Adopting Confidential Computing on Kubernetes
Key Points
- Confidential Computing secures data in use by encrypting and isolating memory within hardware‑based trusted execution environments (enclaves), complementing TLS‑in‑transit and envelope‑at‑rest encryption for true end‑to‑end protection.
- IBM Cloud Data Shield lets you adopt Intel SGX enclaves on Kubernetes or Red Hat OpenShift clusters with no code changes, turning regular container images into SGX‑ready, memory‑encrypted workloads.
- The workflow starts by provisioning SGX‑capable worker nodes, installing the Data Shield Helm chart, and using its API to pull a container image, convert it with Fortanix Runtime Encryption, and push the secure image back to your registry.
- Data Shield’s UI and API integrate seamlessly with existing DevOps pipelines, handling image conversion, deployment configuration updates, and attestation reporting through the cluster’s native PKI.
- This approach aligns with existing cloud‑native strategies and requires no additional developer skills, simplifying the adoption of confidential computing for production applications.
Full Transcript
# Adopting Confidential Computing on Kubernetes **Source:** [https://www.youtube.com/watch?v=xtNpPI9dHio](https://www.youtube.com/watch?v=xtNpPI9dHio) **Duration:** 00:03:17 ## Summary - Confidential Computing secures data in use by encrypting and isolating memory within hardware‑based trusted execution environments (enclaves), complementing TLS‑in‑transit and envelope‑at‑rest encryption for true end‑to‑end protection. - IBM Cloud Data Shield lets you adopt Intel SGX enclaves on Kubernetes or Red Hat OpenShift clusters with no code changes, turning regular container images into SGX‑ready, memory‑encrypted workloads. - The workflow starts by provisioning SGX‑capable worker nodes, installing the Data Shield Helm chart, and using its API to pull a container image, convert it with Fortanix Runtime Encryption, and push the secure image back to your registry. - Data Shield’s UI and API integrate seamlessly with existing DevOps pipelines, handling image conversion, deployment configuration updates, and attestation reporting through the cluster’s native PKI. - This approach aligns with existing cloud‑native strategies and requires no additional developer skills, simplifying the adoption of confidential computing for production applications. ## Sections - [00:00:00](https://www.youtube.com/watch?v=xtNpPI9dHio&t=0s) **Secure Enclaves for Cloud Workloads** - An IBM Cloud security architect outlines how hardware‑based trusted execution environments such as Intel SGX can be integrated—without code changes—into container and Kubernetes workloads using IBM Cloud Data Shield to provide end‑to‑end data protection. ## Full Transcript
Confidential Computing protects your data in use through hardware based trusted execution
environments, otherwise called enclaves, but how do you adopt these secure enclaves to
truly protect your applications end to end? How does this align with your container or
Kubernetes strategy? And do you need new skills or additional DevOps workflows to adopt them?
Hi, I am Pratheek Karnati, Security Architect for IBM Cloud. Today, we are going to talk about
Confidential Computing, and specifically, how easy it is to adopt TEEs and to protect your
cloud workloads using IBM Cloud Data Shield. Briefly, let’s talk about Confidential Computing…
At a high-level confidential computing protects data through encryption and isolation of memory,
which complements your data in transit encryption (using TLS) and at rest encryption (envelope
encryption using a root key) for a true end to end data protection. And this cryptographic
isolation of memory happens either at VM or at process level. You can think of it as a
VM level cryptographic isolation or a process level cryptographic isolation. For today, let’s
focus on process level cryptographic solutions… …or secure enclaves… let’s look at Intel Software
Guard Extensions (SGX) and how Data Shield can help you adopt Intel SGX with no code changes!
Intel Software Guard Extensions (SGX) is a set of security-related instruction codes that are
built into some modern Intel central processing units (CPUs). They allow user-level as well
as operating system code to define private regions of memory, again enclaves, whose contents are
protected and unable to be either read or saved by any process outside the enclave itself, including
processes running at higher privilege levels. So, where do you begin?
First, you start with the Kubernetes cluster. You can provision either an IBM Kubernetes Service
or Red Hat Open Shift on IBM Cloud cluster with Intel SGX capable worker nodes. Next,
you install Data Shield helm chart on your cluster. This installs your own dedicated
single tenant Data Shield instance on your cluster, which includes an UI and an API.
The API seamlessly aligns with your cloud native strategy and integrates with your
DevOps pipelines to convert your container images to Intel SGX capable secure enclave counterparts,
using industry’s best Runtime Encryption technology from Fortanix! Data Shield pulls
your container image from your registry, converts and pushes the new image back to your registry,
without you having to make any code changes! You can now update your Kubernetes deployment yaml
and deploy your new runtime memory encrypted application to your cluster.
And yes, Data Shield also takes the complexity away from attestation
and presents you the attestation report through a Public Key Infrastructure native to
your cluster. This gives you the additional layer of technical assurance you need.
The UI helps with user access management, presents you with the attestation reports,
gives you privileges to allow or deny a certain enclave, and even has an intuitive tool to convert
your application for a quick demo or a PoC. To recap, Data Shield is a single tenant
software that runs on your Kubernetes cluster and helps you adopt Intel SGX secure enclaves
with technical assurance through attestation reports and with no code changes.