End-to-End Confidentiality with SEV-SNP Leveraging In-Memory Storage

Bibliographic Details
Published in: IEEE European Symposium on Security and Privacy Workshops (Online), pp. 414-421
Main Authors: Brescia, Lorenzo; Colonnelli, Iacopo; Schiavoni, Valerio; Felber, Pascal; Aldinucci, Marco
Format: Conference Proceeding
Language: English
Published: IEEE, 30.06.2025
ISSN: 2768-0657
DOI: 10.1109/EuroSPW67616.2025.00054

More Information
Summary: Confidential computing protects data in use in untrusted cloud environments, yet securing data at rest typically relies on Full Disk Encryption (FDE), which imposes significant performance overhead. This work proposes an alternative in-memory storage approach that eliminates FDE by leveraging SEV-SNP confidential virtual machines (CVMs). The framework extends SNPGuard, an open-source platform for booting and attesting SEV-SNP VMs, to manage workload execution using temporary file systems (tmpfs), which are inherently protected by the CVM's memory encryption. By enabling seamless deployment of Docker-based applications, the approach improves runtime and throughput by 20% on average, with peak gains of 45% in read-only database workloads. These findings establish in-memory storage as a secure and performant alternative to FDE for handling temporary intermediate data in storage-intensive workflows, laying the foundation for future research in this direction.
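The approach in the summary rests on two things the abstract takes for granted: the guest really is an SEV-SNP CVM (otherwise tmpfs is plain host-visible RAM), and tmpfs pages never leave encrypted memory for the guest's virtual disk through swap. The script below is an added example, not code from the paper or from SNPGuard. It assumes a Linux guest whose kernel logs a "Memory Encryption Features active: ... SEV-SNP" line and exposes /dev/sev-guest, a kernel new enough for the tmpfs noswap mount option (Linux 6.4+), a working docker CLI, and the mount point /mnt/scratch; the dmesg lines used in the checks are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the paper or from SNPGuard): set up an in-memory
# scratch area for a Docker workload inside an SEV-SNP guest, with the
# checks a practitioner would want before trusting tmpfs as "encrypted".
# Assumptions: kernel log format as below, /dev/sev-guest present in an
# SNP guest, tmpfs noswap option (Linux 6.4+), docker CLI available.
set -eu

# Pure check on one kernel log line, so it can be exercised offline.
# Returns 0 only when SEV-SNP (not merely SEV or SEV-ES) is listed as active.
snp_active_from_dmesg() {
    case "$1" in
        *"Memory Encryption Features active:"*SEV-SNP*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live guest check: kernel log reports SEV-SNP and the guest attestation
# device exists. Without SNP, a tmpfs is just RAM the host can read.
guest_is_snp() {
    local line
    line=$(dmesg 2>/dev/null | grep -m1 'Memory Encryption Features active' || true)
    snp_active_from_dmesg "$line" && [ -e /dev/sev-guest ]
}

# tmpfs mount options for the scratch area:
#   size    caps the file system so a runaway job cannot exhaust guest RAM
#   mode    keeps other users inside the guest out
#   noswap  pins pages in (encrypted) memory; without it, tmpfs pages under
#           memory pressure are swapped to the guest disk, which is exactly
#           the unencrypted at-rest location this approach is meant to avoid
tmpfs_opts() {
    printf 'size=%s,mode=0700,noswap' "$1"
}

# Mount the scratch tmpfs at $1 with a size cap $2 (e.g. 4G); needs root.
mount_scratch() {
    mkdir -p "$1"
    mount -t tmpfs -o "$(tmpfs_opts "$2")" tmpfs "$1"
}

# Run an image with the guest tmpfs bind-mounted at /scratch. Bind-mounting
# our own tmpfs (instead of docker's --tmpfs) keeps the noswap option under
# our control. Remaining arguments are passed to the container.
run_with_scratch() {
    local dir="$1" image="$2"
    shift 2
    docker run --rm -v "$dir:/scratch" "$image" "$@"
}

main() {
    local dir=/mnt/scratch size=4G
    guest_is_snp || { echo "refusing to run: not an SEV-SNP guest" >&2; exit 1; }
    mount_scratch "$dir" "$size"
    # Constructed demo workload: write 256 MiB of intermediate data to the
    # in-memory scratch area and list it; replace with the real job.
    run_with_scratch "$dir" alpine sh -c \
        'dd if=/dev/zero of=/scratch/intermediate bs=1M count=256 && ls -l /scratch'
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke as root with `--run` inside the guest. On kernels older than 6.4 the noswap option is rejected; the fallback is to disable swap in the guest entirely (`swapoff -a`) before mounting, since an SNP guest's swap device is ordinary virtual disk outside the memory-encryption boundary.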