articles/iot-edge/deploy-confidential-applications.md
Lines changed: 11 additions & 11 deletions
@@ -4,8 +4,8 @@ description: Use the Open Enclave SDK and API to write confidential applications
4
4
author: PatAltimore
5
5
ms.service: azure-iot-edge
6
6
services: iot-edge
7
-
ms.topic: conceptual
8
-
ms.date: 04/08/2024
7
+
ms.topic: concept-article
8
+
ms.date: 05/08/2025
9
9
ms.author: patricka
10
10
---
11
11
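Review bot: The `ms.topic` change from `conceptual` to `concept-article` in the front matter is a metadata-schema change rather than a wording edit, so please confirm that `concept-article` is an accepted value in this docset's build validation before merging; an unrecognized topic type can fail the build or drop the page from topic-type filtering. The `ms.date` bump to 05/08/2025 is consistent with the rest of the patch, which is wording-only in the body.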
@@ -15,29 +15,29 @@ ms.author: patricka
15
15
16
16
Azure IoT Edge supports confidential applications that run within secure enclaves on the device. Encryption provides security for data while in transit or at rest, but enclaves provide security for data and workloads while in use. IoT Edge supports Open Enclave as a standard for developing confidential applications.
17
17
18
-
Security is an important focus of the Internet of Things (IoT) because often IoT devices are often out in the world rather than secured inside a private facility. This exposure puts devices at risk for tampering and forgery because they are physically accessible to bad actors. IoT Edge devices have even more need for trust and integrity because they allow for sensitive workloads to be run at the edge. Unlike common sensors and actuators, these intelligent edge devices are potentially exposing sensitive workloads that were formerly only run within protected cloud or on-premises environments.
18
+
Security is an important focus of the Internet of Things (IoT) because IoT devices are often out in the world rather than secured inside a private facility. This exposure puts devices at risk for tampering and forgery because they are physically accessible to bad actors. IoT Edge devices need more trust and integrity because they run sensitive workloads at the edge. Unlike common sensors and actuators, these intelligent edge devices might expose sensitive workloads that were previously run only in protected cloud or on-premises environments.
19
19
20
20
The [IoT Edge security manager](iot-edge-security-manager.md) addresses one piece of the confidential computing challenge. The security manager uses a hardware security module (HSM) to protect the identity workloads and ongoing processes of an IoT Edge device.
21
21
22
-
Another aspect of confidential computing is protecting the data in use at the edge. A *Trusted execution environment (TEE)* is a secure, isolated environment on a processor and is sometimes referred to as an *enclave*. A *confidential application* is an application that runs in an enclave. Because of the nature of enclaves, confidential applications are protected from other apps running in the main processor or in the TEE.
22
+
Another aspect of confidential computing is protecting data in use at the edge. A *trusted execution environment (TEE)* is a secure, isolated environment on a processor, sometimes referred to as an *enclave*. A *confidential application* is an application that runs in an enclave. Because of the nature of enclaves, confidential applications are protected from other apps running in the main processor or in the TEE.
23
23
24
24
## Confidential applications on IoT Edge
25
25
26
-
Confidential applications are encrypted in transit and at rest, and only decrypted to run inside a trusted execution environment. This standard holds true for confidential applications deployed as IoT Edge modules.
26
+
Confidential applications are encrypted during transit and at rest, and decrypted only to run inside a trusted execution environment. This standard holds true for confidential applications deployed as IoT Edge modules.
27
27
28
-
The developer creates the confidential application and packages it as an IoT Edge module. The application is encrypted before being pushed to the container registry. The application remains encrypted throughout the IoT Edge deployment process until the module is started on the IoT Edge device. Once the confidential application is within the device's TEE, it is decrypted and can begin executing.
28
+
Developers create confidential applications and package them as IoT Edge modules. The application is encrypted before it is pushed to the container registry. The application remains encrypted throughout the IoT Edge deployment process until the module is started on the IoT Edge device. Once the confidential application is within the device's TEE, it is decrypted and can begin executing.
29
29
30
-
:::image type="content" source="./media/deploy-confidential-applications/confidential-applications-encrypted.png" alt-text="Diagram that shows confidential applications are encrypted within IoT Edge modules until deployed into the secure enclave.":::
30
+
:::image type="content" source="./media/deploy-confidential-applications/confidential-applications-encrypted.png" alt-text="Diagram showing that confidential applications are encrypted within IoT Edge modules until deployed into the secure enclave.":::
31
31
32
-
Confidential applications on IoT Edge are a logical extension of[Azure confidential computing](../confidential-computing/overview.md). Workloads that run within secure enclaves in the cloud can also be deployed to run within secure enclaves at the edge.
32
+
Confidential applications on IoT Edge extend[Azure confidential computing](../confidential-computing/overview.md). Workloads that run within secure enclaves in the cloud can also be deployed to run within secure enclaves at the edge.
33
33
34
34
## Open Enclave
35
35
36
-
The [Open Enclave SDK](https://openenclave.io/sdk/) is an opensource project that helps developers create confidential applications for multiple platforms and environments. The Open Enclave SDK operates within the trusted execution environment of a device, while the Open Enclave API acts as an interface between the TEE and the non-TEE processing environment.
36
+
The [Open Enclave SDK](https://openenclave.io/sdk/) is an open-source project that lets developers create confidential applications for multiple platforms and environments. The Open Enclave SDK operates within the trusted execution environment (TEE) of a device, while the Open Enclave API acts as an interface between the TEE and the non-TEE processing environment.
37
37
38
-
Open Enclave supports multiple hardware platforms. IoT Edge support for enclaves currently requires the Open Portable TEE operating system (OP-TEE OS). To learn more, see [Open Enclave SDK for OP-TEE OS](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/OP-TEE/Introduction.md).
38
+
Open Enclave supports multiple hardware platforms. IoT Edge support for enclaves requires the Open Portable TEE operating system (OP-TEE OS). To learn more, see [Open Enclave SDK for OP-TEE OS](https://github.com/openenclave/openenclave/blob/master/docs/GettingStartedDocs/OP-TEE/Introduction.md).
39
39
40
-
The Open Enclave repository also includes samples to help developers get started. For more information, choose one of the introductory articles:
40
+
The Open Enclave repository includes samples to help developers get started. For more information, select one of the introductory articles:
41
41
42
42
*[Building Open Enclave SDK samples on Linux](https://github.com/openenclave/openenclave/blob/master/samples/BuildSamplesLinux.md)
43
43
*[Building Open Enclave SDK samples on Windows](https://github.com/openenclave/openenclave/blob/master/samples/BuildSamplesWindows.md)
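Review bot: The replacement line "Confidential applications on IoT Edge extend[Azure confidential computing](...)" has no space before the link; if that is in the source rather than a rendering artifact of this page, insert the space so the sentence renders as "extend [Azure confidential computing]". Separately, the reworded deployment paragraph ("The application is encrypted before it is pushed to the container registry ... Once the confidential application is within the device's TEE, it is decrypted") still does not say what holds the decryption key or how the encrypted module is bound to the device's TEE, so the "remains encrypted throughout the deployment process" claim is not verifiable by a reader; a sentence on that, or a link to the Open Enclave material already cited in the same hunk, would close the gap. The other edits (dropping "currently" from the OP-TEE OS requirement, "opensource" to "open-source", "choose" to "select", the alt-text rewording) are straightforward style fixes and read correctly.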