Tinfoil Enclaves: A Technical Overview
Tinfoil makes it easy to run programs and applications in isolated, confidential computing environments called enclaves, providing strong confidentiality, integrity, and transparency guarantees to your workloads. When your SaaS application is deployed using Tinfoil, your users can verify these guarantees for themselves, and don't need to trust anyone with their personal data. Tinfoil enclaves support a wide range of applications, from simple functions to large AI workloads running with bare-metal performance on state-of-the-art NVIDIA GPUs.
How are we different?
Tinfoil provides the highest levels of security that are currently available in cloud computing.
By deploying your workloads on Tinfoil, you have the guarantee that all potentially sensitive or proprietary data of your customers remains secure while it is processed in a secure hardware enclave. Importantly, your users and customers can easily verify these claims for themselves using Tinfoil's verification tools, giving them the confidence that their data remains completely under their control at all times.
The pitch is simple: you continue to deploy and deliver your services as before, while Tinfoil ensures that your deployments are running in a secure and confidential environment that is publicly verifiable. This makes you resilient, out of the box, against entire categories of security threats, including data breaches, ransomware attacks and social engineering. Whether serving individual users or enterprise customers, Tinfoil's infrastructure delivers the highest level of security without you needing to implement complex security protocols or having to deploy custom on-premise solutions.
What are enclaves?
Secure enclaves, sometimes called Trusted Execution Environments or TEEs, are hardware security features that create hardware-level isolation for programs. Compatible processors and GPUs developed by NVIDIA, AMD, or Intel can be configured to establish a completely separate environment within the server, where both the program and data remain encrypted and inaccessible — even to the server's own operating system, hypervisor, or to the broader cloud infrastructure including the cloud administrators. You can think about it as an architecturally-isolated bare metal machine inside a server.
Why are enclaves hard to use?
Trusted execution environments have been around for a few years, but their complexity has prevented widespread adoption despite the necessary hardware mechanisms being available on modern server-grade machines. Tasks that are straightforward in normal environments, like accessing memory or an external GPU, become significant engineering challenges in an isolated environment. Tinfoil is the antidote to this complexity: it handles the hardware and the technical implementation details, builds the infrastructure required to make these technologies easy to use, and makes sure you get security right. Tinfoil allows you to focus on building your application while leveraging the full security benefits of confidential computing.
Advantages of building with Tinfoil
Confidentiality
Tinfoil's isolation technology provides significantly stronger data protection than a traditional SaaS deployment in the cloud. In a standard setup, a SaaS provider (OpenAI, Cursor or yourself) deploys their application on a virtual machine managed by a cloud provider. When a client queries the service, it sends its private data to the server and exposes it to both the SaaS provider and the cloud provider.
First, standard cloud providers (AWS, Azure, Google Cloud) rely on virtualization to provide isolation between virtual machines. The hypervisor (a privileged piece of software responsible for managing all the hardware resources) is under the cloud provider's control and can access all of those resources, which gives the cloud provider visibility into sensitive data and workloads.
Second, there are no restrictions on the SaaS provider's ability to access the sensitive data. They usually have SSH access to the virtual machine and can access all their users' data. Some access control might exist, but these solutions stay in the realm of what we call "pinky promise" security.
Tinfoil's enclaves provide hardware-level isolation for sensitive workloads. This means your users' private data remains completely separated from the cloud provider, intermediate services (e.g., Tinfoil), and even your own organization. This solution provides the highest level of confidentiality for your users, as they do not need to trust anyone to handle their data correctly. You can give your users the peace of mind that their data is safe by guaranteeing it is not being collected, trained on or sold to third parties.
Integrity
TEEs are also great at creating a proof of their internal state to enforce code and data integrity. Using a combination of cryptographic hashes and signatures, they can prove that they are authentic (running on hardware endorsed by NVIDIA, Intel or AMD), measure their configuration, and uniquely identify the code they are running. This makes it possible to prove that the correct application is running inside a trusted Tinfoil enclave and that it is correctly isolated from the cloud provider and other services. When users connect to your service, their devices automatically verify the Tinfoil enclave's attestation proof through a series of cryptographic checks. This process guarantees that your application is running in a genuine, properly configured enclave with all security measures in place, and the proof can be publicly re-verified at any time.
Transparency
TEEs are able to uniquely identify the code or program they run, but how can your clients trust that this code does not contain a backdoor, for instance? With Tinfoil, you can provide full (or partial) code transparency to your clients, making it possible for anyone to instantly verify that the code running inside the enclave matches the code that has been published publicly (e.g., on GitHub). To make this process as easy as possible, Tinfoil provides a special execution environment that makes it easy for your application to integrate into our infrastructure. When you publish your application code on GitHub, it is automatically compiled using GitHub Actions, and the corresponding binary and cryptographic measurement are published on a transparency log operated by Sigstore. Once your users' devices have verified they are interacting with a genuine Tinfoil enclave, they can query the transparency log for a public commitment and verify that the code running inside the enclave matches the code you have published and authorized. Because everything is done automatically, you can always push a new version of your application to be deployed, without having to worry about how all the pieces fit together. You can also invalidate old versions if they become deprecated. Because all public code is committed to a transparency log, your users can trust you, as the code running inside the enclave will always be available to audit.
Conclusion
Tinfoil's enclaves provide the highest level of security that is currently available in cloud computing and make it easy to build and deploy SaaS applications that are secure, private, and transparent.
Stay tuned for more blog posts on how to build with Tinfoil!