Inferensys

Glossary

Confidential Persistent Storage

A storage system where data is encrypted by a Trusted Execution Environment before being written to disk, ensuring that data at rest is bound to the enclave's identity and cannot be decrypted by the host.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
SECURE DATA AT REST

What is Confidential Persistent Storage?

A storage architecture where data is encrypted by a Trusted Execution Environment (TEE) before being written to disk, cryptographically binding the data to the enclave's identity so it cannot be decrypted by the host operating system, hypervisor, or infrastructure provider.

Confidential Persistent Storage is a data storage mechanism where encryption and decryption operations occur exclusively within a hardware-based Trusted Execution Environment (TEE). Unlike standard disk encryption, which relies on keys managed by the host OS, this approach uses enclave sealing to bind ciphertext to a specific enclave's cryptographic identity. The data can only be decrypted by the exact same application running on the exact same platform, rendering it opaque to the underlying infrastructure.

This architecture is critical for sovereign AI infrastructure, ensuring that sensitive model weights, training data, and inference results remain protected throughout their lifecycle. By combining data-in-use encryption with persistent storage, organizations eliminate the storage administrator as a threat vector. The sealed data is integrity-protected against rollback and tampering, guaranteeing that only an attested, untampered enclave can access the stored secrets.

ENCLAVE-BOUND DATA AT REST

Key Features of Confidential Persistent Storage

Confidential persistent storage extends the Trusted Execution Environment's security boundary to data at rest, ensuring that encrypted data is cryptographically bound to a specific enclave's identity and cannot be decrypted by the host operating system, hypervisor, or cloud provider.

01

Enclave Sealing

The core mechanism that enables confidential persistent storage. An enclave derives a sealing key from its unique identity and the CPU's fused hardware keys. Data encrypted with this key can only be decrypted by the exact same enclave on the exact same platform.

  • Seal to Enclave Identity (MRENCLAVE): Binds data to a specific enclave code version. Updating the enclave invalidates access.
  • Seal to Signing Identity (MRSIGNER): Binds data to the enclave author's key, allowing versioned enclaves from the same vendor to decrypt.
  • Seal to Platform: Binds data to the hardware TCB, enabling migration across enclaves on the same machine.
AES-256-GCM
Standard Cipher for Sealing
02

Attestation-Backed Access

Before any sealed data is unsealed, the enclave must produce a cryptographically signed attestation report proving its identity and integrity to a key management service or local policy engine.

  • The attestation verifies the enclave's measurement, signer identity, and security version numbers.
  • A Confidential KMS releases decryption keys only after successful attestation, ensuring secrets are never exposed to untrusted environments.
  • This prevents a compromised host from impersonating a legitimate enclave to access stored data.
Hardware Root
Attestation Trust Anchor
03

Integrity and Anti-Rollback Protection

Confidential persistent storage guarantees not only confidentiality but also data integrity and freshness. An attacker with physical disk access cannot replay old sealed data or tamper with ciphertext without detection.

  • Monotonic Counters: Hardware-backed counters that increment on each write, preventing rollback to previous states.
  • MAC over Ciphertext: A Message Authentication Code is embedded with the sealed blob, ensuring any modification is detected during unsealing.
  • Version Binding: Sealed data includes the enclave's security version number (ISVSVN), preventing data sealed by a vulnerable enclave version from being read by a patched one.
05

Provisioning and Migration

For production deployments, sealed data must survive hardware failures and scale across instances. Confidential persistent storage supports secure provisioning and migration workflows.

  • Secure Provisioning: An enclave can securely transfer sealed data to a second enclave on a different machine using attested TLS channels and platform-to-platform key exchange.
  • Live Migration of CVMs: Confidential VMs can be migrated between physical hosts while preserving memory encryption and sealed storage state.
  • Backup and Restore: Sealed blobs can be backed up to external storage, but can only be decrypted by the original enclave identity or an authorized delegate.
06

Threat Model: Host as Adversary

The defining characteristic of confidential persistent storage is that the host operating system, hypervisor, and cloud provider are in the threat model. The system is designed to protect against:

  • Malicious root users reading raw disk blocks.
  • Compromised hypervisors attempting to extract encryption keys from VM memory.
  • Physical attackers with access to decommissioned drives.
  • Insider threats at the cloud provider with administrative access to storage infrastructure.

Only the enclave itself—verified by attestation—holds the ability to decrypt the data.

CONFIDENTIAL PERSISTENT STORAGE

Frequently Asked Questions

Essential questions about encrypting data at rest using Trusted Execution Environments, ensuring storage is cryptographically bound to enclave identity and invisible to the host.

Confidential Persistent Storage is a storage system where data is encrypted by a Trusted Execution Environment (TEE) before being written to disk, ensuring that data at rest is cryptographically bound to the enclave's identity and cannot be decrypted by the host operating system, hypervisor, or cloud provider. The mechanism relies on enclave sealing, where the TEE derives a unique encryption key from its own enclave measurement (a cryptographic hash of its code and configuration) and a hardware-embedded secret. When data is written, the enclave encrypts it with this sealing key before passing the ciphertext to the untrusted host for storage. Upon retrieval, the same enclave—verified through attestation—unseals the data. This guarantees that even if an attacker gains physical access to the disk or compromises the host OS, the stored data remains cryptographically opaque and tamper-evident.

ENCRYPTION COMPARISON

Confidential Persistent Storage vs. Other Encryption Methods

Comparing the security properties and operational characteristics of Confidential Persistent Storage against standard disk encryption and application-level encryption for sovereign AI workloads.

FeatureConfidential Persistent StorageFull Disk Encryption (FDE)Application-Level Encryption

Encryption Boundary

Enclave memory before write

Block device / volume

Application process

Protection from Host OS

Protection from Hypervisor

Data-in-Use Protection

Key Binding Mechanism

Enclave identity (MRENCLAVE/MRSIGNER)

TPM or passphrase

Software keystore

Attestation Required for Decryption

Granularity

Per-enclave, per-secret

Entire disk or volume

Per-field or per-record

Performance Overhead

2-8%

< 1%

5-15%

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.