Confidential Computing and the Public Cloud

Eyal Estrin ☁️
3 min readNov 9, 2020

What exactly is “confidential computing” and what are the reasons and benefits for using it in the public cloud environment?

Introduction to data encryption

To protect data stored in the cloud, we usually use one of the following methods:

· Encryption at transit — Data transferred over the public Internet can be encrypted using the TLS protocol. This method prohibits unwanted participants from entering the conversation.

· Encryption at rest — Data stored at rest, such as databases, object storage, etc., can be encrypted using symmetric encryption which means using the same encryption key to encrypt and decrypt the data. This commonly uses the AES256 algorithm.

When we wish to access encrypted data, we need to decrypt the data in the computer’s memory to access, read and update the data.

This is where confidential computing comes in — trying to protect the gap between data at rest and data at transit.

Confidential Computing uses hardware to isolate data. Data is encrypted in use by running it in a trusted execution environment (TEE).

As of November 2020, confidential computing is supported by Intel Software Guard Extensions (SGX) and AMD Secure Encrypted Virtualization (SEV), based on AMD EPYC processors.

Comparison of the available options

Reference Architecture

AMD SEV Architecture:

Azure Kubernetes Service (AKS) Confidential Computing:


· Confidential Computing: Hardware-Based Trusted Execution for Applications and Data

· Google Cloud Confidential VMs vs Azure Confidential Computing

· A Comparison Study of Intel SGX and AMD Memory Encryption Technology

· SGX-hardware list

· Performance Analysis of Scientific Computing Workloads on Trusted Execution Environments

· Helping Secure the Cloud with AMD EPYC Secure Encrypted Virtualization

· Azure confidential computing

· Azure and Intel commit to delivering next generation confidential computing

· DCsv2-series VM now generally available from Azure confidential computing

· Confidential computing nodes on Azure Kubernetes Service (public preview)

· Expanding Google Cloud’s Confidential Computing portfolio

· A deeper dive into Confidential GKE Nodes — now available in preview

· Using HashiCorp Vault with Google Confidential Computing

· Confidential Computing is cool!

· Data-in-use protection on IBM Cloud using Intel SGX

· Why IBM believes Confidential Computing is the future of cloud security

· Alibaba Cloud Released Industry’s First Trusted and Virtualized Instance with Support for SGX 2.0 and TPM

About The Author

Eyal Estrin is a cloud and information security architect, the owner of the blog Security & Cloud 24/7, with more than 20 years in the IT industry. You can connect with him on Twitter and LinkedIn



Eyal Estrin ☁️

Author | Cloud Security Architect | AWS Community Builder | Public columnist | CISSP | CCSP | CISM | CDPSE | CISA | CCSK |