# Deploy a vault in an enclave

These steps describe how to deploy a vault in an AWS Nitro enclave to connect your HSM to Ripple Custody.

These steps require support assistance from Ripple to complete. For more information, contact your Ripple liaison.

## Prerequisites

To configure AWS CloudHSM to work with Ripple Custody, you need:

- From Ripple:
  - An AWS enclave Terraform script
  - The `encrypt-cli` tool
- From your Ripple Custody environment:
  - The notary messaging public key, retrieved with a call to the [List system properties](/products/custody/v1.15/api/reference/openapi/systemproperties/getsystemproperties) API operation.


## Deploy the vault

To deploy the vault:

1. Create your enclave contract, in a format similar to the following Podman Play YAML file:

```json
# Enclave configuration (required)
kind: Enclave
apiVersion: v1
#
# specify if enclaves requires disk storage via NBD
requireVarDisk: false
requireDataDisk: false
#
# base64 encoded disk encryption keys, min=32 byte. If empty keys are auto-generated on every boot!
# Example: dd if=/dev/random bs=1 count=32 | base64
encryptionKeyVar: <i-cannot-share-this>
encryptionKeyData: <i-cannot-share-this>
#
# auths: login credentials for private container registries (optional)
auths:
  - registry: metaco.azurecr.io
    username: <i-cannot-share-this>
    password: <i-cannot-share-this>
hostname: enclave-vault-1
---
# POD definition (required)
# Pod configuration map (optional)
kind: ConfigMap
apiVersion: v1
metadata:
  name: config
data:
  
---
kind: Pod
apiVersion: v1
metadata:
  name: vault-pod
spec:
  volumes:
    - name: config
      configMap:
        name: config
  containers:
```


For help to define an appropriate pod structure for the current release, [contact Ripple](/products/custody/v1.15/support/get-support).

1. Using `encrypt-cli`, generate the enclave contract token.
2. Run the Terraform script with the contract token created in step 2 as an input parameter.