---
title: "Convert a container to run under EnclaveOS"
slug: "convert-a-container-to-run-under-enclaveos"
updated: 2026-04-04T02:22:39Z
published: 2026-04-04T02:22:47Z
---
> ## Documentation Index
> Fetch the complete documentation index at: https://support.fortanix.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Convert a container to run under EnclaveOS
Post/convert-image
Given an input container image and conversion options, generates a new image that runs in the Fortanix EnclaveOS environment
Body parametersExpand Allobject inputImageNamestring Required
Registry and image name for the input container, e.g. my-registry/sample-app:latest
outputImageNamestring Required
Registry and image name for the output container, e.g. my-registry/sample-app-enclaveos:latest
inputAuthConfigobject (AuthConfig)
Credentials for authenticating to a docker registry
usernamestring Required
User name for docker registry authentication
passwordstring
Password for docker registry authentication. Note that this field may be redacted when it appears in API responses.
outputAuthConfigobject (AuthConfig)
Credentials for authenticating to a docker registry
usernamestring Required
User name for docker registry authentication
passwordstring
Password for docker registry authentication. Note that this field may be redacted when it appears in API responses.
authConfigobject (AuthConfig)
Credentials for authenticating to a docker registry
usernamestring Required
User name for docker registry authentication
passwordstring
Password for docker registry authentication. Note that this field may be redacted when it appears in API responses.
isvprodidinteger (int64)
This is the enclave productId.
isvsvninteger (int64)
This is the enclave security version.
memSizestring
Override the enclave size, e.g. 2048M. Suffixes K, M, and G are supported.
threadsinteger (int32)
Number of enclave threads
debugboolean
Enables debug logging from EnclaveOS
entrypoint Array of string
Override the entrypoint of the original container
string
entrypointArgs Array of string
Override additional arguments to the container entrypoint
string
encryptedDirs Array of string
List of read-write files and/or directories which are encrypted using the enclave sealing key Default encrypted directories - enclave-os protects the content in these files by encrypting them using the enclave sealing key. Anyone is allowed to read from or write to these files but only the enclave application can see it's contents in plain text.
- /tmp
- /run
- /ftx-efs
- /opt/fortanix/enclave-os/app-config/rw
Tips while debugging -> The default encrypted directories visible to the guest application as /tmp, /run and /ftx-efs are available in the container filesystem at /opt/fortanix/enclave-os/default-efs-dirs/.
string
manifestOptionsobject
Add additional options to EnclaveOS manifest file
certificates Array of object (CertificateConfig) object issuerstring
Certificate issuance strategy
Valid values[
"MANAGER_CA",
"NODE",
"SELF_IAS"
]Default"MANAGER_CA"
subjectstring
Certificate subject common name, typically a DNS name
keyTypestring
Type of key to generate
Valid values[
"RSA"
]Default"RSA"
keyParamobject
Key parameters. Currently must be an instance of RsaKeyParam, but other types may be supported in the future.
keyPathstring
Path to expose the key in the application filesystem
certPathstring
Path to expose the certificate in the application filesystem
signingKeyobject (SigningKeyConfig)
Configures a key to sign the converted image
defaultobject (DefaultSigningKeyConfig)
Requests signing the converted image with a default key
sdkmsobject (SdkmsSigningKeyConfig)
Configures an SDKMS signing key. The key must be an RSA key with public exponent 3.
namestring
name of the signing key in SDKMS
apiKeystring
API key to authenticate with SDKMS
externalPackagesstring
Fortanix external packages mount point in the toolserver container
coreDumpPatternstring
Template for generating debug core dump file paths
logFilePathstring
Path for EnclaveOS log file
javaModestring
roDirs Array of string
List of read only directories Default read-only directories - enclave-os protects the integrity of these files and hence only allows these files to be read and not modified.
- /
- /opt/fortanix/enclave-os/app-config/ro
string
rwDirs Array of string
List of read-write files and/or directories Default read-write directories - enclave-os doesn't provide any security measures for these files and anyone is allowed to read from or write to these files.
- /etc/hosts
- /etc/resolv.conf
- /etc/hostname
string
allowCmdlineArgsboolean
Allow command line arguments to EnclaveOS application
manifestEnv Array of string
List of manifest environment variables
string
Responses200
Registry and image name for the output container (same as outputImageName in the request)
object newImagestring
Registry and image name for the output container (same as outputImageName in the request)
imageSHAstring
Shortened SHA256 Hash of the output image (This is the id of the image)
imageSizeinteger
The output image size in bytes
isvprodidinteger
This is the enclave productId which is same as the isvprodid in input request, if set. Default value is 0
isvsvninteger
This is the enclave security version which is same as the isvsvn in input request, if set. Default value is 0
mrenclavestring
This is the measurement of the enclave which uniquely identifies the shielded application. This is in hex format.
mrenclave2string
This is the measurement of the enclave which uniquely identifies the shielded application for SGX2. This is in hex format.
mrsignerstring
This is the hash of the signing key which uniquely identifies the signing key. This is in hex format.