A Trusted Execution Domain (TED) is an encrypted virtual machine implemented with Intel TDX technology. The abbreviation TDX is an Intel term that stands for Trusted Domain firmware eXtensions.
The underlying chip technology encrypts all data and machine instructions belonging to your software as soon as they leave the central processing unit (CPU), including when they are written to the system bus and on into RAM. The keys used are accessible only to the CPU. This is a significant step toward improving IT security: it means that vulnerabilities in the operating system can no longer be exploited by attackers to compromise integrity and confidentiality. Even insider attacks on these cornerstones of IT security are no longer possible at this point.
To ensure that this function can be used safely, the integrity and, indirectly, the trustworthiness of each TED must be guaranteed. In order to perform integrity checks automatically, both the host operating system and the guest operating systems must be configured accordingly, which enables secure boot and software signature checks. For each TED, an attestation is performed to determine whether the hardware can be trusted to start the TED (remote attestation); this attestation can also be performed independently of BetterEdge for confirmation purposes.
To enable this secure operation of TEDs, the BetterEdge Control software also uses Intel's underlying “Software Guard Extensions (SGX)” technology, which protects the computing processes directly. While a TED is accessible to you as an administrator, SGX-protected processes do not allow administrator access and therefore prevent misuse of this privilege.
The SGX and TDX confidential computing technologies have been further developed since 2013 and have now reached a robust level of maturity, according to the respective status reports from Intel that are queried during the attestation process.
Finally, BetterEdge TEDs also automatically encrypt all data stored in the storage area associated with the TED. This makes TEDs particularly easy to use, as in many cases there is no need to worry about encrypting the data to be persisted. Where such encryption is nevertheless required, particularly secure and automatically managed keys are available.
To achieve high availability, it does not make sense to rely on a single TED. For this purpose, so-called TED clusters can be set up, whose members are connected to each other via virtual networking. The individual TEDs of a TED cluster are selected from different BetterEdge modules in separate availability zones.
For larger software packages, TEDs with multiple virtual cores, lots of RAM, and lots of storage can also be created.
Various Linux distributions and versions are available as guest operating systems.
If you enter your contact details in the form below, agree to the privacy policy, and consent to us contacting you if necessary, our operations department will send you a registration link. You can test the service free of charge for 14 days as standard. However, we are also happy to arrange a longer trial period.