Gramine (formerly Graphene) is an open-source library operating system that enables unmodified, off-the-shelf Linux applications to run inside Intel SGX enclaves without recompilation. It translates standard POSIX system calls into platform-specific logic, allowing complex workloads like Python, R, and Apache to execute securely within a hardware-protected memory region, isolated from the host operating system.
Glossary
Gramine

What is Gramine?
Gramine is a lightweight library OS that bridges the gap between unmodified Linux applications and the constrained execution environment of Intel SGX enclaves.
By providing a minimal Trusted Computing Base (TCB) with a manifest-based configuration, Gramine minimizes the attack surface while maximizing compatibility. It handles enclave dynamic memory management, multi-process threading, and encrypted I/O, making it a critical tool for deploying confidential AI inference and secure data processing pipelines without modifying existing application code.
Key Features of Gramine
Gramine bridges the gap between unmodified Linux applications and the constrained Intel SGX enclave environment, providing a lightweight library OS that translates standard POSIX APIs into enclave-compatible system calls.
Unmodified Application Support
Gramine enables legacy and complex applications to run inside SGX enclaves without source code modifications. It intercepts standard POSIX system calls and translates them into enclave-safe operations.
- Run Python, Java, and C/C++ applications as-is
- Supports multi-process applications via inter-process communication
- Handles dynamic loading of shared libraries inside the enclave
- Compatible with glibc and musl C libraries
Manifest-Based Configuration
Gramine uses a declarative manifest file to define the enclave's security properties, resource limits, and trusted files. This manifest acts as the enclave's constitution, specifying exactly what the application can access.
- Defines trusted vs. untrusted filesystem paths
- Controls environment variables and command-line arguments
- Sets enclave memory limits and thread counts
- Specifies SGX security flags like debug mode and EPC size
- The manifest is included in the enclave measurement for attestation
Shielded Execution Model
Gramine implements a split architecture where the application runs inside the enclave while a small untrusted shim handles interactions with the host OS. This minimizes the Trusted Computing Base (TCB).
- Application code and data remain encrypted in memory
- Host OS, hypervisor, and root user cannot inspect enclave memory
- System calls are marshalled across the enclave boundary securely
- Protects against privileged software attacks from the host
Encrypted I/O and Sealing
Gramine provides transparent encryption for all data that leaves the enclave boundary, ensuring that files written to disk and network communications remain protected.
- Enclave sealing binds encrypted data to the enclave's cryptographic identity
- Supports sealing to the enclave identity or the platform's sealing authority
- Protected files feature encrypts files transparently on read/write
- Enables secure persistent storage without trusting the host filesystem
Remote Attestation Integration
Gramine integrates with Intel's Enhanced Privacy ID (EPID) and Data Center Attestation Primitives (DCAP) to enable remote parties to cryptographically verify the enclave's identity and integrity before exchanging secrets.
- Generates cryptographic quotes signed by the SGX hardware
- Supports RA-TLS for embedding attestation evidence in TLS certificates
- Enables secret provisioning workflows where keys are released only to verified enclaves
- Compatible with Microsoft Azure Attestation and Intel SGX Attestation Service
Language and Framework Compatibility
Gramine supports a wide range of language runtimes and frameworks out of the box, making it suitable for modern AI and cloud-native workloads without rewriting application logic.
- Python with NumPy, PyTorch, and TensorFlow for confidential ML inference
- Java and JVM-based applications
- Node.js and JavaScript runtimes
- Go and Rust compiled binaries
- Redis and Memcached for encrypted in-memory caching
- Nginx and Apache for confidential web serving
Frequently Asked Questions
Clear, technically precise answers to the most common questions about running unmodified applications inside Intel SGX enclaves using the Gramine Library OS.
Gramine (formerly Graphene) is a lightweight library OS that enables unmodified Linux applications to execute inside Intel SGX enclaves without requiring manual code adaptation. It works by intercepting standard POSIX API calls from the application and translating them into a secure, enclave-compatible execution flow. Gramine provides a libOS that runs entirely in user space, implementing a minimal set of system call handlers, memory management, and file system abstractions inside the enclave. When an application issues a read() or write() call, Gramine's shim layer marshals the request, exits the enclave through a controlled OCALL interface, executes the necessary host-level operation, and securely re-enters the enclave with the result. This architecture bridges the gap between the constrained SGX programming model—which normally requires applications to be partitioned into trusted and untrusted components—and standard, unmodified binaries. Gramine supports multi-process applications, fork(), and signal handling, making it one of the most complete solutions for lifting legacy workloads into confidential computing environments without a rewrite.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and complementary technologies that form the foundation of Gramine's library OS approach to confidential computing.
Attestation
The cryptographic handshake that proves an enclave is genuine. Gramine integrates with Intel's Enhanced Privacy ID (EPID) and Data Center Attestation Primitives (DCAP) to generate verifiable evidence that:
- The enclave code matches a known measurement (hash)
- The hardware is authentic Intel silicon
- No tampering has occurred Remote parties use this to establish trust before sending secrets into the enclave.
Enclave Sealing
Gramine provides APIs for sealing data to persistent storage. Sealing encrypts data with a key derived from the enclave's identity and the CPU's Root Seal Key, ensuring:
- Only the same enclave on the same platform can decrypt it
- Data at rest is cryptographically bound to the enclave
- The host OS cannot read sealed blobs This enables stateful confidential applications that survive restarts.
Side-Channel Resistance
Gramine must contend with SGX's exposure to side-channel attacks like L1 Terminal Fault (L1TF) and Microarchitectural Data Sampling (MDS). The library OS implements mitigations including:
- Retpoline and LFENCE-based indirect branch control
- Page table isolation to prevent host snooping
- Constant-time cryptographic operations
- Integration with Intel's microcode patches Understanding these defenses is critical for security-sensitive deployments.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us