Skip to main content

Architecture

Each Polaris container includes an instance of the Polaris Secure Proxy. Refer to the diagram below for a visual representation.

Polaris Architecture

Trusted Execution Environment (TEE)

The Polaris Container is designed to run inside a Trusted Execution Environment (TEE) to ensure data is encrypted at all times, including while in use. This is achieved by provisioning Polaris within a Confidential Virtual Machine (CVM) based on AMD SEV-SNP technology. The exact implementation varies depending on the Cloud Service Provider in use. For more details, see the Cloud Providers documentation.

Confidential Virtual Machines provide full memory encryption with minimal overhead. This ensures that data in the machine's memory is protected against a malicious hypervisor or other VMs running on the same host. The encryption is hardware-based and does not require any changes to the workload running inside the VM.

Polaris Secure Proxy

The Polaris Secure Proxy operates as an HTTP proxy server in front of the client workload. It is implemented in TypeScript using the efficient express-http-proxy library. The proxy can be configured to enable transparent decryption of incoming requests and encryption of responses for secure communication.

With Polaris, the proxy also manages access to the private keys used for decrypting data inside the TEE. Specifically, the proxy provisions an ephemeral 4096-bit RSA public/private key pair, which is stored in memory. The private key is only accessible within the TEE and is never exposed externally. This key changes each time the Polaris container restarts, so it cannot be used for encrypting data intended for permanent storage. If your use case requires permanent data encryption, use Polaris Pro.

For details on configuring the Polaris Secure Proxy, refer to the Polaris Secure Proxy documentation.

Permanent Encryption Key

The proxy also manages access to the private keys used to decrypt data inside the TEE. For Polaris Pro, the proxy connects to an external key management solution that securely stores a 4096-bit RSA private key inside a Hardware Security Module (HSM). The private key is accessed only through an attestation policy, which ensures it is used exclusively inside a TEE. The key management service and attestation policy rely on services provided by the cloud provider. For more information, see the Cloud Providers documentation.

Having a permanent decryption key allows encryption and decryption of data stored permanently in a bucket, on a disk, in a database, or any other storage medium. For implementing encryption and decryption from the workload container, please refer to the Polaris SDK documentation.