Build with SGX enclaves

Azure confidential computing offers DCsv2-series and DCsv3/DCdsv3-series* virtual machines (VMs). These VMs have Intel® Software Guard Extensions (SGX).

Intel SGX technology allows customers to create enclaves that protect data, and keep data encrypted while the CPU processes the data. The operating system (OS) and hypervisor can't access the data. Data center administrators with physical access also can't access the data.

Enclaves concept

Enclaves are secured portions of the hardware's processor and memory. You can't view data or code inside the enclave, even with a debugger. If untrusted code tries to change content in enclave memory, SGX disables the environment and denies the operations. These unique capabilities help you protect your secrets from being accessible in the clear.

Diagram of the VM model, showing data secured in the enclaves.

Think of an enclave as a secured lockbox. You put encrypted code and data inside the lockbox. From the outside, you can't see anything. You give the enclave a key to decrypt the data. The enclave processes and re-encrypts the data, before sending the data back out.
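The lockbox flow above, as an added illustration that is not part of the original page: a toy simulation in which an untrusted host can only forward sealed blobs, while the enclave object is the only component that ever holds the key or plaintext, and any tampered blob is rejected. The HMAC-based stream cipher, the `Enclave` and `UntrustedHost` classes and the `.upper()` workload are all placeholders for a real SGX SDK, attestation-gated key release and authenticated encryption (AES-GCM).

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream HMAC-SHA256(key, nonce || counter); stand-in for a real AEAD.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: sealed data was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Enclave:
    """The lockbox: the only place where the key and the plaintext exist."""
    def __init__(self):
        self._key = None
    def provision_key(self, key: bytes):
        # Real deployments release the key only after remote attestation succeeds.
        self._key = key
    def process(self, sealed_input: bytes) -> bytes:
        data = unseal(self._key, sealed_input)   # decrypt inside the enclave
        result = data.upper()                     # the confidential computation
        return seal(self._key, result)            # re-encrypt before data leaves

class UntrustedHost:
    """OS/hypervisor side: forwards bytes, records everything it can observe."""
    def __init__(self, enclave: Enclave):
        self.enclave, self.observed = enclave, []
    def run(self, sealed_input: bytes) -> bytes:
        self.observed.append(sealed_input)
        out = self.enclave.process(sealed_input)
        self.observed.append(out)
        return out

def lockbox_roundtrip(secret: bytes):
    """Returns (recovered result, whether the host ever saw the plaintext)."""
    key = secrets.token_bytes(32)
    enclave = Enclave(); enclave.provision_key(key)
    host = UntrustedHost(enclave)
    sealed_out = host.run(seal(key, secret))
    leaked = any(secret in blob for blob in host.observed)
    return unseal(key, sealed_out), leaked
```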

Each enclave has an encrypted page cache (EPC) with a set size. The EPC determines the amount of memory that an enclave can hold. DCsv2-series VMs hold up to 168 MiB. DCsv3/DCdsv3-series* VMs hold up to 256 GB for more memory-intensive workloads.

Note

*DCsv3 and DCdsv3 are in public preview as of November 1, 2021.

For more information, see how to deploy Intel SGX VMs with hardware-based trusted enclaves.

Developing for enclaves

You can use various software tools for developing applications that run in enclaves. These tools help you shield portions of your code and data inside the enclave, so that nobody outside your trusted environment can view or modify your data.

Next Steps