Difference between revisions of "Confidential Computing"

Latest revision as of 17:12, 2 November 2025

Full Title or Meme

The Confidential Computing Consortium is a community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.

Context

Confidential Computing is but one way to create Layered Security.

Solutions

• Microsoft announces Azure Confidential Computing by Vikas Bhatia
• 2024-07-01 Process Isolation described in Privacy in EUDI by Denis Roio

PostgreSQL

Transforming PostgreSQL into a Confidential Database with Confidential Computing^[1]

Turning PostgreSQL into a confidential database means ensuring that **data remains protected even while it's being processed**—not just at rest or in transit. This is where **Confidential Computing** comes in, using **Trusted Execution Environments (TEEs)** to isolate and encrypt data during runtime.

Key Approaches

1. **Azure Confidential Computing (ACC) for PostgreSQL**

- Uses **hardware-based TEEs** (e.g., AMD SEV-SNP or Intel TDX) to isolate memory during query execution. - Data is encrypted at rest, in transit, and **in use**, shielding it from OS, hypervisor, and cloud admins. - Available via **confidential VM SKUs** in Azure Database for PostgreSQL.

1. . **Fortanix Confidential Computing Manager (CCM) on AWS Nitro**

- Deploys PostgreSQL inside **Nitro Enclaves**, which isolate workloads from the host OS. - Fortanix CCM manages enclave lifecycle, attestation, and secure image deployment. - Enables secure query execution and encrypted data handling in AWS environments.

Implementation Highlights

Benefits

• End-to-end encryption**: Data is protected throughout its lifecycle.
• Remote attestation**: Verifies enclave integrity before processing sensitive data.
• Regulatory alignment**: Supports compliance with HIPAA, GDPR, and other data protection laws.

Google Protected Computing

there is a difference: Confidential Computing is a specific technology focused on protecting data in use via hardware-based isolation, while Google’s Protected Computing is a broader privacy framework that includes Confidential Computing as one of several techniques.

Confidential Computing (General Concept)

Definition: A security model that protects data while it is being processed (i.e., in use), not just at rest or in transit.

How it works: Uses Trusted Execution Environments (TEEs)—secure, hardware-isolated environments (e.g., Intel SGX, AMD SEV).

Goal: Prevent unauthorized access to data even from privileged system software (like hypervisors or cloud providers).

Examples:

• Confidential VMs: Encrypt memory and isolate workloads.
• Confidential GKE Nodes: Extend memory encryption to Kubernetes clusters.
• Confidential Space: Enables secure multi-party computation.

Sources: Google Cloud Confidential Computing

Google’s Protected Computing (Broader Framework)

Definition: Google’s umbrella approach to privacy that includes minimizing data collection, de-identifying data, and restricting access—even from Google itself.

Components:

• Confidential Computing (as above)
• Federated Learning: Training models on-device without centralizing data.
• Differential Privacy: Adding statistical noise to protect individual data points.
• Homomorphic Encryption: Performing computations on encrypted data.
• Private Compute Core: On-device AI processing (e.g., Smart Reply, Live Translate) isolated from apps and OS.
• End-to-End Encryption: For services like Android Backup and Google VPN.

Sources: Google’s Protected Computing overview

Summary of Differences

References

1. ↑ Microsoft Azure Confidential Computing for Azure Database for PostgreSQL (Preview) https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-confidential-computing

Other Material

• Web site
• https://www.linkedin.com/company/confidential-computing/
• Confidential Computing Consortium Governance Documents