Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1102

Secure Enclave

Reviewed by Cybersecurity entrepreneur & security researcher

What is Secure Enclave?

Secure Enclave: A hardware-isolated, integrity-protected region of a processor or system-on-chip that runs sensitive code and stores keys outside the reach of the main operating system.


A secure enclave is a tamper-resistant compute environment built directly into silicon. Its memory is encrypted and access-controlled by the CPU, and its code is measured at boot so that the enclave can attest to a remote party exactly what is running. Operating systems, hypervisors, and even privileged administrators cannot read enclave state. Enclaves host high-value secrets and operations such as cryptographic keys, biometric matching, DRM, and attestation, and increasingly cloud workloads through confidential VMs. In cloud security they enable bring-your-own-key (BYOK) and hold-your-own-key (HYOK) key services, secure multi-party computation, and isolated key handling for services that would otherwise be exposed to the cloud operator. Examples include Apple's Secure Enclave, Intel SGX, AMD SEV-SNP, and AWS Nitro Enclaves.
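The measure-then-attest flow described above, as an added example that is not part of the original entry and does not follow any vendor's quote format. It is a simplified model: the device key, image bytes and function names are constructed for illustration, and HMAC stands in for the hardware-rooted asymmetric signature a real enclave would use.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key fused into the chip. Real enclaves sign with
# a vendor-certified asymmetric key; HMAC keeps this model standard-library only.
DEVICE_KEY = b"constructed-device-key"
GOOD_IMAGE = b"enclave image v1 (constructed sample)"
EXPECTED = hashlib.sha256(GOOD_IMAGE).digest()  # value the verifier trusts

def make_quote(image: bytes, nonce: bytes) -> dict:
    """Hardware side: measure the loaded image and sign it with the nonce."""
    measurement = hashlib.sha256(image).digest()
    sig = hmac.new(DEVICE_KEY, measurement + nonce, hashlib.sha256).digest()
    return {"measurement": measurement, "nonce": nonce, "sig": sig}

def verify_quote(quote: dict, nonce: bytes) -> bool:
    """Verifier side: authentic signature, fresh nonce, expected measurement."""
    want = hmac.new(DEVICE_KEY, quote["measurement"] + quote["nonce"],
                    hashlib.sha256).digest()
    return (hmac.compare_digest(want, quote["sig"])
            and hmac.compare_digest(quote["nonce"], nonce)
            and hmac.compare_digest(quote["measurement"], EXPECTED))

def release_key(quote: dict, nonce: bytes, secret: bytes):
    """Release the secret only to an enclave that proved what it runs."""
    return secret if verify_quote(quote, nonce) else None

def demo() -> dict:
    secret = b"wrapped-data-key (constructed)"
    n1, n2 = os.urandom(16), os.urandom(16)
    good = make_quote(GOOD_IMAGE, n1)
    tampered = make_quote(GOOD_IMAGE + b" + patch", n1)
    forged = dict(tampered, measurement=EXPECTED)  # lie about the measurement
    return {
        "good": release_key(good, n1, secret) == secret,
        "tampered": release_key(tampered, n1, secret) is None,
        "forged": release_key(forged, n1, secret) is None,
        "replayed": release_key(good, n2, secret) is None,
    }

if __name__ == "__main__":
    print(demo())
```

The key is withheld in three cases: a modified image changes the measurement, an edited measurement breaks the signature, and an old quote fails the nonce check.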

Examples

  1. Apple Secure Enclave in iPhones, used for Face ID and key storage.

  2. Intel SGX enclave protecting a private key inside a cloud VM.

Frequently asked questions

What is Secure Enclave?

A hardware-isolated, integrity-protected region of a processor or system-on-chip that runs sensitive code and stores keys outside the reach of the main operating system. It belongs to the Cloud Security category of cybersecurity.

How do you defend against Secure Enclave?

Defences for Secure Enclave typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Secure Enclave?

Common alternative names include: Hardware enclave, Trusted enclave.
