Confidential Containers: Why, How, and Where Are We? - Magnus Kulke, Microsoft

Confidential Containers: Why, How, and Where Are We? - Magnus Kulke, Microsoft People on the internet claim that “Cloud is just someone else's computer”. Indeed, the convenience of a cloud provider is offset by a loss of sovereignty over our data. There are ways to mitigate this: Encryption for data in-Transit and at-Rest (e.g., https, dm-crypt) is very common today. However, the data in-Use (i.e. data in CPU registers and memory) is still open to sophisticated attackers or the cloud provider itself. For many sensitive workloads this remains a blocker for adopting cloud solutions. Modern CPUs provide facilities that aim to address this: Confidential Computing (CC), as a set of encryption technologies and processes, limits access to data in-Use to the data owners, locking out everyone else - even the infrastructure providers. It's not trivial to deploy applications into a such an environment and it might require costly customizations. Confidential Containers (CoCo), a CNCF project, aims to democratize the use of CC, by enabling users to "lift-and-shift" their exiting containers with minimal or zero changes to app or infra into a confidential environment. The talk will provide an intro in the principles of Confidential Computing, explain why it's a great fit for containers and describe the project's architecture and technical challenges.