
In a nutshell: A secure enclave is a sealed computing environment — like a room with no windows — where your messages and files are processed. Nobody can look inside, not even Tresor or the company hosting the servers.
Imagine you need a translator to work on a confidential document. Instead of handing the document to the translator in an open office, you:
Place the document inside a sealed, tamper-proof room.
The translator works inside this room with no windows, no cameras, and no microphones.
When done, the translator passes the translated document back through a locked slot.
Nobody outside the room — not the building owner, not the security guards, not you — could observe what happened inside.
That's essentially what a secure enclave does for your Tresor conversations. The AI works inside this sealed environment. Your messages go in encrypted, get processed privately, and the response comes back encrypted.
Secure enclaves use special hardware built into modern processors. These processors have a feature that creates an isolated area of memory and computing that's:
Invisible to the operating system — The computer's main software can't peek into the enclave's memory.
Invisible to the cloud provider — Even the engineers running the data center can't access what happens inside.
Invisible to Tresor — Tresor's own team has no way to inspect the enclave's contents.
Tamper-evident — If anyone tries to modify the code running inside the enclave, it produces a different "measurement" that fails verification.
Without an enclave, using a cloud AI service requires you to trust that the provider:
Doesn't log your messages
Doesn't train on your data
Doesn't share your data with third parties
Secures their servers properly
With Tresor's enclave approach, you don't need to trust anyone's promises. The hardware itself enforces that your data stays private. Even if Tresor wanted to read your messages (which we don't), the technology wouldn't allow it.
Before your data enters the enclave, Tresor performs an attestation check — an independent verification that:
The enclave is genuine (real hardware, not a simulation)
The code running inside is exactly what it should be (not modified)
The enclave's security features are active
This creates a chain of trust from the hardware manufacturer all the way to your browser. The result is shown as a green verification badge in the Tresor interface.
Tresor uses enclave technology from multiple providers, ensuring redundancy and the highest available security standards.
The AI models themselves also run inside secure enclaves at Tresor's inference providers.
Attestation checks happen automatically — you don't need to do anything.
You can inspect the attestation details any time by clicking the privacy badge in the prompt box. See Verifying your conversation's privacy.
Tresor's enclaves run on hardware supporting either:
AMD SEV-SNP (Secure Encrypted Virtualization – Secure Nested Paging): Provides memory encryption and integrity protection at the hardware level.
Intel TDX (Trust Domain Extensions): Similar isolation guarantees via Intel's confidential computing stack.
Attestation is performed via:
Tinfoil: Provides SDK-verified attestation with code measurements, enclave measurements, TLS certificate fingerprints, and bundle hashes. Tresor verifies these against known-good values.
RedPill/Phala: Provides TDX-based attestation quotes with MRTD measurements and signing address tracking.
Both providers publish attestation evidence that Tresor's enclave independently verifies. The verification results are signed as JWS (JSON Web Signature, ES256) receipts and stored as immutable records.
The underlying technology is part of the Confidential Computing standard promoted by the Confidential Computing Consortium, an industry group that includes AMD, Intel, Microsoft, Google, and others.
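The measurement and known-good comparison described above, as an added example (not Tresor's, Tinfoil's or Phala's code). It uses a simplified hash-chain model of a measurement register, hypothetical field names (`platform`, `debug_enabled`, `measurement`, `tls_fingerprint`), and assumes the hardware vendor's signature on the evidence has already been validated.

```python
import hashlib
import hmac

def extend(register: bytes, component: bytes) -> bytes:
    # Hash chain: the new value depends on every component loaded so far.
    return hashlib.sha384(register + hashlib.sha384(component).digest()).digest()

def measure(components) -> str:
    register = bytes(48)  # register starts zeroed
    for component in components:
        register = extend(register, component)
    return register.hex()

def verify_evidence(evidence: dict, policy: dict) -> list:
    """Return the names of failed checks; an empty list means 'verified'."""
    failures = []
    if evidence.get("platform") not in policy["platforms"]:
        failures.append("platform")
    # Fail closed: a missing flag is treated as "debug may be on".
    if evidence.get("debug_enabled") is not False:
        failures.append("debug")
    for field in ("measurement", "tls_fingerprint"):
        reported = str(evidence.get(field, "")).encode()
        # Constant-time comparison against every known-good value.
        if not any(hmac.compare_digest(reported, good.encode())
                   for good in policy[field]):
            failures.append(field)
    return failures

# Constructed sample data (not real Tresor, Tinfoil or Phala values).
BUILD = [b"firmware-v1", b"kernel-v1", b"inference-server-v1"]
TAMPERED_BUILD = [b"firmware-v1", b"kernel-v1", b"inference-server-v1+logging"]
CERT_FP = hashlib.sha256(b"constructed TLS certificate").hexdigest()

POLICY = {
    "platforms": ("sev-snp", "tdx"),
    "measurement": [measure(BUILD)],
    "tls_fingerprint": [CERT_FP],
}
GOOD_EVIDENCE = {"platform": "tdx", "debug_enabled": False,
                 "measurement": measure(BUILD), "tls_fingerprint": CERT_FP}
TAMPERED_EVIDENCE = dict(GOOD_EVIDENCE, measurement=measure(TAMPERED_BUILD))

if __name__ == "__main__":
    print("good:", verify_evidence(GOOD_EVIDENCE, POLICY))
    print("tampered:", verify_evidence(TAMPERED_EVIDENCE, POLICY))
```

Changing a single component changes the final measurement, so the tampered build fails the known-good comparison even though every other field is unchanged.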
How Tresor protects your privacy — The full privacy picture.
Verifying your conversation's privacy — Check the cryptographic proof yourself.
Glossary — Definitions of attestation, TEE, encryption, and more.