Inferensys

Glossary

Confidential Computing

A hardware-based security paradigm that protects data in use by performing computation within a hardware-based Trusted Execution Environment (TEE), isolating sensitive data and code from the host operating system, hypervisor, and cloud provider infrastructure.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
HARDWARE-BASED DATA PROTECTION

What is Confidential Computing?

Confidential Computing is a hardware-based security paradigm that protects data in use by performing computation within a hardware-based Trusted Execution Environment (TEE), isolating sensitive workloads from the host operating system, hypervisor, and cloud infrastructure providers.

Confidential Computing protects data in use—the third and historically most vulnerable state of the data lifecycle—by encrypting it within a CPU-enforced Trusted Execution Environment (TEE). Unlike encryption for data at rest or in transit, this hardware-isolated enclave prevents even a compromised operating system, hypervisor, or cloud administrator from accessing the code or data being processed, ensuring runtime confidentiality and integrity.

The TEE provides cryptographic attestation, a mechanism that verifies to a remote party that the correct, untampered code is running inside the enclave before any secrets are released. This enables multi-party data collaboration scenarios—such as federated analytics across competing organizations—where sensitive datasets can be jointly processed without any party exposing raw data to another, satisfying strict data sovereignty and regulatory requirements.

HARDWARE-BASED DATA PROTECTION

Core Properties of Confidential Computing

Confidential Computing protects data in use—during active computation—by isolating it within a hardware-based Trusted Execution Environment (TEE). This prevents unauthorized access even from the host operating system, hypervisor, or cloud provider administrators.

01

Hardware-Grade Memory Isolation

The CPU creates a private, encrypted enclave within main memory that is inaccessible to all other software, including the OS kernel and hypervisor.

  • Enclave Page Cache (EPC): A dedicated, encrypted memory region reserved exclusively for TEE operations
  • Hardware-enforced boundaries: Any attempt by non-enclave code to read enclave memory triggers a processor-level access violation
  • Example: Intel SGX allocates up to 512MB of private memory per enclave, while AMD SEV encrypts entire virtual machines with per-VM keys
02

Runtime Data Encryption

Unlike traditional encryption that protects data at rest (storage) and in transit (network), Confidential Computing encrypts data in use within the CPU itself.

  • Transparent encryption engine: A dedicated on-die memory controller automatically encrypts and decrypts data as it moves between cache and RAM
  • Per-enclave encryption keys: Each TEE instance gets unique keys, preventing cross-enclave data leakage
  • Example: AMD SEV-ES encrypts all CPU register state when a VM stops, preventing the hypervisor from inspecting guest register values
03

Remote Attestation

A cryptographic mechanism that allows a remote party to verify that the correct, untampered code is running inside a genuine TEE before sending secrets.

  • Hardware-signed measurement: The CPU generates a cryptographic hash of the enclave's initial code and data, signed by a key fused into the processor at manufacture
  • Attestation report: Contains the enclave's identity, code measurement, and TCB version, verifiable against the hardware vendor's public key infrastructure
  • Example: Intel's Enhanced Privacy ID (EPID) allows anonymous attestation without revealing the specific processor's identity
04

Minimal Trusted Computing Base (TCB)

Confidential Computing radically reduces the attack surface by excluding the operating system, hypervisor, and cloud provider from the trust boundary.

  • TCB components: Only the application code, the TEE firmware, and the processor itself must be trusted
  • Excluded from TCB: Host OS, device drivers, orchestration layers, and cloud administrator tools
  • Security implication: Even a fully compromised host OS cannot read enclave memory or tamper with computation
  • Example: AWS Nitro Enclaves have no persistent storage, no interactive access, and no external networking—only a vsock for secure local communication
05

Data-in-Use Integrity Protection

Beyond confidentiality, TEEs provide cryptographic integrity guarantees that prevent silent data corruption or tampering during computation.

  • Memory integrity tree: A Merkle tree structure verifies that data read from encrypted memory has not been modified, replayed, or reordered by a physical attacker
  • Replay protection: Hardware counters prevent an attacker from substituting current data with a previously valid encrypted memory state
  • Example: Intel SGX2 and TDX implement integrity protection that detects bus-level snooping and cold-boot attacks on memory contents
06

Code Confidentiality

TEEs protect not only the data being processed but also the proprietary algorithms and models operating on that data.

  • Encrypted code loading: Application binaries are decrypted only inside the enclave, preventing reverse engineering by the host
  • IP protection for ML models: Neural network weights and architecture remain opaque to infrastructure operators
  • Example: Financial institutions use Confidential Computing to run proprietary trading algorithms on sensitive client data without exposing either the model or the data to the cloud provider
DATA PROTECTION COMPARISON

Confidential Computing vs. Other Encryption States

How hardware-based TEEs compare to other encryption methods across the three states of data: at rest, in transit, and in use.

FeatureConfidential ComputingEncryption at RestEncryption in Transit

Data state protected

Data in use (memory/CPU)

Data at rest (storage)

Data in transit (network)

Protection mechanism

Hardware-based TEE (e.g., Intel SGX, AMD SEV)

Disk/volume encryption (e.g., AES-256)

Transport layer encryption (e.g., TLS 1.3)

Protects against host OS compromise

Protects against hypervisor compromise

Protects against cloud provider access

Protects against physical disk theft

Protects against network interception

Hardware root of trust required

CONFIDENTIAL COMPUTING CLARIFIED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about hardware-based Trusted Execution Environments and their role in protecting data in use.

Confidential computing is a hardware-based security paradigm that protects data in use by performing computation within a hardware-based Trusted Execution Environment (TEE). Unlike traditional encryption that protects data at rest (storage) and in transit (network), confidential computing isolates sensitive workloads from the host operating system, hypervisor, and even cloud providers. The TEE—implemented via technologies like Intel SGX, AMD SEV-SNP, or Arm CCA—creates a secure enclave in the CPU where code and data are decrypted only inside the processor. This hardware-enforced isolation ensures that even a compromised kernel or a malicious insider with physical access cannot exfiltrate plaintext data. The process involves:

  • Attestation: A cryptographic mechanism where the TEE generates a signed report proving its identity and that the correct code is loaded, verifiable by a remote party before any secrets are released.
  • Memory encryption: The CPU automatically encrypts enclave memory pages, preventing DRAM snooping or cold-boot attacks.
  • Sealing: Data can be encrypted to a specific enclave's identity, ensuring it can only be decrypted by that exact code on that exact CPU.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.