diff --git a/.github/workflows/release-kms-derive-server-enclave.yml b/.github/workflows/release-kms-derive-server-enclave.yml
new file mode 100644
index 0000000..27db7cc
--- /dev/null
+++ b/.github/workflows/release-kms-derive-server-enclave.yml
@@ -0,0 +1,37 @@
+name: Release kms/derive-server-enclave
+on:
+  workflow_dispatch:
+   inputs:
+    version:
+     description: 'release version'
+     required: true
+jobs:
+  build:
+    if: github.actor == 'roshanrags'
+    name: Release
+    strategy:
+      matrix:
+        include:
+        - os: 'ubuntu-24.04'
+          runs-on: 'ubicloud-standard-8'
+          OOS: linux
+          ARCH: amd64
+        - os: 'ubuntu-24.04'
+          runs-on: 'ubicloud-standard-8-arm'
+          OOS: linux
+          ARCH: arm64
+    runs-on: ${{ matrix.runs-on }}
+    steps:
+    - name: Install Nix
+      uses: cachix/install-nix-action@v30
+    - name: Cachix
+      uses: cachix/cachix-action@v15
+      with:
+        name: oyster
+        authToken: ${{secrets.CACHIX_AUTH_TOKEN}}
+    - name: build
+      run: nix build -vL --accept-flake-config github:marlinprotocol/oyster-monorepo/kms-derive-server-enclave-${{github.event.inputs.version}}#musl.kms.derive-server-enclave.default
+    - name: upload
+      run: |
+        AWS_ACCESS_KEY_ID=${{secrets.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY=${{secrets.AWS_SECRET_ACCESS_KEY}} aws s3 cp --endpoint-url ${{secrets.AWS_S3_ENDPOINT}} ./result/image.eif s3://artifacts/oyster/eifs/kms-derive-server_${{github.event.inputs.version}}_${{matrix.OOS}}_${{matrix.ARCH}}.eif
+        AWS_ACCESS_KEY_ID=${{secrets.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY=${{secrets.AWS_SECRET_ACCESS_KEY}} aws s3 cp --endpoint-url ${{secrets.AWS_S3_ENDPOINT}} ./result/pcr.json s3://artifacts/oyster/eifs/kms-derive-server_${{github.event.inputs.version}}_${{matrix.OOS}}_${{matrix.ARCH}}.json