Confidential Compute Containers for the cloud

Confidential Computing is a new programming paradigm enabling the development of data-in-use encrypted and authenticated applications in any on-premise, private or public cloud environment. Through hardware-grade cryptography, containerized applications are isolated from other software running on the same physical platform, even when the underlying host software stack is untrusted or compromised.

Technology Features

In-Use Memory Encryption

Confidential Containers leverage modern x86 processor architectures enriched with cryptographic algorithms, dedicated key storage registers and a memory management unit with the special ability to allocate physical memory for encrypted processes, called enclaves.

Once a container is loaded into encrypted memory, only the CPU is able to decrypt instructions from that memory. The key material is generated at random during boot and is stored in special registers inaccessible to software. Before a write-back to memory occurs, the CPU re-encrypts the result.

The ideal use case for memory encryption is black-boxing variables, data, code, files or APIs throughout the runtime, such as querying a database or an ML network.

Remote Attestation

In untrusted execution environments, memory encryption alone is insufficient: a malicious environment may replace the container before execution. To this end, confidential containers have a unique cryptographic identity obtained from the author during build.

Local attestation is a cryptographic protocol to locally verify the container identity. The CPU takes the role of a trusted auditor and measures the fingerprint of the enclaved application.

Remote attestation goes one step further and allows a remote user to authenticate the container. The protocol resembles local attestation and generates a cryptographic report with the aim of proving to a remote party that the platform has executed the right container.

The ideal use case for remote attestation is the assurance of proper container execution in cloud environments and compliance with regulations/security standards (e.g. ISO/IEC 27001, GDPR).

Key Provisioning & Management

Confidential containers load a program into memory before execution. While remote attestation safeguards authenticity and integrity, it does not prevent the untrusted environment from scrutinizing the container image and reverse-engineering secrets.

A rule of thumb is to load confidential containers into encrypted memory without secrets, and then provision the secrets into the enclave over a remotely attested secure channel. A key management server first remotely attests the confidential and proper execution of the container before establishing a secure connection into the enclave.

The ideal use case is to transport secrets, set variables, or update files in an enclave.
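
The provisioning flow described above, as an added example that is not enclaive's code: a key server releases a secret only after checking the report's signature, the container measurement, and the binding to its own nonce and channel key. The HMAC key, image bytes, field names and secret are constructed stand-ins; real platforms sign reports with an asymmetric hardware key verified through the CPU vendor's certificate chain.

```python
import hashlib
import hmac
import os

# Constructed stand-ins (assumptions): HMAC replaces the hardware signature.
HW_KEY = b"constructed-hardware-report-key"
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"app-image-v1").hexdigest()}


def make_report(image: bytes, nonce: bytes, channel_pub: bytes) -> dict:
    """Enclave side: the CPU measures the image and signs the report."""
    measurement = hashlib.sha256(image).hexdigest()
    # report_data binds the report to this session and to the channel key
    report_data = hashlib.sha256(nonce + channel_pub).hexdigest()
    body = f"{measurement}|{report_data}".encode()
    sig = hmac.new(HW_KEY, body, hashlib.sha256).hexdigest()
    return {"measurement": measurement, "report_data": report_data, "sig": sig}


def release_secret(report: dict, nonce: bytes, channel_pub: bytes, secret: bytes) -> bytes:
    """Key server side: release the secret only to an attested container."""
    body = f"{report['measurement']}|{report['report_data']}".encode()
    expected = hmac.new(HW_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        raise PermissionError("report signature invalid")
    if report["measurement"] not in TRUSTED_MEASUREMENTS:
        raise PermissionError("unknown container measurement")
    bound = hashlib.sha256(nonce + channel_pub).hexdigest()
    if not hmac.compare_digest(bound, report["report_data"]):
        raise PermissionError("report not bound to this session or channel key")
    return secret  # in practice, sent over the channel keyed by channel_pub


def try_release(image: bytes, replayed: bool = False) -> str:
    """Run one provisioning attempt and report the outcome."""
    nonce, pub = os.urandom(16), os.urandom(32)  # constructed channel key
    report = make_report(image, os.urandom(16) if replayed else nonce, pub)
    try:
        release_secret(report, nonce, pub, b"db-password")
        return "released"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    print(try_release(b"app-image-v1"))
    print(try_release(b"tampered-image"))
    print(try_release(b"app-image-v1", replayed=True))
```

The replaced image fails on the measurement check even though its report is validly signed, and a report produced for a different nonce fails on the binding check.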

Confidential vs. Non-Confidential Container

In the last decade, container technologies have established and simplified the deployment, integration and management of software in the cloud. In fact, they are the cornerstone in the development of cloud applications. Confidential Compute Containers are the natural evolution, compatible with DevOps best practices like Docker and Kubernetes; however, they add some important functionality:

  • in-memory encrypted execution to conceal data and code
  • encrypted and authenticated (shared) volume/files to persistently store data
  • container authentication to identify the author and content
  • container attestation to remotely verify the container identity
  • container (secret) provisioning to update the volume

Standard Enclaived
Container Execution
Container Encrypted Execution
File/volume
File/volume Authentication
File/volume Encryption
Container Authentication
Container Attestation
Container (Secret) Provisioning

Build Confidential Apps

Building confidential compute applications has never been easier with enclaive’s container portfolio, covering “the base” of the open source stack. From servers and databases to backend runtimes, enclaive’s containers ease the development of Web, mobile and cloud applications and reduce the entry barrier for deployment in a zero-trust infrastructure while giving data and code the safest harbour.

MongoDB
MariaDB
ArangoDB
Redis
Nginx
Mosquitto
Rust
C#
C
C++
PHP
Python
NodeJs
Ruby
Java
Go
WordPress
Umami
Tensorflow
Pytorch
Drupal
Joomla
Magento
Typo3

Adopt Confidential Containers at Scale with enclaive

Available self-hosted or in the cloud, see how it works.
