Why Privasys
The trust problem in cloud computing and how Privasys solves it with confidential computing and attested connections.
The Trust Problem
Cloud computing requires handing over your data and code to a third party. Even with encryption at rest and in transit, there is a fundamental gap: data must be decrypted to be processed, and during that window the cloud provider, the host OS, the hypervisor, and any privileged attacker can observe it.
Confidential Computing closes this gap by running workloads inside hardware-enforced Trusted Execution Environments (TEEs). Technologies like Intel SGX, Intel TDX, and AMD SEV-SNP ensure that memory is encrypted, CPU state is isolated, and even a compromised hypervisor cannot peek inside.
But hardware isolation alone is insufficient. A critical question remains:
How does a remote client know it is actually talking to a genuine TEE running the expected code?
The traditional answer, remote attestation, requires custom client-side code, specialised SDKs, and an out-of-band attestation flow that is alien to the browser-based web.
Our Approach: Attested Connections
Privasys takes a different path. Instead of asking every client to speak a custom attestation protocol, we embed the attestation evidence directly into standard TLS certificates. This technique is called RA-TLS (Remote Attestation TLS), and it means:
- Zero client-side changes. Any TLS client, a browser,
curl, a mobile app, can connect without modification. HTTPS just works. - Composable with existing PKI. The certificate is signed by a private CA, chaining into your organisation's existing trust hierarchy.
- Cryptographic binding. The hardware quote's
ReportDatacontains a hash of the TLS public key, making the attestation inseparable from the TLS session. - Verifiable by anyone. A relying party extracts the quote from a standard X.509 extension and verifies it against the chip vendor's attestation infrastructure.
Our Products
Privasys is not a hosted platform. It is open-source infrastructure that you deploy on your own hardware or cloud instances:
Enclave OS
A minimal operating system for hardware-protected environments, available in two editions:
Enclave OS Mini runs inside Intel SGX enclaves. Written entirely in Rust, it provides attested connections, an encrypted key-value store, sealed configuration, and a WASM runtime for running arbitrary business logic inside the enclave. The Trusted Computing Base is approximately 4 MB, the smallest attack surface available.
Enclave OS Virtual runs inside Confidential VMs (Intel TDX, AMD SEV-SNP). Standard Linux, standard tooling, with hardware-encrypted memory and full attestation provided by the Caddy RA-TLS module. No code changes needed, your existing containers run as-is.
Enclave Vaults
Hardware-isolated secrets management that distributes trust across multiple enclave nodes using Shamir's secret sharing. Keys are generated and used exclusively inside secure hardware. Access is controlled through standard OIDC tokens, and every connection is verified through remote attestation. No single party, not even us, can access your secrets.
Enclave Agent
Confidential AI inference inside hardware-protected environments. Models run inside AMD SEV-SNP Confidential VMs with optional NVIDIA H100 Confidential Computing for GPU workloads. Supports private knowledge retrieval, secure agent-to-agent communication via the Model Context Protocol (MCP), and hardware-attested connections to clients.
Privasys Platform
The deployment infrastructure that ties everything together: an attested reverse proxy (Caddy RA-TLS module) for Confidential VMs, verification libraries in six languages (Python, Go, Rust, TypeScript, C#, .NET), an attestation server that independently verifies hardware quotes, and deployment guides for Google Cloud, Azure, and OVH Cloud.
Two Deployment Models
Confidential computing hardware comes in two fundamentally different forms. Rather than force a one-size-fits-all solution, Privasys provides a dedicated stack for each:
| Enclave OS Mini (Intel SGX) | Enclave OS Virtual (Intel TDX / AMD SEV-SNP) | |
|---|---|---|
| What it protects | A single application inside a hardware enclave | An entire virtual machine with encrypted memory |
| Trusted Computing Base | ~4 MB enclave binary | Full Linux VM + application |
| How you deploy | Custom Rust build, SGX SDK, signed enclave | Standard Linux, Caddy RA-TLS module |
| How apps run | WASM modules loaded into the enclave | Any process in the VM; Caddy acts as reverse proxy |
| Attested connection | CA-signed, enclave-generated certificate | CA-signed, TEE-generated certificate |
Choose Enclave OS Mini when you need the smallest possible attack surface and strong per-application isolation, ideal for security-critical workloads where minimising the Trusted Computing Base is paramount.
Choose Enclave OS Virtual when you want to add attestation to existing applications with minimal changes, just place a Caddy reverse proxy inside a Confidential VM and configure the RA-TLS issuer.
Both paths produce standard attested connections verifiable by the same verification libraries. The choice of TEE backend is transparent to clients: they see a normal HTTPS connection either way.
Design Principles
| Principle | How |
|---|---|
| Minimal TCB | The Enclave OS Mini is ~4 MB signed. Only essential code runs inside the enclave. |
| Standard protocols | TLS 1.3, X.509, HTTPS. No custom wire protocols exposed to clients. |
| Defence in depth | Hardware isolation (SGX/TDX) + WASM sandboxing + encrypted storage + Merkle-attested configuration. |
| Open source | All infrastructure is AGPL-3.0. Inspect, audit, and build from source. |
| No vendor lock-in | Deploy on any SGX/TDX/SEV-capable hardware. The Caddy module's Attester interface supports pluggable backends. |
Honest by Design
Traditional cloud requires you to trust the provider. Privasys replaces trust with verification:
- The enclave's identity (MRENCLAVE) proves exactly which code is running.
- The attested connection proves the TLS key was generated inside that enclave.
- The Config Merkle root proves exactly which CA, modules, and applications are loaded.
- All of this is embedded in a standard X.509 certificate that any client can inspect.
Do not trust. Verify.