A Confidential Service Mesh is a service-to-service networking layer where every proxy and workload runs within a Trusted Execution Environment (TEE). This architecture guarantees that all east-west traffic is encrypted and mutually authenticated via cryptographic identity, while the data in use—including request payloads and TLS session keys—is shielded from the underlying host operating system, hypervisor, and cloud provider.
Glossary
Confidential Service Mesh

What is Confidential Service Mesh?
A Confidential Service Mesh extends the standard service mesh architecture by executing sidecar proxies and application workloads inside hardware-based Trusted Execution Environments (TEEs), ensuring that all inter-service communication is encrypted and mutually authenticated while data remains protected during processing.
By integrating attestation into the service identity framework, a Confidential Service Mesh ensures that only verified, untampered workloads can join the mesh. Technologies like SPIRE provide attestation-based cryptographic identities, while hardware roots of trust such as Intel TDX or AMD SEV-SNP enforce memory encryption, creating a zero-trust communication fabric where no infrastructure layer can inspect or modify data in transit or during processing.
Key Features of a Confidential Service Mesh
A Confidential Service Mesh extends traditional service mesh architectures by executing workloads within hardware-based Trusted Execution Environments (TEEs), ensuring data-in-use encryption and cryptographic isolation for inter-service communication.
Enclave-Native Sidecar Proxies
Traditional service mesh sidecars run as privileged containers on the host OS, exposing them to kernel-level attacks. In a confidential mesh, the Envoy proxy or a lightweight equivalent executes inside the same TEE enclave as the application container. This co-location ensures that TLS termination, mTLS handshakes, and request decryption occur within the hardware-protected boundary. The sidecar's private keys are sealed to the enclave's identity, making them inaccessible to the host operating system, hypervisor, or cloud provider. This architecture eliminates the sidecar as an attack vector for intercepting plaintext service-to-service traffic.
Attestation-Gated mTLS
Mutual TLS in a confidential mesh is augmented with hardware attestation as a precondition for connection establishment. Before a TLS handshake completes, each sidecar presents a cryptographic attestation report—signed by the CPU manufacturer—that proves:
- The exact enclave code hash (measurement) running
- The TEE hardware's authenticity and firmware version
- The security configuration of the execution environment
A centralized attestation service or SPIRE agent validates these reports. If attestation fails, the connection is refused at the network layer, preventing untrusted or compromised workloads from joining the mesh.
Encrypted Service-to-Service Channels
All inter-service communication traverses TLS 1.3 tunnels with cipher suites that leverage hardware-accelerated encryption. The session keys for these tunnels are generated and stored exclusively within the enclave's encrypted memory pages. This provides defense-in-depth: even if an attacker compromises the host kernel and captures raw network packets, they observe only ciphertext. The mesh enforces strict east-west traffic encryption with automatic certificate rotation, where private keys never leave the TEE boundary. This is distinct from standard mesh encryption, where keys reside in host memory accessible to privileged users.
Policy Enforcement Inside the TEE
Authorization policies—such as which services can call a billing API or access a PII database—are evaluated inside the enclave rather than in a host-level sidecar. The policy engine runs as part of the attested workload, ensuring that:
- Policy decisions cannot be tampered with by the infrastructure operator
- Audit logs of access decisions are cryptographically signed by the enclave
- Fine-grained claims (OAuth scopes, SPIFFE IDs) are validated in a trusted context
This moves the policy decision point from the infrastructure layer to the application's trusted computing base, closing a gap where a compromised host could silently disable authorization checks.
Confidential Service Discovery
Service discovery in a confidential mesh must not leak the topology or existence of sensitive services to the underlying platform. The mesh uses encrypted DNS and gossip protocols that operate within the TEE boundary. Service endpoints are registered with attestation-bound identities, and the discovery cache is maintained in enclave memory. This prevents the cloud provider or a network observer from enumerating the microservices running in a confidential cluster. Integration with SPIRE ensures that only attested workloads can register or resolve service names, preventing spoofing attacks on the discovery mechanism.
Sealed Secret Management
TLS certificates, API tokens, and database credentials are delivered to the mesh sidecar only after successful attestation. A Confidential Key Management Service releases secrets directly into the enclave's memory over a secure channel. The secrets are then sealed to the enclave's identity for persistent caching, meaning they can only be decrypted by the exact same workload on the exact same CPU. This eliminates the risk of secrets being extracted from environment variables, Kubernetes secrets, or configuration files by a compromised host. Secret rotation occurs automatically without any plaintext exposure to the infrastructure layer.
Standard Service Mesh vs. Confidential Service Mesh
A technical comparison of traditional service mesh architectures against confidential service meshes that leverage Trusted Execution Environments to protect data in use across microservice communication.
| Feature | Standard Service Mesh | Confidential Service Mesh |
|---|---|---|
Data-in-Transit Encryption | mTLS between sidecar proxies | mTLS between sidecar proxies |
Data-in-Use Protection | Encrypted within TEE enclave memory | |
Host/Hypervisor Access to Workload Memory | Full visibility by host OS | Hardware-enforced isolation from host |
Attestation of Workload Identity | Cryptographic attestation of enclave measurement | |
Sidecar Proxy Trust Model | Proxy runs in host user space | Proxy executes inside TEE enclave |
Key Material Exposure to Infrastructure Provider | Keys accessible to cloud operator | Keys sealed to enclave identity |
Compliance with Zero-Trust Data-in-Use Requirements | ||
Representative Technologies | Istio, Linkerd, Consul Connect | Istio + Gramine/AMD SEV-SNP, Confidential Containers |
Frequently Asked Questions
Explore the core concepts behind securing inter-service communication within Trusted Execution Environments, ensuring data-in-use protection across distributed microservice architectures.
A Confidential Service Mesh is a service mesh architecture where inter-service communication is encrypted and mutually authenticated, with each microservice workload running inside a hardware-based Trusted Execution Environment (TEE) . It extends the traditional service mesh by ensuring that data is protected not only in transit via mTLS but also while in use within CPU memory. The mesh operates by injecting a sidecar proxy into each enclave, which enforces fine-grained access policies based on cryptographic attestation evidence rather than just network identity. This guarantees that a service can only communicate with another service if it can cryptographically prove it is running the correct code inside a genuine, untampered TEE, effectively eliminating the host operating system and cloud provider from the trust boundary.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
A Confidential Service Mesh integrates hardware-based Trusted Execution Environments with service mesh networking. The following concepts are essential for understanding the architecture, attestation, and cryptographic isolation required to protect data in use across distributed microservices.
Side-Channel Resistance
Defensive techniques that prevent attackers from extracting secrets by observing physical side effects of computation within a Confidential Service Mesh. Even though memory is encrypted, subtle leaks through timing, power consumption, or cache access patterns can reveal sensitive data.
- Constant-time cryptographic algorithms eliminate timing variations
- Cache partitioning prevents cross-enclave interference
- Hardware mitigations in Intel TDX and AMD SEV-SNP address speculative execution attacks
Enclave-Aware Key Management Service
A Confidential KMS releases decryption keys only to workloads that have successfully attested their identity and integrity. The KMS validates the enclave measurement against a policy before unwrapping a key. This ensures secrets are only accessible inside verified Trusted Execution Environments.
- Binds keys to specific enclave identities
- Prevents the host or hypervisor from accessing plaintext secrets
- Essential for securing TLS private keys and data encryption keys in the mesh
Enclave-Aware Scheduler
A Kubernetes scheduler extension that understands the hardware requirements and security constraints of Trusted Execution Environments. It places enclave workloads only on nodes with compatible TEE capabilities, such as Intel SGX or AMD SEV-SNP, and respects node-level attestation status.
- Prevents scheduling confidential pods on non-TEE nodes
- Integrates with device plugins for TEE resource advertising
- Ensures the mesh control plane only routes to verified enclaved endpoints

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us