Confidential Computing
Aleph Cloud supports confidential virtual machines, secured with AMD SEV (Secure Encrypted Virtualization). This technology is also known as TEE (Trusted Execution Environment) and provides enhanced security for your workloads.
What is Confidential Computing?
Confidential computing is a cloud computing technology that isolates sensitive data in a protected CPU environment during processing. With confidential computing on Aleph Cloud:
- Both the memory (RAM) and the disk are fully encrypted by the CPU
- No one can see what happens in a virtual machine from the outside, not even the node operator
- Your data and code remain private and secure throughout the entire computation process
- The integrity of your application is protected against tampering
How It Works
Aleph Cloud's confidential computing implementation uses AMD SEV technology to create a hardware-based trusted execution environment:
- The CPU generates encryption keys that are not accessible to the operating system or hypervisor
- All data in RAM is encrypted and decrypted in real-time by the CPU
- The disk image is encrypted before being deployed to the network
- The virtual machine boots in a secure environment with encrypted memory and storage
- Even with root access to the host machine, operators cannot access the data inside the VM
Use Cases
Confidential computing is ideal for applications that process sensitive data:
- Financial applications handling transaction data
- Healthcare applications processing patient information
- Applications working with intellectual property or trade secrets
- Blockchain validators and nodes requiring enhanced security
- Multi-party computation where data privacy is essential
Getting Started with Confidential Computing
To use confidential computing on Aleph Cloud, you'll need to:
- Understand the requirements
- Create an encrypted disk image
- Deploy a confidential instance on Aleph Cloud
Requirements
To create a confidential virtual machine, you'll need:
- A Linux system on x86_64 architecture (not Mac) with IPv6 connectivity
- The following software installed:
- aleph-client command-line tool
- sevctl tool from AMD
- An OpenSSH keypair
- An IPFS Server
- Optional: Qemu to test your VM locally
For detailed installation instructions for these requirements, see the full requirements guide.
Creating an Encrypted Disk Image
The process involves:
- Creating a base disk image
- Installing your application and dependencies
- Encrypting the disk with AMD SEV keys
- Uploading the encrypted image to IPFS
For step-by-step instructions, see the encrypted disk creation guide.
Deploying a Confidential Instance
Once your encrypted disk image is ready, you can deploy it on Aleph Cloud:
- Create a VM instance with the confidential flag enabled
- Specify your encrypted disk image
- Configure networking and other parameters
- Deploy and access your secure instance
For detailed deployment instructions, see the confidential instance creation guide.
Limitations and Considerations
- Confidential computing is currently in beta on Aleph Cloud
- Only AMD SEV is supported (Intel SGX support is planned for future releases)
- There is a small performance overhead compared to regular VMs
- The initial setup process is more complex than standard VMs
Troubleshooting
If you encounter issues with confidential computing, refer to our troubleshooting guide for common problems and solutions.