Confidential Compute on io.net provides hardware-encrypted GPU workloads using Trusted Execution Environments (TEEs), ensuring that your data, models, and computations remain private even from GPU providers and io.net infrastructure operators. This technology enables HIPAA-compliant AI training, SOC 2-compliant inference serving, and secure processing of sensitive data on decentralized infrastructure.
The system uses AMD SEV (Secure Encrypted Virtualization) and NVIDIA Confidential Computing to create isolated, encrypted enclaves where GPU workloads run. All data in memory (VRAM and system RAM) is encrypted with keys accessible only to your workload, cryptographic attestation proves the integrity of the execution environment, and decryption keys never leave the secure enclave.
How Confidential Compute Works
Traditional GPU Cloud:

```text
Your Data → Provider Infrastructure
├─ Provider can access data in memory
├─ Provider can access model weights
└─ Provider can access computation results
Risk: Data exposure, model theft, compliance violations
```

Confidential Compute:

```text
Your Data → Encrypted Enclave (TEE)
├─ Hardware-encrypted memory (AMD SEV / NVIDIA CC)
├─ Encrypted VRAM (GPU memory)
└─ Cryptographic attestation
Provider sees only: Encrypted blobs, cannot decrypt
Your data: Protected by hardware encryption keys
```
Key Features
1. Hardware-Based Encryption
- AMD SEV-SNP: Encrypts system memory with per-VM encryption keys
- NVIDIA Confidential Computing: Encrypts GPU memory (VRAM) separately
- Key Management: Encryption keys generated inside TEE, never exposed
- Attestation: Cryptographic proof that workload runs in genuine secure enclave
2. Zero-Trust Architecture
- Provider cannot access data even with root/admin privileges
- io.net platform cannot decrypt workload data
- Physical access to server doesn't compromise security
- Network traffic encrypted end-to-end (TLS 1.3)
3. Compliance-Ready
- HIPAA: Protected Health Information (PHI) processing
- SOC 2 Type II: Data security controls (in progress)
- GDPR: EU data protection requirements
- ISO 27001: Information security management (planned 2026)
Use Cases
Healthcare AI:
```bash
# Train medical imaging model on encrypted patient data
# Example: Chest X-ray classification
io deploy confidential \
  --image pytorch/pytorch:latest \
  --gpu A100 --confidential \
  --dataset s3://hipaa-compliant-bucket/xray-dataset \
  --compliance hipaa \
  --attestation-required
# Provider cannot see:
# - Patient X-ray images
# - Model architecture
# - Training outputs
# - Inference results
```
Financial Services:
```bash
# Fraud detection model training on sensitive transaction data
io deploy confidential \
  --image tensorflow/tensorflow:latest-gpu \
  --gpu H100 --confidential \
  --dataset encrypted://transactions.db \
  --compliance pci-dss \
  --key-management hsm
```
Proprietary Model Protection:
```bash
# Deploy commercial LLM without exposing weights to provider
io deploy confidential \
  --image vllm/vllm-openai:latest \
  --gpu A100 --count 4 --confidential \
  --model encrypted://my-proprietary-llm-70b \
  --attestation-required
# Benefits:
# - Model weights never decrypted outside TEE
# - Prevent model theft or extraction
# - Serve API without exposing IP
```
Enterprise Data Processing:
```bash
# Process confidential business data (customer PII, trade secrets)
io deploy confidential \
  --image custom-analytics:latest \
  --gpu A100 --confidential \
  --dataset encrypted://enterprise-data \
  --compliance soc2 \
  --audit-logging
```
Technical Architecture
Confidential GPU Workflow:
1. Client: Generate encryption keys locally
2. Client: Encrypt data + model with keys
3. Client: Upload encrypted blobs to io.net
4. io.net: Provision GPU with TEE support
5. TEE: Request keys from client's Key Management Service
6. KMS: Verify TEE attestation (cryptographic proof)
7. KMS: Release keys to TEE (keys never leave secure enclave)
8. TEE: Decrypt data inside encrypted memory
9. GPU: Process data (VRAM encrypted by NVIDIA CC)
10. TEE: Encrypt results before returning
11. Client: Decrypt results locally
Attestation Flow:
```bash
# Generate attestation report
io confidential attest my-workload
# Returns:
# - CPU measurement (AMD SEV-SNP report)
# - GPU measurement (NVIDIA attestation)
# - Software hash (Docker image + dependencies)
# - Cryptographic signature from hardware

# Verify attestation
io confidential verify attestation.bin \
  --expected-image pytorch/pytorch:latest \
  --expected-gpu A100
# Output: ✓ Attestation valid - workload runs in genuine TEE
```
Performance Impact
Encryption Overhead:
| Workload Type | Performance Impact | Notes |
|---|---|---|
| LLM Training | 3-5% slower | Minimal impact on GPU-bound operations |
| LLM Inference | 5-8% slower | Memory encryption overhead |
| Image Generation | 2-4% slower | Negligible for most workloads |
| Data Processing | 8-12% slower | Higher impact on memory-intensive tasks |
Benchmarks (Llama 3 70B Training, 8x A100):
Standard io.net: 12,500 tokens/sec
Confidential Compute: 11,900 tokens/sec (-5%)
Cost difference: +10% ($9.68/hr vs. $8.80/hr)
Security gain: Full hardware encryption, HIPAA compliance
Recommendation: 5-10% performance trade-off is worthwhile for regulated industries or sensitive data.
Pricing
Confidential Compute Premium:
| GPU Type | Standard | Confidential | Premium |
|---|---|---|---|
| A100 (40GB) | $1.10/hr | $1.21/hr | +10% |
| A100 (80GB) | $1.32/hr | $1.45/hr | +10% |
| H100 (80GB) | $1.49/hr | $1.64/hr | +10% |
Comparison to Competitors:
| Provider | A100 Confidential | Availability |
|---|---|---|
| io.net | $1.21/hr | Available now (beta) |
| AWS Nitro Enclaves | N/A | No GPU support |
| Azure Confidential Computing | $3.67/hr | Limited regions |
| Google Confidential VMs | $3.20/hr | No H100 support |
Deployment Example
Deploy Confidential Training Job:
```bash
# 1. Generate a 256-bit data encryption key locally
#    (hex-encoded so the file is usable as a gpg passphrase file)
openssl rand -hex 32 > encryption.key
chmod 600 encryption.key
# 2. Encrypt the dataset with that key (symmetric AES-256), so the same key
#    passed in step 4 is the one the TEE receives after attestation
gpg --symmetric --batch --pinentry-mode loopback \
  --cipher-algo AES256 --passphrase-file encryption.key dataset.tar.gz
# 3. Upload encrypted data
aws s3 cp dataset.tar.gz.gpg s3://my-confidential-bucket/
# 4. Deploy confidential workload
io deploy confidential \
  --image pytorch/pytorch:latest \
  --gpu A100 --count 4 \
  --confidential \
  --dataset s3://my-confidential-bucket/dataset.tar.gz.gpg \
  --encryption-key file://encryption.key \
  --attestation-required \
  --name confidential-training
# 5. Verify attestation before releasing keys
io confidential verify confidential-training
# ✓ TEE verified
# ✓ GPU secure mode enabled
# ✓ Image hash matches: pytorch/pytorch:latest
# 6. Training proceeds in encrypted enclave
# 7. Encrypted outputs returned to you
```
Deploy Confidential Inference API:
```bash
io deploy confidential \
  --image vllm/vllm-openai:latest \
  --gpu A100 --confidential \
  --model encrypted://my-model \
  --port 8000 \
  --attestation-required \
  --name confidential-api
# API endpoint: https://xxx-confidential.ionet.cloud
# All requests/responses encrypted end-to-end
# Model weights never exposed to provider
```
Attestation and Verification
Client-Side Verification:
```python
import io_sdk

# Connect to workload
workload = io_sdk.connect("confidential-training")

# Request attestation
attestation = workload.get_attestation()

# Verify:
# 1. CPU report (AMD SEV-SNP)
assert attestation.verify_cpu_measurement()
# 2. GPU report (NVIDIA Confidential Computing)
assert attestation.verify_gpu_measurement()
# 3. Software integrity (Docker image hash)
assert attestation.verify_image_hash("pytorch/pytorch:latest")
# 4. Cryptographic signature
assert attestation.verify_signature()

print("✓ Attestation verified - safe to release encryption keys")
```
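Steps 5 to 7 of the workflow, the attestation flow and the client-side verification snippet above all describe the same gate from different sides: the key leaves the client's KMS only for a report that genuine hardware signed and that matches the expected measurement. The following is an added example, not io.net's SDK or KMS: a minimal client-side key service that checks a (simulated) hardware signature first, then nonce freshness against replay, then every policy field, and releases the dataset key only when all three pass. It pins the image by content digest rather than the mutable tag `pytorch/pytorch:latest`, because a tag can point at a different image tomorrow while a digest cannot. The report layout, the HMAC stand-in for the vendor-rooted hardware signature, the policy values and the dataset key are all constructed assumptions for this example.

```python
"""Attestation-gated key release (workflow steps 5-7). Added example.

Report format, HMAC stand-in for the hardware signature, policy values and the
dataset key are constructed; real SEV-SNP / NVIDIA CC reports are signed by
vendor-rooted keys and checked against the vendor certificate chain instead.
"""
import hashlib
import hmac
import json
import secrets

# Assumption: stand-in for the hardware attestation signing key. Only genuine
# hardware can produce a signature with it; the provider never holds it.
HARDWARE_SIGNING_KEY = b"constructed-hardware-signing-key"

# Constructed policy: image pinned by digest, not by a mutable tag such as
# pytorch/pytorch:latest, so a swapped image changes the measurement.
EXPECTED_POLICY = {
    "cpu_tee": "AMD-SEV-SNP",
    "gpu_cc_mode": "enabled",
    "image_digest": hashlib.sha256(b"constructed pytorch image").hexdigest(),
}

# Constructed placeholder for the data encryption key generated on the client.
DATASET_KEY = bytes(range(32))


def _canonical(report: dict) -> bytes:
    """Deterministic encoding so the signature covers every field."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report: dict) -> str:
    """Stand-in for the hardware signing the attestation report."""
    return hmac.new(HARDWARE_SIGNING_KEY, _canonical(report), hashlib.sha256).hexdigest()


class KeyManagementService:
    """Client-side KMS: releases DATASET_KEY only to a verified enclave."""

    def __init__(self, policy: dict, dataset_key: bytes):
        self.policy = policy
        self.dataset_key = dataset_key
        self.live_nonces = set()   # issued to an enclave, not yet consumed
        self.audit_log = []        # one entry per release attempt

    def issue_nonce(self) -> str:
        """Fresh challenge the enclave must echo; defeats report replay."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, report: dict, signature: str) -> list:
        """Return failure reasons; an empty list means the report is trusted."""
        if not hmac.compare_digest(sign_report(report), signature):
            return ["signature invalid"]   # nothing else in the report is trustworthy
        reasons = []
        if report.get("nonce") not in self.live_nonces:
            reasons.append("nonce unknown or already used (replay)")
        for field, expected in self.policy.items():
            if report.get(field) != expected:
                reasons.append(f"{field} mismatch")
        return reasons

    def release_key(self, report: dict, signature: str):
        """Step 7: hand over the key only when every check passes, else None."""
        reasons = self.verify(report, signature)
        self.audit_log.append({"nonce": report.get("nonce"), "released": not reasons, "reasons": reasons})
        if reasons:
            return None
        self.live_nonces.discard(report["nonce"])   # single use
        return self.dataset_key


def build_report(kms: KeyManagementService, image_digest: str) -> tuple:
    """What the TEE sends in step 5, signed by the (simulated) hardware."""
    report = {
        "cpu_tee": "AMD-SEV-SNP",
        "gpu_cc_mode": "enabled",
        "image_digest": image_digest,
        "nonce": kms.issue_nonce(),
    }
    return report, sign_report(report)


def demo() -> dict:
    """Four cases a reviewer of this flow cares about; key or None per case."""
    kms = KeyManagementService(EXPECTED_POLICY, DATASET_KEY)
    good, good_sig = build_report(kms, EXPECTED_POLICY["image_digest"])
    wrong, wrong_sig = build_report(kms, hashlib.sha256(b"some other image").hexdigest())
    # Report edited after signing (e.g. by the provider): signature no longer matches.
    forged = dict(wrong, image_digest=EXPECTED_POLICY["image_digest"])
    return {
        "genuine": kms.release_key(good, good_sig),
        "replayed": kms.release_key(good, good_sig),
        "wrong_image": kms.release_key(wrong, wrong_sig),
        "forged": kms.release_key(forged, wrong_sig),
    }


if __name__ == "__main__":
    for case, key in demo().items():
        print(f"{case:12s} -> {'key released' if key else 'refused'}")
```

Only the `genuine` case receives the key; the replayed report fails on the consumed nonce, the honestly signed report for a different image fails on the digest, and the edited report fails the signature check before any of its fields are consulted. The `audit_log` entries are what the `--audit-logging` flag above would feed to compliance tracking.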
Compliance Certifications
Current Status (April 2026):
- ✅ AMD SEV-SNP support (CPU encryption)
- ✅ NVIDIA Confidential Computing support (GPU encryption)
- ✅ GDPR compliance
- 🔄 SOC 2 Type II (audit in progress, completion Q2 2026)
- 🔄 HIPAA compliance (certification in progress, Q2 2026)
- 📅 ISO 27001 (planned Q3 2026)
- 📅 FedRAMP (planned 2027)
Audit Reports Available:
- Independent security audit (NCC Group)
- Penetration testing report
- Encryption implementation review
Request via: [email protected]
Limitations and Considerations
Current Limitations:
- Confidential Compute available on A100, H100 GPUs only (not RTX 4090)
- Slightly higher latency (5-10%) due to encryption overhead
- Limited to AMD EPYC + NVIDIA H100/A100 hardware combinations
- Beta feature (SLA not yet guaranteed for production workloads)
Not Protected:
- Timing side-channels (advanced attacks may infer information from timing)
- Network metadata (packet sizes/timing visible, but content encrypted)
- Inference results (outputs encrypted in transit, but visible to client)
Best Practices:
1. Always verify attestation before releasing keys
2. Use hardware security modules (HSM) for key management
3. Rotate encryption keys regularly (monthly recommended)
4. Enable audit logging for compliance tracking
5. Test with synthetic data before deploying with sensitive data
Comparison: Confidential vs. Standard
| Aspect | Standard GPU | Confidential GPU |
|---|---|---|
| Data Privacy | Provider can access | Hardware-encrypted, provider-blind |
| Compliance | Not HIPAA/SOC 2 ready | HIPAA/SOC 2 compliant |
| Performance | 100% baseline | 92-97% (3-8% overhead) |
| Cost | Baseline | +10% |
| Availability | All GPUs | A100, H100 only |
| Setup Complexity | Simple | Moderate (key management required) |
| Use Case | General workloads | Regulated industries, sensitive data |
Deploy confidential workloads on io.net with hardware encryption and HIPAA-ready infrastructure.
