Confidential Computing — Complete Guide: How to Protect Data In Use
Encryption protects data at rest and in transit — but what about while it's being processed? Confidential computing uses hardware-based Trusted Execution Environments (TEEs) to protect data even while it's being computed on, keeping it secret from cloud providers, hypervisors, and even the OS. This guide covers TEE technologies, attestation, and real-world use cases.
3 states
of data: at rest, in transit, in use
TEE
Trusted Execution Environment — the core technology
Intel SGX
most widely deployed TEE technology
Zero trust
even the cloud provider cannot see your data
The Problem: Data In Use Is Exposed
The gap in traditional encryption
Even with full-disk encryption and TLS in transit, when your application processes data, it is decrypted in memory. The OS kernel, hypervisor, cloud provider operations staff, and any other compromised process on the same physical machine can potentially access that plaintext memory. Confidential computing closes this gap with hardware-enforced memory isolation.
| Item | Traditional Cloud | Confidential Computing |
|---|---|---|
| Data at rest | Encrypted with AES-256 | Encrypted (same — no change) |
| Data in transit | Encrypted with TLS 1.3 | Encrypted (same — no change) |
| Data in use | Plaintext in memory — exposed to OS and hypervisor | Encrypted in TEE — CPU decrypts only inside the enclave boundary |
| Cloud provider trust | Must trust cloud provider staff and infrastructure | Zero-trust — provider cannot access data even with physical server access |
| Hypervisor access | Can read VM memory at any time | Hardware blocks hypervisor from reading enclave memory |
| Rogue admin attack | Root access → memory dump → plaintext data | Root access still cannot read encrypted enclave memory |
How TEEs Work
Secure enclave is created
The CPU creates an isolated memory region (the enclave) that is encrypted by the Memory Encryption Engine. This happens at hardware level — the CPU uses a key that is only known to itself, stored in protected fuses, never accessible to software.
Code and data loaded
The application code and sensitive data are loaded into the enclave. Everything inside is encrypted in DRAM. The CPU transparently decrypts when executing code and re-encrypts when writing back to memory — all in the CPU die, invisible to the rest of the system.
Attestation proves integrity
Before sending sensitive data to the enclave, you remotely verify: is the expected code running? Is it on genuine hardware? Is the hardware firmware up to date? This cryptographic proof prevents MitM attacks.
Secure channel established
After attestation succeeds, a TLS-like secure channel is established directly to the enclave, bypassing the untrusted OS. Sensitive data is sent only through this verified channel.
Computation in isolation
The enclave processes data with complete hardware isolation. Even DMA attacks are blocked. The hypervisor, kernel, other VMs, and cloud provider cannot observe memory contents during computation.
Results returned securely
Results are returned through the secure channel, re-encrypted before leaving the enclave. Keys and intermediate state are destroyed when the enclave closes — no data leaks to the untrusted environment.
TEE Technologies
| Item | Technology | Description |
|---|---|---|
| Intel SGX | Application-level TEE — process isolation | Fine-grained memory isolation, strong attestation. ~256MB EPC limit (expandable with SGX2). High overhead for large workloads. |
| AMD SEV-SNP | VM-level TEE — full VM isolation | Entire VM is confidential. Larger memory, lower overhead (~5-10%). Strong attestation. Available on Azure, GCP, AWS. |
| ARM TrustZone | Processor-level TEE — two worlds | Splits processor into Secure/Normal worlds. Used in smartphones, IoT, payment terminals. Qualcomm Secure Execution Environment built on TrustZone. |
| Intel TDX | VM-level TEE (Intel's SEV equivalent) | Confidential VMs on 4th gen+ Intel Xeon. Lower overhead than SGX. Emerging cloud support. |
| AWS Nitro Enclaves | Cloud-native enclave | Isolated EC2 enclaves with no persistent storage, no external networking. Attestation via AWS KMS. AWS-specific. |
| Google Confidential Space | Container-based confidential computing | Runs container workloads in AMD SEV-SNP. Integrates with Google Cloud Attestation and Workload Identity Federation. |
Attestation — Proving the Enclave is Trusted
Attestation is what makes TEEs genuinely trustworthy
# Simplified attestation flow using Intel SGX + DCAP
# Real implementation uses gramine, Open Enclave SDK, or Fortanix EDP
# 1. Request a quote from the enclave
from sgx import Enclave
enclave = Enclave("my_secure_app.signed.so")
quote = enclave.get_quote() # Signed by Intel SGX hardware
# 2. Verify the quote with Intel PCCS (Provisioning Certificate Caching Service)
import requests
response = requests.post(
"https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report",
json={"isvEnclaveQuote": quote.base64()},
headers={"Ocp-Apim-Subscription-Key": INTEL_API_KEY}
)
attestation_report = response.json()
# 3. Verify the attestation report
assert attestation_report["isvEnclaveQuoteStatus"] == "OK"
assert attestation_report["platformInfoBlob"]["tcbStatus"] == "UP_TO_DATE"
# What you've now verified:
# - The enclave contains exactly the code you compiled (MRENCLAVE hash matches)
# - It's running on a genuine Intel SGX processor
# - The firmware has no known vulnerabilities (TCB is up to date)
# 4. Now safe to establish a TLS channel and send sensitive data
enclave.establish_secure_channel()
enclave.send_secret_data(sensitive_payload)Use Cases for Confidential Computing
Multi-Party Computation
Multiple organizations compute on combined datasets without revealing raw data to each other. Example: banks collaborating on fraud detection models using combined transaction data without exposing customer records to competitors.
AI Model Protection
Run AI inference on sensitive data (medical imaging, financial records) without exposing either the patient data or the proprietary model weights to the cloud provider. The TEE sees both — no one else does.
Regulated Data Processing
Process HIPAA-regulated medical records or GDPR-sensitive personal data in public cloud without violating data residency and access requirements. Attestation provides the audit trail for compliance.
Cryptocurrency Key Management
Store and sign transactions with private keys that never leave the TEE — even in memory. Coinbase, Anchorage, and institutional custodians use TEEs for this to prevent insider theft and server compromise.
Federated Learning Privacy
Train ML models across distributed data sources. Each participant's gradient updates are computed in a TEE — the aggregation server sees encrypted gradients, preventing reverse-engineering of training data.
Secure Database Queries
Query encrypted databases where the query planner runs inside a TEE. The planner decrypts only the data needed for the query result, then re-encrypts. Examples: CipherCore, Microsoft Always Encrypted with secure enclaves.
Cloud Provider Support
| Item | Cloud Provider | Confidential Computing Offering |
|---|---|---|
| Microsoft Azure | Most mature offering | Confidential VMs (AMD SEV-SNP, Intel TDX), Confidential Containers (AKS), Azure Attestation Service, SGX VMs (DCsv3 series) |
| Google Cloud | Strong AMD SEV integration | Confidential VMs (AMD SEV-SNP), Confidential GKE Nodes, Confidential Space (container workloads), Confidential Dataflow |
| AWS | Nitro-based architecture | AWS Nitro Enclaves (isolated EC2 partitions), Nitro System hardware security, AWS KMS integration for attestation |
| IBM Cloud | LinuxONE + SGX | Hyper Protect Services (LinuxONE), SGX-enabled bare metal, Hyper Protect DBaaS (confidential managed DB) |