Confidential Containers logo and wordmark

What are Confidential Containers?

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies. The project brings together software and hardware companies including Alibaba-cloud, AMD, ARM, IBM, Intel, Microsoft, Red Hat, Rivos and others.

The CoCo project builds on existing and emerging hardware security technologies such as Intel SGX, Intel TDX, AMD SEV and IBM Z Secure Execution, in combination with new software frameworks to help better secure user data in use. This will establish a new level of confidentiality, which does not rely on trust in the cloud providers and their employees, but on hardware-level cryptography. CoCo will support multiple environments including public clouds, on-premise and edge computing.

The goal of the CoCo project is to standardize confidential computing at the container level and simplify its consumption in Kubernetes. This is in order to enable Kubernetes users to deploy confidential container workloads using familiar workflows and tools without extensive knowledge of underlying confidential computing technologies.


Latest posts

Confidential computing primer

May 2, 2023 - Christophe de Dinechin, David Gilbert, James Bottomley

This article is the first in a six-part series in which we present various usage models for confidential computing, a set of technologies designed to protect data in use—for example by using memory encryption—and the requirements to get the expected security and trust benefits from t​​he technology...read more

Deploying confidential containers on the public cloud

April 14, 2023 - Jens Freimann, Suraj Deshmukh, Amar Gowda, Ariel Adam, Pradipta Banerjee

In this article we will describe how Microsoft and Red Hat are collaborating in the open source community to show how Red Hat OpenShift can be deployed on Azure Confidential Computing for providing confidential container capabilities to its users...read more

How to use Confidential Containers without confidential hardware

March 6, 2023 - Wainer dos Santos Moschetta, Steve Horsman

The CoCo community recognizes that not every developer has access to TEE-capable machines and we don't want this to be a blocker for contributions. So version 0.1.0 and later come with a custom runtime that lets developers play with CoCo on either a simple virtual or bare-metal machine. In this tutorial you will learn: How to install CoCo and create a simple confidential pod on Kubernetes, and the main features that keep your pod confidential…read more

Understanding the Confidential Containers Attestation Flow

December 2, 2022 - Pradipta Banerjee, Samuel Ortiz

This article describes the hardware-based attestation flows and processes that the Confidential Containers project is built upon. With hardware-based attestation, a confidential computing processor generates cryptographic evidence for a workload-running environment. Provided that the workload owner trusts that piece of hardware, they can then remotely verify that evidence and decide if the workload’s execution environment is trustworthy or not…read more

What is the Confidential Containers project?

October 7, 2022 - Pradipta Banerjee, Christophe de Dinechin, Ariel Adam, Jochen Schroder, Martin Tessun

Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies…read more