Intel SGX: Secure Data & Trusted Execution

Intel SGX (Software Guard Extensions) is a CPU-based security technology introduced with the Skylake processors. SGX adds an extra layer of protection, preventing even privileged malware from accessing sensitive data.

Whether in on-premises, public, private, or hybrid cloud environments, Intel SGX creates a trusted environment for processing critical information.

PhoenixNAP Bare Metal Cloud offers servers with SGX support to ensure maximum data security.

Requirements for Using Intel SGX ​

To use Intel SGX, your system must meet these requirements:

• Intel CPU with SGX support
• BIOS with Intel SGX enabled
• SGX setting in BIOS set to Enabled or Software Controlled
• Installation of the Intel SGX Platform Software package

What is Intel SGX? ​

Intel SGX allows applications to run in isolated memory regions, reducing the risk of internal and external attacks.

Key features include:

• Prevents data modification and deletion
• Prevents data disclosure
• Enhances application code security

This is achieved by encrypting memory portions, ensuring sensitive data remains safe even if the system is compromised.

---

What is an SGX Enclave? ​

Enclaves are secure, isolated memory areas within the CPU, protecting sensitive application data.

• Code and data are only accessible inside the enclave
• CPU automatically encrypts the data and stores the key internally
• Even physical access cannot compromise the data

This ensures that not even cloud providers or attackers can access protected information.

---

How Intel SGX Works ​

Every SGX application has two parts:

1. Untrusted part - Handles enclave creation and communication
2. Trusted part - Stores the enclave and processes sensitive data securely

Workflow:

• Trusted code runs in the enclave
• Data outside the enclave is encrypted
• Decryption occurs only within the enclave on the same CPU

This ensures complete data confidentiality and integrity.

---

When to Use Intel SGX ​

Intel SGX is ideal for confidential computing across industries:

• Finance & Insurance
• Healthcare & Social Care
• Military
• Commerce

It allows secure data sharing across organizations, with control over who can access what information and for how long.

Intel SGX Supported CPUs ​

• Xeon Scalable processors (from Q3 2015 onward)
  • Intel® Xeon® E-2288G
  • Intel® Xeon® Gold 6326
  • Intel® Xeon® Platinum 8352Y
• Most 6th generation Intel Core CPUs (desktop & mobile) also support SGX

Check the Intel product search page to verify SGX support for your CPU.

How to Enable Intel SGX in BIOS ​

SGX can be enabled in BIOS if supported:

• Disabled - Default, SGX cannot be used
• Enabled - SGX is active, ensure PRMRR configuration is correct
• Software Controlled - Applications can request SGX activation

Locate SGX under Advanced -> CPU Configuration in UEFI BIOS, or under Configuration in legacy BIOS.

Intel SGX Benefits ​

• Enhanced security for sensitive data, including biometric and authentication information
• Protection from threats targeting BIOS, system components, and root users
• Data sealing ensures intellectual property remains safe even outside enclaves
• Supports scalable trusted server clusters without compromising security

Intel SGX provides peace of mind for businesses needing confidential computing and secure execution.