Description
Path: /sdk/documentintelligence/azure-ai-documentintelligence

Industry and healthcare clients processing sensitive documents (IDs, medical records, contracts) require end-to-end encryption including during AI analysis. Currently, the SDK lacks native integration with Azure Confidential Computing (DCsv3 VMs/Intel SGX). This forces developers to implement manual workarounds like:

- Building custom proxy middleware on DCsv3 VMs
- Handling encryption/decryption before/after Document Intelligence calls
- Managing complex key rotation workflows

In enterprise deployments processing 50K+ docs/month (AI Document Explorer), this adds 35% latency and increases infrastructure costs by 40%. More critically, it blocks adoption in GCC High/IL5+ environments where in-use data protection is mandatory.
Add a confidential_compute parameter to the DocumentIntelligenceClient initialization:
```python
client = DocumentIntelligenceClient(
    endpoint=ENDPOINT,
    credential=CREDENTIAL,
    confidential_compute=True  # NEW PARAMETER
)
```
This should:
- Auto-route processing to Intel SGX enclaves (DCsv3 VMs)
- Integrate with Azure Key Vault Managed HSM for key management
- Provide GCC High compliance documentation in SDK reference
- Maintain backward compatibility (default=False)

Describe alternatives you've considered
Current workaround:
```python
# Manual proxy implementation
from custom_confidential_proxy import SecureProxyClient
proxy = SecureProxyClient(DocumentIntelligenceClient)  # Adds 35% latency
```

- Meets compliance requirements
- High maintenance (key rotation, VM scaling)
- 35% latency penalty

Client-side encryption:
```python
encrypted_doc = encrypt(doc, KEK)  # Before sending
result = client.analyze(encrypted_doc)
decrypted_result = decrypt(result)  # After response
```

- No service changes needed
- Breaks document structure analysis
- Incurs 2x bandwidth costs

Wait for service-side solution:
- Forces insecure cleartext processing today