End-to-End Confidentiality with SEV-SNP Leveraging In-Memory Storage

Lorenzo Brescia (First); Iacopo Colonnelli; Marco Aldinucci
2025-01-01

Abstract

Confidential computing ensures in-use protection of data in untrusted cloud environments, yet securing data at rest typically relies on Full Disk Encryption (FDE), which imposes significant performance overhead. This work proposes an alternative in-memory storage approach that eliminates FDE by leveraging SEV-SNP confidential virtual machines (CVMs). Our framework extends SNPGuard, an open-source platform for booting and attesting SEV-SNP VMs, to manage workload execution using temporary file systems (tmpfs), inherently secured by CVM memory encryption. By enabling seamless deployment of Docker-based applications, our approach improves runtime and throughput by 20% on average, with peak gains of 45% in read-only database workloads. These findings establish in-memory storage as a secure and performant alternative to FDE for handling temporary intermediate data in storage-intensive workflows, laying the foundation for future research in this direction.
Year: 2025
Published in: 2025 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
Location: Venice
Date: July 4
Publisher: IEEE
Pages: 414-421
Keywords: confidential computing, trusted execution environments (TEE), end-to-end confidentiality, AMD SEV-SNP, in-memory storage
Authors: Lorenzo Brescia; Iacopo Colonnelli; Valerio Schiavoni; Pascal Felber; Marco Aldinucci
Files in this item:

systex25-final82.pdf (Open access)
Description: Article
File type: POSTPRINT (AUTHOR'S FINAL VERSION)
Size: 390.8 kB
Format: Adobe PDF

End-To-End_Confidentiality_with_Sev-Snp_Leveraging_in-Memory_Storage.pdf (Restricted access)
Description: Publisher's PDF
File type: PUBLISHER'S PDF
Size: 367.36 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2318/2093251