Microsoft announced Thursday a new feature coming to its Azure cloud platform named “Confidential Compute.” The feature will allow applications running on Azure to keep data encrypted not only when it’s at rest (in storage) or in transit (over a network) but also while it’s being computed on in memory. This ability to encrypt data when it’s in use means that it can be kept secure even from Microsoft’s administrators, government warrants, and hackers.
Confidential Computing will have two modes: one is built on virtual machines while the other uses the SGX (“Software Guard Extensions”) feature found in Intel’s recently introduced Skylake-SP Xeon processors. Both modes will allow applications to ringfence certain parts of their code and data so that they operate in a “trusted execution environment” (TEE). Code and data that are inside a TEE cannot be inspected from outside the TEE.
The virtual machine mode uses the Virtual Secure Mode (VSM) functionality of Hyper-V that was introduced in Windows 10 and Windows Server 2016. With VSM, most parts of an application will run in a regular virtual machine atop a regular operating system. The protected, TEE parts will run in a separate virtual machine containing only a basic stub operating system (enough that it can communicate with the regular VM) and only those parts of the application code that need to handle the sensitive data.
Even if the application gets compromised and an attacker has access to the main VM, data within the VSM TEE will be inaccessible, because Hyper-V keeps virtual machines separate from each other. An attacker would have to compromise Hyper-V itself to break through this isolation.
The SGX mode uses processor features to carve out a TEE within a regular process—no virtual machines necessary. The processor itself will encrypt and decrypt data from memory, such that the data is only decrypted when it’s within the processor itself. With this mode, even Hyper-V’s security isn’t important; the only thing that an application has to trust is the processor and its implementation of SGX. With SGX enclaves, nobody—not even Microsoft—can see the data in the TEE.
Microsoft says that it is working to develop other TEEs, too; one can imagine that a virtual machine-based TEE that used the encrypted memory features of AMD’s Epyc processors, for example, would be of interest.
Azure Confidential Computing-enabled virtual machines will be available through an early access program. The feature will support virtual machines running both Windows and Linux, with an SDK for developers to write portions of their applications to reside within a TEE.