Confidential Computing isolates sensitive data during processing in a protected CPU enclave. The content of the enclave, which are the processed data and the techniques used to process it, are only accessible to authorized programming codes. They are invisible and cannot be viewed by anyone, not even the cloud provider.

In general, data must be unencrypted in memory, befroe it can be processed by an application. This makes data vulnerable to memory queries, root user compromise and other malicious attacks before, during and after processing.

Confidential Computing solves this cybersecurity challenge by using a hardware-based Trusted Execution Environment (TEE), which is a secure enclave within a CPU. The TEE is secured with embedded encryption keys. Embedded confirmation mechanisms ensure that only authorized application code has access to the keys. If malware or other unauthorized code attempts to access the keys, or if the authorized code is hacked or altered in any way, the TEE denies access to the keys and aborts the computing process.

In this way, sensitive data can remain protected in memory until the application instructs the TEE to decrypt the data for processing. While the data is decrypted throughout the computation process, it is invisible to the operating system, the hypervisor in a virtual machine (VM), to other compute stack resources and to the cloud service provider and its employees.