diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index dcecbaf3..5ba08185 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -106,9 +106,39 @@ jobs: run: make release if: startsWith(github.ref, 'refs/tags/v') - integration-tests: + deploy-ec2: if: "!startsWith(github.ref, 'refs/tags/v')" needs: publish + runs-on: ec2 + steps: + - name: Login to DockerHub + uses: docker/login-action@v3 + if: "!startsWith(github.ref, 'refs/tags/v')" + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: remove slash from image tag + uses: mad9000/actions-find-and-replace-string@5 + id: replaceslash + with: + source: ${{ github.head_ref || github.ref_name }} + find: '/' + replace: '-' + if: "!startsWith(github.ref, 'refs/tags/v')" + - name: pull and start the Signatory image under test + env: + IMAGE: ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64 + run: > + docker pull $IMAGE; + docker stop signatory; + docker rm signatory; + docker run -d --name signatory --privileged --mount type=bind,src=/etc/signatory,dst=/etc/signatory --mount type=bind,src=/var/lib/signatory,dst=/var/lib/signatory -p 6732:6732 -p 9583:9583 --entrypoint "/bin/signatory" $IMAGE -c /etc/signatory/config.yml serve + if: "!startsWith(github.ref, 'refs/tags/v')" + + integration-tests: + if: "!startsWith(github.ref, 'refs/tags/v')" + needs: deploy-ec2 runs-on: ubuntu-latest strategy: fail-fast: false @@ -133,6 +163,12 @@ jobs: find: '/' replace: '-' if: "!startsWith(github.ref, 'refs/tags/v')" + - if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref, 'refs/tags/v')}} + name: Tailscale + uses: tailscale/github-action@v1 + with: + authkey: ${{ secrets.TAILSCALE_AUTHKEY }} + version: 1.32.2 - name: Run tests env: IMAGE: ghcr.io/ecadlabs/signatory:${{ steps.replaceslash.outputs.value }}-amd64 
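Review bot: The new `deploy-ec2` job starts the branch-built image with `--privileged` on the self-hosted `ec2` runner, with `/etc/signatory` and `/var/lib/signatory` bind-mounted writable, so whatever the branch builds gets host-level access to the signer's configuration and data directories. Unlike the Tailscale step added further down, the job has no fork check; the workflow triggers are outside this hunk, but if pull requests reach it the job condition should carry the same guard, `if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref, 'refs/tags/v') }}`. If the container only needs the enclave device, pass that device with `--device` and drop `--privileged`, and add `,readonly` to the `/etc/signatory` mount. `mad9000/actions-find-and-replace-string@5` now also executes on that runner and is referenced by a movable tag; pin it to a full commit SHA. The step name "Login to DockerHub" is misleading given `registry: ghcr.io`.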
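Review bot: The Tailscale step hands `secrets.TAILSCALE_AUTHKEY` to `tailscale/github-action@v1`, which is a movable tag; pin the action to a full commit SHA so a retagged release cannot read the key. The diff does not show how the key is provisioned, so confirm it is ephemeral and tagged so that the tailnet ACLs limit these runners to the signer's port. The step is skipped for forks, but nothing visible skips `TestNitroEnclaveVault` or the `nitro` key import in `init.sh`, so fork runs will presumably fail there; the same condition should gate both. A short comment above the step saying the tailnet is needed to reach the EC2-hosted signer would help.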
diff --git a/integration_test/tests/vaults/vault_nitroenclave_test.go b/integration_test/tests/vaults/vault_nitroenclave_test.go new file mode 100644 index 00000000..c78ca69f --- /dev/null +++ b/integration_test/tests/vaults/vault_nitroenclave_test.go @@ -0,0 +1,15 @@ +package vaults_test + +import ( + "testing" + + integrationtest "github.com/ecadlabs/signatory/integration_test/tests" + + "github.com/stretchr/testify/require" +) + +func TestNitroEnclaveVault(t *testing.T) { + out, err := integrationtest.OctezClient("-w", "1", "transfer", "1", "from", "nitro", "to", "alice", "--burn-cap", "0.06425") + require.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") +} diff --git a/integration_test/tezos_scripts/init.sh b/integration_test/tezos_scripts/init.sh index 744ee77c..d3f967aa 100644 --- a/integration_test/tezos_scripts/init.sh +++ b/integration_test/tezos_scripts/init.sh @@ -19,6 +19,8 @@ script_dir="/home/tezos/tezos_scripts" default_endpoint="http://tezos-node:18731" manual_baking_endpoint="http://tezos-node-manual-bake:18731" manual_baking_client_config="/home/tezos/manual-bake-client" +default_signatory="http://signatory:6732" +ec2_signatory="http://10.0.3.122:6732" client="octez-client" $client -E $default_endpoint config update 
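Review bot: `TestNitroEnclaveVault` has no doc comment, and nothing in the file says that the `nitro` alias is served by a Signatory instance outside the compose network. I would add `// TestNitroEnclaveVault signs a transfer with the "nitro" key, which init.sh imports from the EC2-hosted Signatory; the test needs that host to be reachable.` above the function. Passing the client output to the first assertion, `require.NoError(t, err, string(out))`, would make a connectivity failure readable in the CI log.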
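Review bot: `ec2_signatory` hard-codes a private address, `http://10.0.3.122:6732`, and the signer is reached over plain HTTP, so the signing requests depend entirely on the tunnel and on whatever authentication the Signatory config on that host enforces (not visible in this diff). Making the endpoint overridable keeps the address out of the script logic and lets runs without the EC2 host point elsewhere, for example `ec2_signatory="${EC2_SIGNATORY:-http://10.0.3.122:6732}"`. A one-line comment saying this is the instance started by the `deploy-ec2` job would also help.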
@@ -58,7 +60,7 @@ $client import secret key bootstrap4 $BOOTSTRAP4_SECRET || exit 1 $client import secret key bootstrap5 $BOOTSTRAP5_SECRET || exit 1 $client import secret key activator $ACTIVATOR_SECRET || exit 1 #baker1 is used on the manual bake chain for operation kinds test of baking operations. it is an alias for the bootstrap1 account on the manual bake chain -$client -d $manual_baking_client_config import secret key baker1 http://signatory:6732/tz1KqTpEZ7Yob7QbPE4Hy4Wo8fHG8LhKxZSx || exit 1 +$client -d $manual_baking_client_config import secret key baker1 $default_signatory/tz1KqTpEZ7Yob7QbPE4Hy4Wo8fHG8LhKxZSx || exit 1 protocol_hash=$(grep "^$protocol_name" $script_dir/protocol_hash) protocol_full_name=$(cat $tezos_script_dir/active_protocol_versions | grep -E '^[0-9]{3}-[A-Za-z]+$' | grep "$protocol_name$") 
@@ -80,50 +82,54 @@ $client -E $manual_baking_endpoint -block genesis activate protocol $protocol_ha # These keys are used in the integration tests and should be imported after the protocol activation. # alice -$client import secret key alice http://signatory:6732/tz1VSUr8wwNhLAzempoch5d6hLRiTh8Cjcjb +$client import secret key alice $default_signatory/tz1VSUr8wwNhLAzempoch5d6hLRiTh8Cjcjb $client --wait none transfer 100000 from bootstrap2 to alice --burn-cap 0.07 $client bake for --minimal-timestamp # bob -$client import secret key bob http://signatory:6732/tz1aSkwEot3L2kmUvcoxzjMomb9mvBNuzFK6 +$client import secret key bob $default_signatory/tz1aSkwEot3L2kmUvcoxzjMomb9mvBNuzFK6 $client --wait none transfer 100000 from bootstrap2 to bob --burn-cap 0.07 $client bake for --minimal-timestamp # opstest -$client import secret key opstest http://signatory:6732/tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B +$client import secret key opstest $default_signatory/tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B $client --wait none transfer 100000 from bootstrap2 to opstest --burn-cap 0.07 $client bake for --minimal-timestamp # opstest1 -$client import secret key opstest1 http://signatory:6732/tz1R8HJMzVdZ9RqLCknxeq9w5rSbiqJ41szi +$client import secret key opstest1 $default_signatory/tz1R8HJMzVdZ9RqLCknxeq9w5rSbiqJ41szi $client --wait none transfer 100000 from bootstrap2 to opstest1 --burn-cap 0.07 $client bake for --minimal-timestamp # tz1alias -$client import secret key tz1alias http://signatory:6732/tz1dSrM2D7XcWPhdZpDxzNkmVLvdWSxApXaR +$client import secret key tz1alias $default_signatory/tz1dSrM2D7XcWPhdZpDxzNkmVLvdWSxApXaR $client --wait none transfer 100000 from bootstrap2 to tz1alias --burn-cap 0.07 $client bake for --minimal-timestamp # tz2alias -$client import secret key tz2alias http://signatory:6732/tz2QPsZoZse4eeahhg5DdfnBDB4VbU1PwgxN +$client import secret key tz2alias $default_signatory/tz2QPsZoZse4eeahhg5DdfnBDB4VbU1PwgxN $client --wait none transfer 100000 from bootstrap2 to 
tz2alias --burn-cap 0.07 $client bake for --minimal-timestamp # tz3alias -$client import secret key tz3alias http://signatory:6732/tz3ZbCsUveF3Q6WUNkThT1wyJyhPunanaAXK +$client import secret key tz3alias $default_signatory/tz3ZbCsUveF3Q6WUNkThT1wyJyhPunanaAXK $client --wait none transfer 100000 from bootstrap2 to tz3alias --burn-cap 0.07 $client bake for --minimal-timestamp # tz4alias -$client import secret key tz4alias http://signatory:6732/tz4XXtsYav3fZz2FSDa7hcx4F8sh8SaDWNME +$client import secret key tz4alias $default_signatory/tz4XXtsYav3fZz2FSDa7hcx4F8sh8SaDWNME $client --wait none transfer 100000 from bootstrap2 to tz4alias --burn-cap 0.07 $client bake for --minimal-timestamp # speculos -$client import secret key speculos http://signatory:6732/tz1RVYaHiobUKXMfJ47F7Rjxx5tu3LC35WSA +$client import secret key speculos $default_signatory/tz1RVYaHiobUKXMfJ47F7Rjxx5tu3LC35WSA $client --wait none transfer 100000 from bootstrap2 to speculos --burn-cap 0.07 $client bake for --minimal-timestamp +$client import secret key nitro $ec2_signatory/tz2Gx28QytbwB9xZYUbc14HrVTJkwwYy4WAk +$client --wait none transfer 100000 from bootstrap2 to nitro --burn-cap 0.07 +$client bake for --minimal-timestamp + echo "All keys imported successfully!" octez-baker run remotely --without-dal --liquidity-baking-toggle-vote pass
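Review bot: The added `nitro` import talks to a remote host but its result is not checked, so when `$ec2_signatory` is unreachable the following transfer fails and the script still prints "All keys imported successfully!". Check the result and quote the expansion, e.g. `$client import secret key nitro "$ec2_signatory/tz2Gx28QytbwB9xZYUbc14HrVTJkwwYy4WAk" || exit 1` if the EC2 signer is mandatory, or log a warning and skip the transfer if it is optional. The block also lacks the `# nitro` heading comment that every other key in this hunk has.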