Secure enclaves, also identified as , refer to a technique that isolates an environment — processor, memory and storage — with a higher level of security and only provides a limited exchange of information with its surrounding untrusted execution context. For example, a secure enclave at the hardware and OS levels can create and store private keys and perform operations with them, such as encrypting data or verifying signatures, without the private keys leaving the secure enclave or being loaded into the untrusted application's memory. A secure enclave provides a limited set of instructions to perform trusted operations, isolated from the untrusted application context.
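To make the boundary described above concrete, here is an added example (not code from the original text or from any enclave vendor) that models it in plain Python: key material is created and used only inside the `Enclave` class, the untrusted application reaches it solely through a small fixed instruction set, and only opaque handles, tags and booleans cross the boundary. The class names, the HMAC-based signing and the instruction names are assumptions made for the model; a real enclave would rely on hardware isolation and typically on asymmetric keys.

```python
"""Constructed model of a secure-enclave boundary using only the standard library."""
import hashlib
import hmac
import os
import secrets


class EnclaveError(Exception):
    """Raised when the untrusted side asks for something the enclave does not offer."""


class Enclave:
    # Trusted side. Callers are expected to use call() only; the key store is private.
    _INSTRUCTIONS = ("generate_key", "sign", "verify")

    def __init__(self):
        self._keys = {}  # handle -> raw key bytes; never returned to a caller

    def call(self, instruction, **args):
        """The only entry point: a small, fixed instruction set (assumed names)."""
        if instruction not in self._INSTRUCTIONS:
            raise EnclaveError(f"unsupported instruction: {instruction}")
        return getattr(self, "_" + instruction)(**args)

    def _generate_key(self):
        handle = secrets.token_hex(8)  # opaque reference handed to the caller
        self._keys[handle] = os.urandom(32)  # key is created inside and never exported
        return handle

    def _lookup(self, handle):
        if handle not in self._keys:
            raise EnclaveError("unknown key handle")
        return self._keys[handle]

    def _sign(self, handle, message):
        # HMAC-SHA256 stands in for a signature operation in this model
        return hmac.new(self._lookup(handle), message, hashlib.sha256).digest()

    def _verify(self, handle, message, tag):
        # constant-time comparison so the check itself does not leak the tag
        return hmac.compare_digest(self._sign(handle, message), tag)


def untrusted_app(enclave, message):
    """Untrusted side: it only ever sees a handle, a tag and verification results."""
    handle = enclave.call("generate_key")
    tag = enclave.call("sign", handle=handle, message=message)
    ok = enclave.call("verify", handle=handle, message=message, tag=tag)
    forged = enclave.call("verify", handle=handle, message=message + b"!", tag=tag)
    return handle, tag, ok, forged
```

Asking the enclave for an instruction outside its set (for example an export of the key) is rejected with `EnclaveError`, which is the "limited exchange of information" the text refers to.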
The technique has long been supported by many hardware and OS providers (including ), and developers have used it in IoT and edge applications. Only recently, however, has it gained attention in enterprise and cloud-based applications. Cloud providers have started to introduce features such as hardware-based secure enclaves: promises TEE-enabled VMs and access through the open-source library to perform trusted operations. Similarly, , still in beta, allows using VMs with data encryption in memory, and is following them with its upcoming preview release. With the introduction of cloud-based secure enclaves and confidential computing, we can add a third pillar to data protection: at rest, in transit and now in memory.
Even though we're still in the very early days of secure enclaves for enterprise, we encourage you to consider this technique, while staying informed about known that can compromise the secure enclaves of the underlying hardware providers.