlled via a self-generated key pair

Perform all of the above steps by executing the following shell script:


This creates an image encryptedwordcount stored in the local registry and a session in a SCONE Configuration and Attestation Service (CAS) running on a remote site.

We assume in this demo that the creation of the wordcount image is performed on a trusted host. The execution of the wordcount can be performed on an untrusted host. For simplicity, we execute on the same host.

Running the wordcount image

First, read some environment variables set by ./

source myenv

and then start the with docker-compose:

docker-compose up

You will see quite some log output ending with

python_1  | scone 1
python_1  | region. 3
python_1  | Hence, 1
python_1  | {ephemeral 1
python_1  | without 1
python_1  | command 1
python_1  | File 1
python_1  | mechanisms. 1
python_1  | region: 1
python_1  | the 19
python_1  | path. 1
python_1  | document. 1
encryptedwordcount_python_1 exited with code 0

Stop the compose file with control-C.

You can run it again by executing docker-compose up again.


Cleanup afterwards by executing:


before starting it with ./ and docker-compose up again.

Note: Please read Hello World tutorial to learn more about the technical details.