OC3 registrations are now open! Join the premier event for confidential computing online or in Berlin on March 27.

EdgelessDB

Blog

Announcing EdgelessDB: The First Confidential Database


From small businesses to large enterprises, the public cloud has become an important driver for innovation and cost savings. But the rapid implementation of cloud-based services comes with compliance and security challenges, especially for those industries working with sensitive data.

At Edgeless Systems, we believe that data security is imperative. Our mission is to build easy-to-use, open-source tools that empower you to protect your most valuable data in a cloud-first world.

Today, we are excited to announce the latest addition to our product portfolio: EdgelessDB, the first true confidential database.

EdgelessDB is a full SQL database that runs entirely inside runtime-encrypted Intel SGX enclaves. In contrast to conventional databases, EdgelessDB ensures that all data is always encrypted --- in memory at runtime as well as on disk. It is protected even in the presence of rootkits or rogue cloud administrators. This makes EdgelessDB the most secure and most versatile option available for both storing and processing data.


What is the difference to existing database encryption solutions?


Most secure database solutions today only encrypt data for storage, and at most use a hardware security module (HSM) to store the corresponding cryptographic keys. Such approaches can only protect data at rest. Once the data is decrypted for processing, the confidentiality of sensitive data is no longer guaranteed.

EdgelessDB is the logical next step in hardware-rooted security: the fusion of relational databases and HSMs to protect your keys and your data both at rest and at runtime.

Comparison of EdgelessDB against conventional databases



How is this different from running a conventional database inside a secure enclave?


EdgelessDB is tailor-made for confidential computing. It is based on the battle-proven MariaDB SQL database and the RocksDB storage engine. The file encryption of EdgelessDB is designed and built for the enclave. It provides confidentiality, integrity, freshness, auditability, and recoverability for data. All while delivering great performance and providing virtually unlimited storage capacity.

EdgelessDB: the manifest concept


Another key feature of EdgelessDB is the concept of a manifest. The manifest is defined in JSON and is similar to a smart contract. It defines the initial state of the database, including access control, in an attestable way. It is a key ingredient for a confidential database.


Why you should use EdgelessDB

  • Replace your existing database with EdgelessDB, and its additional layer of security will allow you to shift sensitive databases from on-premises to the cloud.
  • With EdgelessDB, you can build exciting confidential apps by leveraging EdgelessDB's manifest feature and security properties, for example, pooling and analyzing sensitive data between multiple parties.
  • It's super-easy to install and use. Just run the Docker image from GitHub on an SGX-enabled machine.

We cannot wait to see the possibilities this technology will open up for your organization. If you would like to learn more about EdgelessDB, check out the documentation.



Related reading

View all