Microsoft Announces Confidential Compute for Azure

Microsoft Azure latest feature will encrypt your files and keep them entirely secret, even from Microsoft.

This week Microsoft revealed a new feature soon to be implemented in its Azure cloud called “Confidential Compute”. Confidential Compute will allow Azure users to keep their data entirely safe whether it’s in storage, running over a  network, and even when it’s being computed in-memory. By allowing users to encrypt data even when in use, ensures that all files and data can be kept completely safe from hackers, governmental warrants and even from Microsoft themselves.

The new features will operate in two modes. The first is for virtual machines. The second mode uses a specific feature in Intel’s new Skylake-SP Xeon processors called Software Guard Extensions (SGX). However, both modes will operate in a completely trusted execution environment (TEE) by allowing applications to ringfence specific parts of code and data. Any code or data within a TEE is impossible to inspect from outside.

The virtual machine mode relies on a certain Hyper-V functionality found in Windows 10 and Windows Server 201 called Virtual Secure Mode (VSM). By using VSM, the majority of any application is able to run in a regular virtual machine in addition to a regular operating system. The parts of the application being run in the TEE section will be run in a separate virtual machine that consists of only a basic operating system that can successfully communicate with the regular VM. The parts of code in the TEE will be those that need to handle sensitive data.

In the event that any application gets compromised and a hacker gains access to the main VM, any data within the TEE will remain inaccessible. Because Hyper-V keeps the two machines separated, a hacker would have to be able to compromise the Hyper-V first before being able to gain access.

The SGX processor will encrypt and decrypt data itself from memory in such a way that the data is only decrypted in the processor. This allows the processor to carve out TEE using regular processes without having to use any virtual machines whatsoever. This makes Hyper-V security less relevant, as the main trust and security issues rest solely between the SGX processor itself and the application in question. Using this unique method of TEE, no one, not even Microsoft will be able to access the data.

According to Microsoft, they are currently developing other TEEs as well. The most noteworthy of this being a TEE based on virtual machines that use the encrypted memory features of AMD’s Epyc processors.

This new Confidential Computing feature in Azure will soon be made available via an early access program. The new feature will be available on both Windows and Linux operating systems with an SDK which will enable developers to write parts of their application within TEEs.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.