Looking for enclaive's confidential multi-cloud solution. Click here.
Confidential Compute Containers for the cloud
Confidential Computing is a new programming paradigm enabling the development of data-in-use encrypted and authenticated applications in any on-premise, private or public cloud environment. Through hardware-graded cryptography, containerized applications are isolated from running on the same physical platform in light of an untrusted or compromised underlying host software stack.
Technology Features
In-Use Memory Encryption
Confidential Containers leverage modern x86 processor architectures enriched with cryptographic algorithms, dedicated key storage registers and a memory management unit with the special ability to allocate physical memory for encrypted processes, called enclaves.
Once a container is loaded into encrypted memory, the CPU exclusively has the ability to decrypt instructions from the memory. The key material is generated at random during boot and is stored in special registers inaccessible to software. Before a write-back to memory occurs, the CPU re-encrypts the result.
The ideal use case for memory encryption is black-boxing variables, data, code, files or APIs throughout the runtime, such as querying a database or a ML network.
Remote Attestation
In untrusted execution environments memory encryption is insufficient. Malicious environments may replace the container before execution. To this end, confidential containers have a unique cryptographic identity obtained from the author during build.
Local attestation is a cryptographic protocol to locally verify the container identity. The CPU takes the role of a trusted auditor and measures the fingerprint of the enclaved application.
Remote attestation goes one step further and allows a remote user to authenticate the container. The protocol resembles the concept of local attestation to generate a cryptographic report with the aim of proving to a remote party the platform has executed the right container.
The ideal use case for remote attestation is the assurance of proper container execution in cloud environments and compliance with regulations/security standards (e.g. ISO/IEC 27001, GDPR).
Key Provisioning & Management
Confidential containers load a program into the memory before execution. While remote attestation safeguards the authenticity and integrity, the approach does not prevent the untrusted environment from scrutinizing the container image and reverse-engineering secrets.
A rule of thumb is to load confidential containers into encrypted memory without secrets, and provision with a remotely attested secure channel protocol secrets into the enclaive. A key management server first remotely attests the confidential and proper execution of the container, before establishing a secure connection into the enclave.
The ideal use case is to transport secrets, set variables, or update files in an enclave.
Are you excited and interested to try out?
Get started with the Community Edition
Confidential vs. Non-Confidential Container
In the last decade, container technologies have established and simplified the deployment, integration and management of software in the cloud. In fact, they are the cornerstone in the development of cloud applications. Confidential Compute Containers are the natural evolution, compatible with DevOps best practice like Docker and Kubernetes, however they add some important functionality:
- in-memory encrypted execution to conceal data and code
- encrypted and authenticated (shared) volume/files to persistently store data
- container authentication to identify the author and content
- container attestation to remotely verify the container identity
- container (secret) provisioning to update the volume
| Standard | Enclaived | ||
|---|---|---|---|
|
Container Execution |
|
|
|
|
Container Encrypted Execution |
|
|
|
|
File/volume |
|
|
|
|
File/volume Authentication |
|
|
|
|
File/volume Encryption |
|
|
|
|
Container Authenication |
|
|
|
|
Container Attestation |
|
|
|
|
Container (Secret) Provisioning |
|
|
|
Build Confidential Apps
Building confidential compute applications has never been easier with enclaive’s container portfolio, covering “the base” of the open source stack. From servers and database to backend runtimes, enclaive’s containers ease the development of Web, mobile and cloud applications and reduce the entry barrier for the deployment in a zero-trust infrastructure while giving data and code the safest harbour.
Adopt Confidential Containers at Scale with enclaive
Available self-hosted or in the cloud, see how it works.