Architecture
Each Polaris container includes an instance of the Polaris Secure Proxy and the client workload container. Refer to the diagram below for a visual representation.
Trusted Execution Environment (TEE)
The Polaris Container is designed to run inside a Trusted Execution Environment (TEE) to ensure data is encrypted at all times, including while in use. This is achieved by provisioning Polaris within a Confidential Virtual Machine (CVM) based on AMD SEV-SNP technology. The exact implementation varies depending on the Cloud Service Provider in use. For more details, see the Cloud Providers documentation.
Confidential Virtual Machines encrypt all guest memory in hardware with minimal overhead, using a per-VM key that is managed by the AMD Secure Processor and is never exposed to the hypervisor. Data in the machine's memory is therefore protected against a malicious or compromised hypervisor and against other VMs running on the same host; SEV-SNP additionally enforces memory integrity, so the hypervisor cannot silently modify or replay guest pages. The encryption is transparent to the guest and requires no changes to the workload running inside the VM. Note that memory encryption on its own does not tell a remote party which code is running inside the CVM; that is the role of the SEV-SNP attestation report.
Client Workload
The client workload runs as a Docker container inside the TEE. You can configure the Docker image to be used inside the Polaris container, along with environment variables, the entrypoint command, and parameters. Polaris handles the creation of the Docker container and its network configuration. In most cases, no modifications to your workload are required: the workload speaks plain HTTP to the proxy inside the TEE, and the proxy transparently decrypts incoming requests and encrypts outgoing responses on its behalf.
For details on how to configure the client workload, see the Client Workload Configuration documentation.
Polaris Secure Proxy
The Polaris Secure Proxy operates as an HTTP proxy server in front of the client workload. It is implemented in TypeScript on top of the express-http-proxy library. When enabled, the proxy transparently decrypts incoming requests before forwarding them to the workload and encrypts the workload's responses before returning them to the caller.
The proxy also manages access to the private key used for decrypting data inside the TEE. Specifically, the proxy provisions an ephemeral 4096-bit RSA key pair that is held only in memory; the private key never leaves the TEE and is not written to disk. A new key pair is generated each time the Polaris container restarts, so a client must obtain the current public key from the running instance before encrypting and must fetch it again after any restart. Data encrypted to a previous instance's key is unrecoverable, which is why this key must not be used for encrypting data intended for permanent storage. If your use case requires permanent data encryption, see Polaris Pro.
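The following is an added illustration of the key lifecycle described above and of the transparent decrypt-on-ingress step; it is example code written for this page, not Polaris' own proxy code. The wire format is an assumption: because a 4096-bit RSA key can directly encrypt only a few hundred bytes, the example uses a hybrid envelope (RSA-OAEP wrapping a fresh AES-256-GCM key), and the class, function and field names are illustrative. It uses only Node's `node:crypto`.

```typescript
// Added example (not Polaris code): hybrid envelope encryption against an
// ephemeral, in-memory RSA key pair that is replaced on every restart.
// The envelope format below is an assumption; this page does not document
// the proxy's real request format.
import {
  generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
  createCipheriv, createDecipheriv, constants, KeyObject,
} from "node:crypto";

// Envelope: RSA-OAEP wraps a one-time AES key; AES-GCM protects the body.
export interface Envelope {
  wrappedKey: string; // base64, RSA-OAEP(SHA-256) over the 32-byte AES key
  iv: string;         // base64, 12-byte GCM nonce
  tag: string;        // base64, 16-byte GCM authentication tag
  body: string;       // base64 ciphertext of the HTTP body
}

const OAEP = { oaepHash: "sha256", padding: constants.RSA_PKCS1_OAEP_PADDING };

// Stand-in for the proxy's key handling (hypothetical class): the key pair
// exists only in memory and rotate() models a container restart.
export class EphemeralKeyHolder {
  private privateKey!: KeyObject;
  public publicKeyPem!: string;
  constructor(private readonly modulusLength = 4096) { this.rotate(); }

  rotate(): void {
    const { publicKey, privateKey } = generateKeyPairSync("rsa", {
      modulusLength: this.modulusLength,
    });
    this.privateKey = privateKey; // never exported, never written to disk
    this.publicKeyPem = publicKey.export({ type: "spki", format: "pem" }) as string;
  }

  // Proxy side: unwrap the AES key, then decrypt and authenticate the body.
  // Throws if the body was tampered with or was sealed to a different key.
  open(env: Envelope): string {
    const aesKey = privateDecrypt({ key: this.privateKey, ...OAEP },
      Buffer.from(env.wrappedKey, "base64"));
    const d = createDecipheriv("aes-256-gcm", aesKey, Buffer.from(env.iv, "base64"));
    d.setAuthTag(Buffer.from(env.tag, "base64"));
    return Buffer.concat([d.update(Buffer.from(env.body, "base64")), d.final()])
      .toString("utf8");
  }
}

// Client side: encrypt a request body to the proxy's *current* public key.
export function seal(publicKeyPem: string, plaintext: string): Envelope {
  const aesKey = randomBytes(32);
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", aesKey, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return {
    wrappedKey: publicEncrypt({ key: publicKeyPem, ...OAEP }, aesKey).toString("base64"),
    iv: iv.toString("base64"),
    tag: c.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

// Simulates a restart and reports whether an envelope sealed before it is
// still readable. With a truly ephemeral key this is always false.
export function survivesRestart(holder: EphemeralKeyHolder, env: Envelope): boolean {
  holder.rotate();
  try { holder.open(env); return true; } catch { return false; }
}
```

A client that caches `publicKeyPem` across a restart will produce envelopes the new instance cannot open, which is the failure mode behind the "no permanent storage" caveat above. Binding the fetched public key to the instance's attestation evidence, rather than trusting whatever key an endpoint returns, is the check a practitioner would add on top of this.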
For details on configuring the Polaris Secure Proxy, refer to the Polaris Secure Proxy documentation.