Skip to content

Confidential Computing with SCONE

Kubernetes Support added (2020-05-28)

SCONE supports deploying confidential applications to Kubernetes. We explain the basic concepts and we describe how to deploy confidential applications with helm. See also our deep-dive tutorial to show how to build and run an encrypted Python program in a Kubernetes deployment. This tutorial demonstrates some new features such as policy-based certificate generation and injection. We will add a 2nd part that will show not only how to simplify this but also provide extra security using the commercial version of SCONE.

New Performance Features of SCONE Platform (2020-05-10)

SCONE has excellent performance and excellent security. For some applications like TensorFlow Lite and MariaDB it can actually be used as an accelerator, i.e., it runs faster inside SGX enclaves than natively outside (because we provide, e.g., optimized thread management and synchronization). For confidential High Performance Computing (cHPC) we added more CPU affinity features to support the tuning options used in this domain.

Introduced semantic versioning for SCONE Platform (2020-04-29)

We started to release new verions of the SCONE platform with a fixed period (right now every week). Scone semantic versioning permits clients/users of the SCONE platform to upgrade to new versions in their own speed.

Provide a performance monitoring tool (TEEMon) for SGX-based applications (2020-02-02)

We develop TEEMon - a real-time performance monitoring and analysis tool for Intel SGX-based applications. We integrate TEEMon with Kubernetes to monitor the performance of an application with 1000s SGX enclaves.

Support for most major AI Frameworks and GPU support (2019-11-02)

SCONE supports not only TensorFlow and TensorFlow Lite inside SGX enclaves but also most other frameworks like OpenVino and PyTorch and Scikit-Learn etc. You can use in combinations with GPUs if your objective is to protect your models / Python code. Send us an email to learn more.

SCONE Executive Summary

The SCONE confidential computing platform facilitates always encrypted execution: one can run services and applications such that neither the data nor the code is ever accessible in clear text - not even for root users. Only the application code itself can access the unencrypted data and code. SCONE simplifies the task of encrypting the input, executing the service/application in encrypted memory on an untrusted host, transparently encrypting the output and shipping the output back to the client.

SCONE (Secure CONtainer Environment) supports the execution of confidential applications inside of containers running inside a Kubernetes cluster (example). SCONE also supports the execution of confidential applications inside of VMs (e.g., on top of Windows10) as well as directly on a host (baremetal). SCONE supports all common programming languages. It also supports air-gapped systems both with SGXv1 as well as SGXv2.

The memory size of SCONE-based applications can be up to 32GB on current SGX-capable CPUs. The specifications published by Intel shows that upcoming CPUs will support even larger enclaves and SCONE will - on these CPUs - support applications with basically unlimited memory sizes.

SCONE Workflow

SCONE helps to ensure that data, communications, code and the main memory is always encrypted. To do so, SCONE needs to verify (i.e., attest) that the expected application code is running in a trusted execution environment on a potentially untrusted host. Read our secure remote execution tutorial to see how to perform an encrypted remote execution in a single step. In this way, one can even execute encrypted code. We show how to execute encrypted Python scripts in the context of blender, an encrypted wordcount and a hello world program.

SCONE Workflow

SCONE can help you to encrypt your input and output data on your local computer. The keys are managed with the help of SCONE CAS (Configuration and Attestation Service). SCONE CAS itself runs, of course, inside an enclave. It can either run on the client side or on a remote host. It can even be operated by an untrusted entity and still be trusted by CAS clients.


SCONE supports multiple stakeholders (confidential multiparty computation) that do not necessarily trust each other. SCONE supports users, service providers, application providers, data providers and infrastructure providers. They can all work together and SCONE can ensuring that each party can protect its own intellectual property. Some of the services, like SCONE CAS, can be actually operated by not necessarily trusted stakeholders since clients can verify that the services are in the correct state.

If you are interested in confidential multi-party computations, we can give you access to a proof of concept that shows how to protect AI models and provide access control to the model, e.g., can only be executed on certain machines and only certain arguments can be provided by the user - depending on a given SCONE policy. Just send us an email.

SCONE Stakeholders