Inferensys

Glossary

Data-in-Use Protection

The security practice of encrypting data while it is actively being processed in memory, closing the final vulnerability gap left by protecting data at rest and in transit.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
CONFIDENTIAL COMPUTING

What is Data-in-Use Protection?

Data-in-use protection is the security practice of encrypting and isolating data while it is actively being processed in a system's main memory (RAM), closing the vulnerability gap left by protecting data at rest (storage) and in transit (network).

Data-in-use protection addresses the critical security vulnerability that occurs when sensitive information is decrypted for active computation. Traditional encryption safeguards data at rest on hard drives and in transit across networks, but leaves it exposed in plaintext within memory during processing. This exposure creates an attack surface exploitable by malicious insiders, compromised operating systems, or rogue hypervisors. Confidential Computing solves this by performing computation within a hardware-enforced Trusted Execution Environment (TEE), ensuring data remains encrypted even in RAM.

The core mechanism relies on a hardware root of trust embedded in the processor, which creates an isolated memory region called an enclave. Data is only decrypted inside this enclave and remains invisible to the host operating system, hypervisor, and other applications. Attestation cryptographically verifies the enclave's identity and integrity before secrets are provisioned, ensuring the environment is genuine. This protects sensitive workloads—such as financial analysis, medical diagnostics, and private inference for AI models—from unauthorized access during their most vulnerable state.

CONFIDENTIAL COMPUTING

Key Features of Data-in-Use Protection

Data-in-use protection closes the final security gap by encrypting data while it is actively processed in memory. These hardware-enforced mechanisms ensure confidentiality and integrity even against privileged attackers.

01

Hardware-Enforced Memory Encryption

The foundational mechanism that transparently encrypts data as it moves between the processor cache and main memory (RAM). Unlike software-based encryption, this is performed by a dedicated memory encryption engine integrated into the CPU's memory controller.

  • Total Memory Encryption (TME): Encrypts all data leaving the processor package with a single ephemeral key, protecting against cold-boot and DIMM-sniffing attacks.
  • Multi-Key Total Memory Encryption (MKTME): Extends TME to support multiple encryption keys, allowing different virtual machines or enclaves to be isolated with unique cryptographic keys.
  • Secure Encrypted Virtualization (SEV): AMD's implementation that encrypts VM memory with a key unique to each guest, preventing the hypervisor from accessing plaintext data.
< 1%
Typical Performance Overhead
02

Cryptographic Attestation

A protocol that allows a Trusted Execution Environment to prove its identity, integrity, and security posture to a remote relying party before any secrets are provisioned. Attestation establishes a hardware root of trust that anchors the entire security chain.

  • Local Attestation: Two enclaves on the same platform verify each other's identity and integrity before establishing a secure communication channel.
  • Remote Attestation: An enclave generates a cryptographically signed report (a quote) containing its measurement hash, which a remote verifier validates against a trusted reference.
  • DCAP (Data Center Attestation Primitives): Intel's infrastructure allowing enterprises to run their own attestation services without depending on Intel's cloud-hosted verification, enabling scalable privacy-preserving deployment.
Cryptographic
Trust Establishment
03

Enclave Isolation Boundaries

A hardware-enforced boundary that carves out a private region of memory—an enclave—inaccessible to any software outside it, including the operating system, hypervisor, and even other enclaves.

  • SGX Enclave Page Cache (EPC): A dedicated, encrypted memory region where enclave code and data reside. Access violations trigger hardware-level faults.
  • AMD SEV-SNP Reverse Map Table: A hardware structure that prevents the hypervisor from remapping guest memory pages, blocking malicious page-table manipulation attacks.
  • ARM CCA Realm: A dynamically created, hardware-backed address space that isolates sensitive workloads from the hypervisor, managed by a new security abstraction layer called the Realm Management Monitor (RMM).
04

Data Sealing and Persistence

A mechanism that cryptographically binds data to a specific enclave's identity, allowing sensitive information to be securely persisted to untrusted storage and retrieved only by the exact same enclave on the same platform.

  • Seal Key Derivation: The enclave derives a unique encryption key from its MRENCLAVE (code identity) or MRSIGNER (author identity) fused with a hardware-embedded root key.
  • Identity Binding: Sealing to MRENCLAVE ensures only the exact same code version can unseal; sealing to MRSIGNER allows updates from the same vendor to access persisted data.
  • Monotonic Counters: Hardware-backed counters prevent rollback attacks, ensuring an attacker cannot restore an old sealed data blob to bypass security patches.
05

Side-Channel Attack Mitigations

Defensive techniques that neutralize information leakage through physical side channels—timing variations, power consumption, or electromagnetic emissions—that could otherwise extract secrets from a theoretically secure enclave.

  • Constant-Time Programming: Algorithms designed to execute in identical cycles regardless of input values, eliminating timing-based oracle attacks on cryptographic operations.
  • Speculative Execution Barriers: Instructions like LFENCE that serialize execution and prevent speculative side-channel attacks (e.g., Spectre, Meltdown) from leaking enclave secrets.
  • Ciphertext Integrity Verification: AMD SEV-SNP's VM-Provided Memory Encryption adds an integrity tree that detects ciphertext tampering, preventing malicious hypervisors from launching replay or remapping attacks.
06

Confidential AI Workloads

The application of data-in-use protection to machine learning pipelines, ensuring that proprietary models, sensitive training data, and user inference inputs remain confidential during active computation.

  • Private Inference: A client's input data and the server's model weights remain mutually confidential during inference, with both decrypted only inside an attested enclave.
  • Model Protection: Encrypted model weights are decrypted exclusively within the TEE, preventing intellectual property theft by cloud operators or malicious insiders.
  • NVIDIA Confidential Computing: Extends TEE protections to GPU-accelerated workloads, enabling secure AI training and inference on protected data with hardware-enforced isolation between the CPU and GPU memory spaces.
DATA-IN-USE PROTECTION

Frequently Asked Questions

Clear, technical answers to the most common questions about protecting data during active processing within Trusted Execution Environments.

Data-in-use protection is the security practice of encrypting data while it is actively being processed in a system's main memory (RAM), closing the final vulnerability gap left by protecting data at rest (on disk) and data in transit (across a network). It works by leveraging hardware-enforced Trusted Execution Environments (TEEs) , also known as secure enclaves. A TEE creates an isolated, encrypted region within the processor where application code and its data are decrypted and processed, remaining invisible and inaccessible to the host operating system, hypervisor, and even the cloud provider. This is achieved through runtime encryption, where the memory pages belonging to the enclave are transparently encrypted and integrity-protected by a dedicated hardware memory controller, ensuring that sensitive computations like AI inference on proprietary models remain confidential.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.