Azure confidential computing
Own and control your data in transit and at rest, and extend that control by protecting data in use.
Choose from a broad range of confidential computing hardware and software
Choose VMs based on AMD EPYC 3rd Gen CPUs to lift and shift applications without changing any code, with the entire VM encrypted at runtime. Or choose VMs based on Intel SGX for confidentiality and customisation down to the application level. Use the trusted launch feature to measure the boot integrity of the confidential VM, and add Azure Attestation, a unified service that verifies that a workload is running on a trusted platform before you release secrets to it.
Move your existing workloads to Azure and make them confidential without changing any code. With AMD EPYC 3rd Gen technology (AMD SEV-SNP), the contents of an entire virtual machine are opaque to cloud administrators, giving secure and isolated computation. The trusted launch feature measures the boot integrity of the confidential VM. The runtime state of these VMs is fully encrypted, protecting your data even while it is in use. The keys used for this memory encryption are generated inside the CPU and never leave it.
Optimise for confidentiality at the application level with Intel SGX. Lift and shift existing applications into secure enclaves. Use confidential nodes with containers supported by Azure Kubernetes Service (AKS). Manage keys confidentially using Azure Key Vault with managed HSM. Run inference confidentially with the Open Neural Network Exchange (ONNX) Runtime.
Secure your sensitive and regulated data while it is being processed in the cloud by isolating computations in a hardware-based trusted execution environment (TEE). Protect data in use to keep it from being accessed by the cloud service provider, an administrator or another user. Build on top of secure hardware with familiar tools, software and cloud infrastructure.
AI and machine learning need large datasets to provide value, but organisations are disincentivised from sharing their data for competitive or regulatory reasons. Azure confidential computing lets organisations combine datasets confidentially, so that no contributor's data is exposed to the other contributors, and share the resulting AI and machine learning insights. Upload encrypted data to a secure enclave in a virtual machine and run algorithms over datasets from multiple sources.
Explore Azure confidential computing solution architecture
Learn more about Azure confidential computing products and services
Confidential VMs built on AMD EPYC 3rd Gen CPUs encrypt the entire VM at runtime and allow "lift and shift" conversion to confidentiality.
Virtual machines built on Intel SGX technology support hardware-based enclave creation.
Expands confidential computing capabilities by enabling in-place encryption and richer confidential queries.
Confidential computing nodes on AKS improve the security of container applications.
Trusted launch protects your virtual machines against bootkits, rootkits and kernel-level malware.
Azure Attestation is a unified solution for verifying that software binaries were instantiated on a trusted platform.
Get the latest Azure confidential computing news and resources
Customers are protecting data in use with Azure confidential computing
Protecting data for millions of customers
Jim O'Leary, VP of Engineering, Signal
"We utilize Azure confidential computing to provide scalable, secure environments for our services. Signal puts users first, and Azure helps us stay at the forefront of data protection with confidential computing."
Accelerating transactions while protecting data
Joshua Goldbard, CEO, MobileCoin
"Confidential computing rides the edge between what we can imagine and what we can protect. The praxis we've experienced with Azure allows us to commit to systems that are integral, high trust, and performant."
UCSF, Fortanix, Intel and Microsoft utilise privacy-preserving analytics to accelerate AI in health care
Michael Blum, MD, professor of medicine at UCSF
"While we have been very successful in creating clinical-grade AI algorithms that can safely operate at the point of care...the work was time consuming and expensive. ... With this new technology, we expect to markedly reduce the time and cost, while also addressing data security concerns."
Fortanix makes Azure applications confidential
Ambuj Kumar, CEO and Co-founder, Fortanix
"Today, data is often encrypted at rest in storage and in transit across the network, but not while in use. Securing data and code with confidential computing will help customers accelerate the journey to the cloud, while protecting their most valuable data. Azure confidential computing provides the hardware-based security infrastructure needed for our confidential computing platform and applications to excel in the cloud. Fortanix is excited to bring cloud-scale confidential computing to our global customers through our partnership with Microsoft."
Anqlave and Azure provide portable secure enclaves
Assaf Cohen, CEO, Anqlave
"Anqlave's proprietary, institutional-grade modern key management and data encryption solution addresses the most critical security issues we face today. Anqlave Data Vault (ADV) secret management allows users to securely create, store, transport and use its secrets. Leveraging Azure confidential computing allows us to make this technology more accessible to our enterprise customers and easily support their scale. Providing a secure enclave that is portable in the cloud is one of the key reasons why our enterprises prefer to host their ADV on Azure confidential computing regardless of their other cloud infrastructure."
Anjuna makes Azure applications confidential
Ayal Yogev, CEO, Anjuna Security
"Insider threats are a clear and present danger to cloud computing. Azure confidential computing with enterprise-ready enclaves protects companies from insiders with a new level of simplicity. The time for enterprises to start POCs is now."
Frequently asked questions
In the same way that storage encryption (for example AES-based disk and database encryption) addressed the challenge of protecting data at rest, and the Internet Engineering Task Force (IETF) addressed the challenge of protecting data in transit with Transport Layer Security (TLS), confidential computing protects data in use: data and code while they are being processed in memory. One of the ways in which it can be implemented today is through hardware-based trusted execution environments (TEEs) such as AMD SEV-SNP confidential VMs and Intel SGX enclaves. The same TEEs can also be consumed through confidential nodes on Azure Kubernetes Service (AKS).
Confidential computing is most commonly used in financial services and health care industries and by government agencies, but every industry can benefit from it.
Prevention of fraud and waste, anti-corruption, anti-terrorism, records and evidence management, intelligence analysis, global weapons systems and logistics management, vulnerable population protection (including child exploitation, human trafficking, etc.), anti-money laundering, digital currencies, blockchain, transaction processing, customer analytics, proprietary analytics and algorithms, disease diagnostics, drug development and contact tracing.
Blockchain nodes are run and maintained by operators or validators who want to ensure integrity and reach consensus on the state of the network. The nodes are replicas that track blockchain transactions: each node holds a full copy of the transaction history, which gives integrity and availability in a distributed network. Blockchain technologies built on top of confidential computing can use hardware-based isolation to add data confidentiality and to protect the computation itself.
The Confidential Consortium Framework (CCF) is one example of a distributed ledger framework built on top of Azure confidential computing. Spearheaded by Microsoft, it uses trusted execution environments so that every node runs inside an enclave whose code identity can be checked by remote attestation. Nodes can run on Azure virtual machines and take advantage of the enclave infrastructure. Because a node is admitted to the network only after its attestation has been verified against the code the network has agreed to run, a user who verifies the attestation of one CCF node effectively verifies the code running across the entire network.
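The verification step that both the Azure Attestation paragraph above and this CCF answer rely on, written out from the relying party's side, as an added example (it is not Azure, CCF or Microsoft code). The token format, claim names, the HMAC stand-in for the service's asymmetric signature, and the nonce and measurement values are all assumptions made so the example runs offline; the order of checks and the decision to release nothing until every check passes are the point.

```python
"""Relying-party side of a remote-attestation check (added example).

A workload inside a TEE obtains an attestation token from an attestation
service and presents it to whoever holds the secret it needs (a key, a
dataset). Before releasing anything, the relying party must verify the
token's signature, confirm the token was issued for the nonce *it* chose
(freshness, anti-replay), and check the claims against policy: expected
TEE type, production (non-debug) mode, approved code measurement, not
expired. Token layout, claim names and the HMAC signature are assumptions
for this offline demo; real services sign with an asymmetric key and
publish the verification key.
"""
import base64
import hashlib
import hmac
import json
import time


class AttestationError(Exception):
    """A token failed one of the verification steps."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Stand-in for the attestation service's signing key (assumption: a real
# service uses an asymmetric key; HMAC is used only so this runs offline).
SERVICE_KEY = b"demo-attestation-service-key"

# Measurement of the only workload image the relying party will serve
# (constructed value, not a real launch digest).
APPROVED_MEASUREMENT = hashlib.sha256(b"approved workload image v1").hexdigest()


def issue_token(claims: dict, service_key: bytes = SERVICE_KEY) -> str:
    """Attestation-service side: sign the claims it derived from the hardware report."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(service_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_attestation(token: str, expected_nonce: str, expected_tee: str,
                       allowed_measurements: set, now=None,
                       service_key: bytes = SERVICE_KEY) -> dict:
    """Relying-party side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError as exc:
        raise AttestationError("malformed token") from exc

    # 1. Signature first: nothing in the body is trustworthy before this.
    expected_mac = hmac.new(service_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected_mac):
        raise AttestationError("signature does not verify")
    claims = json.loads(body)

    # 2. Freshness: the nonce must be the one this relying party issued for
    #    this exchange, or a genuine but old token could be replayed.
    if claims.get("nonce") != expected_nonce:
        raise AttestationError("nonce mismatch (stale or replayed token)")
    if claims.get("exp", 0) <= now:
        raise AttestationError("token expired")

    # 3. Policy: right kind of TEE, production mode, approved code identity.
    if claims.get("tee") != expected_tee:
        raise AttestationError(f"unexpected TEE type {claims.get('tee')!r}")
    if claims.get("debug", True):
        raise AttestationError("debug mode enabled; enclave memory could be inspected")
    if claims.get("measurement") not in allowed_measurements:
        raise AttestationError("measurement not in allow-list")
    return claims


def release_secret(token: str, nonce: str, secret: bytes, now=None) -> bytes:
    """Secure-key-release pattern: the secret leaves only after attestation succeeds."""
    verify_attestation(token, nonce, "sev-snp", {APPROVED_MEASUREMENT}, now)
    return secret


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier over one good token and four bad ones; returns outcome per case."""
    nonce = "c2FtcGxlLW5vbmNl"  # constructed; real code draws it from os.urandom
    good = {"nonce": nonce, "tee": "sev-snp", "debug": False,
            "measurement": APPROVED_MEASUREMENT, "exp": now + 300}
    cases = {
        "valid": issue_token(good),
        "replayed": issue_token(dict(good, nonce="old-nonce")),
        "debug_enclave": issue_token(dict(good, debug=True)),
        "unknown_code": issue_token(dict(good, measurement="00" * 32)),
    }
    # Tampering after signing: swap the measurement but keep the old signature.
    body, mac = issue_token(good).split(".")
    forged = dict(json.loads(_unb64(body)), measurement="00" * 32)
    cases["tampered"] = _b64(json.dumps(forged, sort_keys=True,
                                        separators=(",", ":")).encode()) + "." + mac

    outcomes = {}
    for name, token in cases.items():
        try:
            release_secret(token, nonce, b"dataset-encryption-key", now)
            outcomes[name] = "released"
        except AttestationError as exc:
            outcomes[name] = str(exc)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} {outcome}")
```

Only the first scenario receives the secret; the other four are rejected by different checks, which is why the checks are ordered signature, then freshness, then policy: a forged body must never reach the policy logic, and a genuine token from an approved enclave must still be rejected if it was not produced for this exchange.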