Secrets and Key Management

Confidential computing provides advanced capabilities for protecting secrets and keys while they are in use, enhancing the security posture of an application.

Services enabled for confidential computing use keys managed by the hardware root of trust to inform attestation services and to encrypt and decrypt data inside the Trusted Execution Environment (TEE).

This is a key part of the protection for confidential virtual machines (CVMs) and for many other services built upon CVMs, such as confidential node pools on AKS, or data services that support confidential SKUs, such as Azure Data Explorer.

For example, systems can be configured so that keys are released only once code has proven, via attestation, that it is executing inside a TEE. This is known as Secure Key Release (SKR). This powerful feature is useful for applications that need to read encrypted data from Azure blob storage into a TEE, where it can be securely decrypted and processed in the clear.
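
A simplified model of the Secure Key Release decision described above, added here as an illustration and not Azure's implementation or code from this page: a key release policy is evaluated against attestation claims, and release is allowed only when a rule for the token's issuer is fully satisfied. The authority URL, claim sets and function names are constructed assumptions, the claim names are those a policy for an AMD SEV-SNP CVM checks, and verification of the attestation token's signature is assumed to have happened already.

```python
# Simplified model of the SKR release decision (added example, not Azure's code).
# Assumes the attestation token's signature and issuer were already verified.
ISSUER = "https://attest.example.invalid"  # placeholder attestation authority

RELEASE_POLICY = {  # constructed sample in the key release policy JSON shape
    "version": "1.0.0",
    "anyOf": [{
        "authority": ISSUER,
        "allOf": [
            {"claim": "x-ms-isolation-tee.x-ms-attestation-type",
             "equals": "sevsnpvm"},
            {"claim": "x-ms-isolation-tee.x-ms-compliance-status",
             "equals": "azure-compliant-cvm"},
        ],
    }],
}

# Constructed claim sets: one from an attested CVM, one lacking TEE evidence.
CVM_CLAIMS = {"x-ms-isolation-tee": {
    "x-ms-attestation-type": "sevsnpvm",
    "x-ms-compliance-status": "azure-compliant-cvm"}}
NON_TEE_CLAIMS = {"x-ms-ver": "1.0"}

def lookup(claims, dotted):
    """Resolve a dotted claim path in nested claims; None when absent."""
    node = claims
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def condition_holds(cond, claims):
    """Evaluate an allOf/anyOf group or a claim/equals leaf, failing closed."""
    if "allOf" in cond:  # an empty group must not count as satisfied
        return bool(cond["allOf"]) and all(
            condition_holds(c, claims) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, claims) for c in cond["anyOf"])
    if "claim" in cond and "equals" in cond:
        return lookup(claims, cond["claim"]) == cond["equals"]
    return False  # unknown condition shape

def release_allowed(policy, issuer, claims):
    """True only if a rule for this issuer has every condition met."""
    return any(rule.get("authority") == issuer and condition_holds(rule, claims)
               for rule in policy.get("anyOf", []))
```

The model fails closed in three places worth checking in any real policy review: a missing claim, an issuer that no rule names, and an empty condition group.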

CVMs rely on virtual Trusted Platform Modules (vTPMs); you can read more about this in Virtual TPMs in Azure.

The Azure Managed HSM offering is built on confidential computing technologies and can be used to enhance access control of secrets and keys for an application.