Confidential Persistent Storage is a data storage mechanism where encryption and decryption operations occur exclusively within a hardware-based Trusted Execution Environment (TEE). Unlike standard disk encryption, which relies on keys managed by the host OS, this approach uses enclave sealing to bind ciphertext to a specific enclave's cryptographic identity. The data can only be decrypted by the exact same application running on the exact same platform, rendering it opaque to the underlying infrastructure.
Glossary
Confidential Persistent Storage

What is Confidential Persistent Storage?
A storage architecture where data is encrypted by a Trusted Execution Environment (TEE) before being written to disk, cryptographically binding the data to the enclave's identity so it cannot be decrypted by the host operating system, hypervisor, or infrastructure provider.
This architecture is critical for sovereign AI infrastructure, ensuring that sensitive model weights, training data, and inference results remain protected throughout their lifecycle. By combining data-in-use encryption with persistent storage, organizations eliminate the storage administrator as a threat vector. The sealed data is integrity-protected against rollback and tampering, guaranteeing that only an attested, untampered enclave can access the stored secrets.
Key Features of Confidential Persistent Storage
Confidential persistent storage extends the Trusted Execution Environment's security boundary to data at rest, ensuring that encrypted data is cryptographically bound to a specific enclave's identity and cannot be decrypted by the host operating system, hypervisor, or cloud provider.
Enclave Sealing
The core mechanism that enables confidential persistent storage. An enclave derives a sealing key from its unique identity and the CPU's fused hardware keys. Data encrypted with this key can only be decrypted by the exact same enclave on the exact same platform.
- Seal to Enclave Identity (MRENCLAVE): Binds data to a specific enclave code version. Updating the enclave invalidates access.
- Seal to Signing Identity (MRSIGNER): Binds data to the enclave author's key, allowing versioned enclaves from the same vendor to decrypt.
- Seal to Platform: Binds data to the hardware TCB, enabling migration across enclaves on the same machine.
Attestation-Backed Access
Before any sealed data is unsealed, the enclave must produce a cryptographically signed attestation report proving its identity and integrity to a key management service or local policy engine.
- The attestation verifies the enclave's measurement, signer identity, and security version numbers.
- A Confidential KMS releases decryption keys only after successful attestation, ensuring secrets are never exposed to untrusted environments.
- This prevents a compromised host from impersonating a legitimate enclave to access stored data.
Integrity and Anti-Rollback Protection
Confidential persistent storage guarantees not only confidentiality but also data integrity and freshness. An attacker with physical disk access cannot replay old sealed data or tamper with ciphertext without detection.
- Monotonic Counters: Hardware-backed counters that increment on each write, preventing rollback to previous states.
- MAC over Ciphertext: A Message Authentication Code is embedded with the sealed blob, ensuring any modification is detected during unsealing.
- Version Binding: Sealed data includes the enclave's security version number (ISVSVN), preventing data sealed by a vulnerable enclave version from being read by a patched one.
Provisioning and Migration
For production deployments, sealed data must survive hardware failures and scale across instances. Confidential persistent storage supports secure provisioning and migration workflows.
- Secure Provisioning: An enclave can securely transfer sealed data to a second enclave on a different machine using attested TLS channels and platform-to-platform key exchange.
- Live Migration of CVMs: Confidential VMs can be migrated between physical hosts while preserving memory encryption and sealed storage state.
- Backup and Restore: Sealed blobs can be backed up to external storage, but can only be decrypted by the original enclave identity or an authorized delegate.
Threat Model: Host as Adversary
The defining characteristic of confidential persistent storage is that the host operating system, hypervisor, and cloud provider are in the threat model. The system is designed to protect against:
- Malicious root users reading raw disk blocks.
- Compromised hypervisors attempting to extract encryption keys from VM memory.
- Physical attackers with access to decommissioned drives.
- Insider threats at the cloud provider with administrative access to storage infrastructure.
Only the enclave itself—verified by attestation—holds the ability to decrypt the data.
Frequently Asked Questions
Essential questions about encrypting data at rest using Trusted Execution Environments, ensuring storage is cryptographically bound to enclave identity and invisible to the host.
Confidential Persistent Storage is a storage system where data is encrypted by a Trusted Execution Environment (TEE) before being written to disk, ensuring that data at rest is cryptographically bound to the enclave's identity and cannot be decrypted by the host operating system, hypervisor, or cloud provider. The mechanism relies on enclave sealing, where the TEE derives a unique encryption key from its own enclave measurement (a cryptographic hash of its code and configuration) and a hardware-embedded secret. When data is written, the enclave encrypts it with this sealing key before passing the ciphertext to the untrusted host for storage. Upon retrieval, the same enclave—verified through attestation—unseals the data. This guarantees that even if an attacker gains physical access to the disk or compromises the host OS, the stored data remains cryptographically opaque and tamper-evident.
Confidential Persistent Storage vs. Other Encryption Methods
Comparing the security properties and operational characteristics of Confidential Persistent Storage against standard disk encryption and application-level encryption for sovereign AI workloads.
| Feature | Confidential Persistent Storage | Full Disk Encryption (FDE) | Application-Level Encryption |
|---|---|---|---|
Encryption Boundary | Enclave memory before write | Block device / volume | Application process |
Protection from Host OS | |||
Protection from Hypervisor | |||
Data-in-Use Protection | |||
Key Binding Mechanism | Enclave identity (MRENCLAVE/MRSIGNER) | TPM or passphrase | Software keystore |
Attestation Required for Decryption | |||
Granularity | Per-enclave, per-secret | Entire disk or volume | Per-field or per-record |
Performance Overhead | 2-8% | < 1% | 5-15% |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Confidential persistent storage depends on a chain of cryptographic primitives and hardware guarantees. The following concepts form the technical foundation for binding encrypted data to a specific enclave identity.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us