Encrypt a program's memory without any SGX hardware #2147

oktaybasak368 · 2025-07-18T11:23:16Z

oktaybasak368
Jul 18, 2025

The environment doesn't provide any SGX hardware, so the program can only run by gramine-direct.
In this case, is it possible to encrypt the program's memory?
For example, there are many sensitive strings in the program's memory. How to make these strings invisible for the host?
Is it possible?

Answered by donporter

Jul 19, 2025

Without hardware enforcement of mutual distrust, the OS kernel will be able to introspect on program memory and read secret data while it is in plaintext. So you can keep these strings in memory as ciphertext, but you can never decrypt them without revealing them to the host. Gramine-direct on such hardware cannot protect secret data from the host.

There are other hardware models of mutual distrust than SGX, such as Intel TDX. But Gramine only supports SGX at the moment.

View full answer

donporter · 2025-07-19T19:14:53Z

donporter
Jul 19, 2025
Maintainer

Without hardware enforcement of mutual distrust, the OS kernel will be able to introspect on program memory and read secret data while it is in plaintext. So you can keep these strings in memory as ciphertext, but you can never decrypt them without revealing them to the host. Gramine-direct on such hardware cannot protect secret data from the host.

There are other hardware models of mutual distrust than SGX, such as Intel TDX. But Gramine only supports SGX at the moment.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Encrypt a program's memory without any SGX hardware #2147

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Encrypt a program's memory without any SGX hardware #2147

Uh oh!

oktaybasak368 Jul 18, 2025

Replies: 1 comment

Uh oh!

donporter Jul 19, 2025 Maintainer

oktaybasak368
Jul 18, 2025

donporter
Jul 19, 2025
Maintainer