Confidential Computing and the Public Cloud

Eyal Estrin
Cloud Computing
November 10, 2020

Introduction to data encryption

To protect data stored in the cloud, we usually use one of the following methods:

·        Encryption at transit – Data transferred over the public Internet can be encrypted using the TLS protocol. This method prohibits unwanted participants from entering the conversation.

·        Encryption at rest – Data stored at rest, such as databases, object storage, etc., can be encrypted using symmetric encryption which means using the same encryption key to encrypt and decrypt the data. This commonly uses the AES256 algorithm.


When we wish to access encrypted data, we need to decrypt the data in the computer’s memory to access, read and update the data.

This is where confidential computing comes in – trying to protect the gap between data at rest and data at transit.

Confidential Computing uses hardware to isolate data. Data is encrypted in use by running it in a trusted execution environment (TEE).


As of November 2020, confidential computing is supported by Intel Software Guard Extensions (SGX) and AMD Secure Encrypted Virtualization (SEV), based on AMD EPYC processors.

Comparison of the available options



Reference Architecture

AMD SEV Architecture:


Azure Kubernetes Service (AKS) Confidential Computing:


Data-in-use protection on IBM Cloud using Intel SGX:


·        Confidential Computing: Hardware-Based Trusted Execution for Applications and Data

·        Google Cloud Confidential VMs vs Azure Confidential Computing

·        A Comparison Study of Intel SGX and AMD Memory Encryption Technology

·        SGX-hardware list

·        Performance Analysis of Scientific Computing Workloads on Trusted Execution Environments

·        Helping Secure the Cloud with AMD EPYC Secure Encrypted Virtualization

·        Azure confidential computing

·        Azure and Intel commit to delivering next generation confidential computing

·        DCsv2-series VM now generally available from Azure confidential computing

·        Confidential computing nodes on Azure Kubernetes Service (public preview)

·        Expanding Google Cloud’s Confidential Computing portfolio

·        A deeper dive into Confidential GKE Nodes—now available in preview

·        Using HashiCorp Vault with Google Confidential Computing

·        Confidential Computing is cool!

·        Data-in-use protection on IBM Cloud using Intel SGX

·        Why IBM believes Confidential Computing is the future of cloud security

·        Alibaba Cloud Released Industry's First Trusted and Virtualized Instance with Support for SGX 2.0 and TPM



Eyal Estrin

Eyal Estrin

Author, Cloud Security Architect, Public columnist, Focus onCloud & Cybersecurity

Keep Reading


Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form