Part of the ENC Ecosystem
The ENC Server is the hardened core of the ecosystem. It provides the secure execution environment, project storage, and SSH access control.
Pull and run the pre-built hardened server image:

Option 1: Docker Hub

```sh
docker pull pranjalab/enc-server:latest
```

Option 2: GitHub Container Registry (GHCR)

```sh
docker pull ghcr.io/pranjalab/enc-server:latest
```

Run Command:

```sh
docker run -p 2222:22 --cap-add SYS_ADMIN --device /dev/fuse ghcr.io/pranjalab/enc-server:latest
```

`--cap-add SYS_ADMIN` and `--device /dev/fuse` are needed so the container can mount gocryptfs volumes. CAP_SYS_ADMIN is a broad capability that weakens the container-to-host boundary, so run this image on a host dedicated to it and apply the network restrictions described further down.

The server creates a security boundary around your code:
- Encrypted Storage: Projects are stored as encrypted ciphertexts using gocryptfs. Keys are never persisted in plaintext on the server disk.
- SSH Bastion: Access is strictly controlled via an OpenSSH server running on a non-standard port (`2222`).
- Restricted Shell: Users are confined to a custom `enc-shell`, preventing unauthorized traversal of the host OS.
- Ephemeral Runtime: Code execution happens in an ephemeral runtime that is wiped immediately after use.
- Docker & Docker Compose installed on the host machine.
- Port `2222` free on the host (or configurable in `docker-compose.yml`).
Navigate to the enc-server directory and start the system. The script will automatically pull the latest hardened image.

```sh
cd enc-server
./deploy.sh
# Or manually: docker compose up -d
```

Check that the container is running:

```sh
docker ps
# You should see the ENC server container with the port mapping 0.0.0.0:2222->22/tcp
```

The server uses a local policy file and SSH authorized keys to manage users.
The default admin user is configured during the build. To connect manually (for debugging):

```sh
ssh -p 2222 admin@localhost
```

You manage users through the ENC CLI (connected as an admin) or by manually editing the server state if you have root access to the container.
Using CLI (Recommended):

```sh
# Connect with your local CLI
enc login
# Create a new user
enc user create new_dev --role user
```

Manual / Emergency Access: Access the running container to manage users directly:

```sh
docker exec -it enc_ssh_server /bin/bash
# Inside the container, you can check logs or inspect storage
ls /home
```

All user data is stored in the persistent volume mapped to `/home`:

- `/home/<user>/.enc/config.json`: User-specific configuration and project list.
- `/home/<user>/.enc/vault/`: Encrypted ciphertext folders for each project.
- `/home/<user>/.enc/run/`: Active mount points (empty when not in session).
- No Root Access: Regular users cannot `sudo` or access other users' directories.
- Locked Down Network: The container should be firewalled to only allow inbound traffic on port `2222`. Docker inserts its own rules for published ports ahead of the host's INPUT chain, so put host-level restrictions in the DOCKER-USER chain (or bind the port to a specific interface with `-p <ip>:2222:22`) rather than relying on INPUT rules alone.
- Policy Enforcement: The `policy.json` file (internal) defines global roles and permissions.
The ENC Server implements strict session management to ensure security.
- Inactivity Timeout: Sessions are automatically closed if no commands are executed for 10 minutes (600 seconds).
- Mount Activity Keep-Alive: Active file modifications in a mounted project will refresh the session timer, keeping it alive during coding sessions.
- Closure Conditions:
  - Command Timeout: User is idle (no CLI commands) > 10 mins.
  - Mount Timeout: User stops editing files in a mounted project > 10 mins.
  - Explicit Logout: User runs `enc logout`.
- The CLI (`enc-client`) validates the session ID with the server before every critical command.
- If the server reports the session as expired ("Please login first"), the CLI will prompt the user to re-authenticate.
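The timeout rules above, written out as a check that can be run against recorded activity timestamps. This is an added example, not enc-server's own session code: the `ENC_SESSION_TIMEOUT` variable, the `last_command` / `last_mount` state files and the `enc_*` function names are assumptions made for illustration, not documented server internals.

```sh
#!/usr/bin/env sh
# Added example, not enc-server's own code. Timestamps are Unix epoch seconds.
# ENC_SESSION_TIMEOUT and the last_command / last_mount state files are
# assumptions of this example.
ENC_SESSION_TIMEOUT="${ENC_SESSION_TIMEOUT:-600}"

# enc_session_state <now> <last_command_ts> [<last_mount_activity_ts>|-]
# Prints "active" or "expired". The session stays alive while EITHER the last
# CLI command OR the last write in a mounted project is inside the window:
# this is the mount keep-alive rule, edits refresh the timer just as commands do.
enc_session_state() {
  now=$1
  last_cmd=$2
  last_mount=${3:--}
  newest=$last_cmd
  if [ "$last_mount" != "-" ] && [ "$last_mount" -gt "$newest" ]; then
    newest=$last_mount
  fi
  idle=$((now - newest))
  if [ "$idle" -gt "$ENC_SESSION_TIMEOUT" ]; then
    echo expired
  else
    echo active
  fi
}

# enc_record_activity <session_dir> command|mount
# Stamps the current time into the matching state file (a shell would call this
# after each command, a mount watcher after each file write).
enc_record_activity() {
  mkdir -p "$1"
  date +%s > "$1/last_$2"
}

# enc_check_session <session_dir>
# Reads the state files, prints the state and returns 0 (active) or 1 (expired).
# A missing last_mount file means no project is mounted, so only commands count.
enc_check_session() {
  dir=$1
  [ -r "$dir/last_command" ] || { echo expired; return 1; }
  last_cmd=$(cat "$dir/last_command")
  if [ -r "$dir/last_mount" ]; then
    last_mount=$(cat "$dir/last_mount")
  else
    last_mount=-
  fi
  state=$(enc_session_state "$(date +%s)" "$last_cmd" "$last_mount")
  echo "$state"
  [ "$state" = active ]
}
```

The boundary is deliberately "strictly more than 600 seconds idle", matching the "> 10 mins" wording above; a session checked exactly 600 seconds after its last activity is still active.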
Log Analysis: If connections are failing, check the container logs:

```sh
docker logs -f enc_ssh_server
```

"Permission Denied" (publickey):

- Ensure the user's public key is correctly added to `/home/<user>/.ssh/authorized_keys`.
- Check permissions: `.ssh` must be `700`, `authorized_keys` must be `600`, and both must be owned by the user.
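An added example (not part of enc-server) that audits, and optionally repairs, exactly the conditions listed above for one user: the key is present in `authorized_keys`, `.ssh` is `0700`, `authorized_keys` is `0600`, and both are owned by the user. The `enc_*` function names are this example's own, and the key strings used in its test are constructed, not real keys.

```sh
#!/usr/bin/env sh
# Added example, not part of enc-server. The enc_* names are this example's own.

# _enc_mode_owner_ok <path> <octal_mode> <owner>
# Succeeds only if the path has exactly that mode and that owner (find's -perm
# without a leading - or / is an exact match, so 0644 does not pass as 0600).
_enc_mode_owner_ok() {
  [ -n "$(find "$1" -prune -perm "$2" -user "$3" -print 2>/dev/null)" ]
}

# enc_key_installed <authorized_keys> <pubkey_file>
# Succeeds if the key type and base64 blob from pubkey_file appear on a
# non-comment line of authorized_keys. The comment field and any leading
# options such as "no-pty" are ignored, so the line need not be byte-identical.
enc_key_installed() {
  want=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$2")
  [ -n "$want" ] || return 1
  awk -v want="$want" '
    /^#/ { next }
    { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == want) { found = 1; exit } }
    END { exit !found }' "$1"
}

# enc_audit_ssh_dir <home_dir> <owner> [fix]
# Prints one finding per line. With "fix" as the third argument it also applies
# chmod/chown. Returns 0 when the layout is correct, 1 otherwise.
enc_audit_ssh_dir() {
  home=$1; owner=$2; fix=${3:-}
  ssh_dir="$home/.ssh"; keys="$ssh_dir/authorized_keys"
  rc=0
  if [ ! -d "$ssh_dir" ]; then
    echo "missing: $ssh_dir"
    return 1
  fi
  if [ ! -f "$keys" ]; then
    echo "missing: $keys (no public key installed for $owner)"
    rc=1
  fi
  if ! _enc_mode_owner_ok "$ssh_dir" 700 "$owner"; then
    echo "bad mode/owner: $ssh_dir (want 0700, owner $owner)"
    if [ "$fix" = fix ]; then
      chmod 700 "$ssh_dir" && chown "$owner" "$ssh_dir" || rc=1
    else
      rc=1
    fi
  fi
  if [ -f "$keys" ] && ! _enc_mode_owner_ok "$keys" 600 "$owner"; then
    echo "bad mode/owner: $keys (want 0600, owner $owner)"
    if [ "$fix" = fix ]; then
      chmod 600 "$keys" && chown "$owner" "$keys" || rc=1
    else
      rc=1
    fi
  fi
  return $rc
}
```

Run it from inside the container as root, for example `enc_audit_ssh_dir /home/new_dev new_dev` to report and `enc_audit_ssh_dir /home/new_dev new_dev fix` to repair; `enc_key_installed /home/new_dev/.ssh/authorized_keys /tmp/new_dev.pub` confirms that the key the user is presenting is actually the one installed.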
"Device not configured" (Zombie Mounts): If the server crashes while a project is mounted, you might see stale mount points.

- Restart the container:

```sh
docker restart enc_ssh_server
```

- The ENC system now includes auto-cleanup on startup and logout to mitigate this.
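If a restart is not an option, the same cleanup can be done by hand. The following is an added example, not enc-server's own auto-cleanup: it walks the `/home/<user>/.enc/run/<project>` layout from the storage section, unmounts any FUSE mount that is still registered (which is what produces "Device not configured" once the gocryptfs process is gone), and removes empty leftover mount-point directories so that `run/` is empty again. The `enc_*` names are this example's own, and it assumes a Linux `/proc`.

```sh
#!/usr/bin/env sh
# Added example, not enc-server's own auto-cleanup. Names starting with enc_
# are this example's own. Assumes Linux (/proc/self/mounts) and paths without
# spaces, which /proc would show escaped as \040.

# enc_is_mounted <dir>: true if dir is currently a mount point. Reading
# /proc/self/mounts rather than stat'ing the directory matters here: a dead
# FUSE mount is still listed even though stat on it fails with ENXIO.
enc_is_mounted() {
  awk -v p="$1" '$2 == p { found = 1 } END { exit !found }' /proc/self/mounts 2>/dev/null
}

# enc_unmount <dir>: gocryptfs mounts are FUSE mounts, so try fusermount -u
# first and fall back to a lazy umount for a mount whose daemon has died.
enc_unmount() {
  fusermount -u "$1" 2>/dev/null || umount -l "$1" 2>/dev/null
}

# enc_clean_stale_mounts <home_root>
# For every <home_root>/*/.enc/run/<project>:
#   - still mounted (orphaned by a crash): unmount it and remove the directory
#   - not mounted and empty: remove the directory, restoring the idle state
#   - not mounted but non-empty: leave it and warn, because files written into
#     an unmounted directory may be plaintext and must be inspected, not deleted
# Diagnostics go to stderr; the number of entries cleared is printed on stdout.
enc_clean_stale_mounts() {
  root=$1
  cleared=0
  for d in "$root"/*/.enc/run/*; do
    if enc_is_mounted "$d"; then
      if enc_unmount "$d"; then
        echo "unmounted stale mount: $d" >&2
        rmdir "$d" 2>/dev/null
        cleared=$((cleared + 1))
      else
        echo "failed to unmount: $d" >&2
      fi
    elif [ -d "$d" ]; then
      if rmdir "$d" 2>/dev/null; then
        echo "removed empty mount point: $d" >&2
        cleared=$((cleared + 1))
      else
        echo "WARNING: $d is not mounted but not empty; inspect before removing" >&2
      fi
    fi
    # anything else is an unmatched glob (no entries) or a non-directory: skip
  done
  echo "$cleared"
}
```

Inside the container, `enc_clean_stale_mounts /home` does the whole sweep; run it before letting users log back in, since a user whose `run/<project>` is still a dead mount will see the same error on their next mount attempt.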