Skip to content

Production Checklist

Moving from a simulated environment (Mock Mode) to a hardware-secured production environment requires attention to detail regarding trust anchors and image integrity.

🛡️ Security Hardening

1. Native TEE Hardware

Ensure you are using supported TEE-capable nodes: - [ ] GCP: N2DL (AMD SEV-SNP) or C3D. - [ ] Azure: DCsv3 or ECsv3 (Intel SGX). - [ ] AWS: Nitro-based instances with Enclaves enabled.

2. Notarized Images

In production, the Lucid Operator will refuse to pull sidecars that are not cryptographically notarized. - [ ] Run lucid auditor publish for every auditor image. - [ ] Verify the image digest matches the one registered in the Lucid Verifier.

3. Non-Root Execution

  • [ ] Ensure your Auditor Dockerfile uses a non-root user (UID > 1000).

☸️ Infrastructure Readiness

1. Mandatory Sidecars

  • [ ] Verify the Lucid Operator is running with high availability (replicaCount > 1).
  • [ ] Ensure all nodes are correctly labeled with lucid.io/role=tee-workload.

2. Networking

  • [ ] Check that your cluster can reach the Lucid SaaS endpoints:
    • https://verifier.lucid.sh
    • https://observer.lucid.sh

🧪 Operational Validation

1. AI Passport Verification

  • [ ] Deploy a test workload.
  • [ ] Verify that the returned AI Passport shows hardware_attested: true.
  • [ ] Ensure the signature chain reflects the hardware manufacturer's certificate (Intel/AMD).

2. Log Monitoring

  • [ ] Connect your production cluster to the Lucid Observer.
  • [ ] Verify that audit logs for blocked/redacted requests are appearing in real-time.

🆘 Support

For assistance with production deployments, please contact the Lucid Engineering team at support@lucid.sh.