What is STACKIT Confidential Kubernetes?
STACKIT Confidential Kubernetes extends standard Kubernetes with hardware-based Trusted Execution Environments (TEEs). Each pod runs with encrypted memory backed by AMD SEV-SNP or Intel TDX. Even if the Kubernetes cluster itself is compromised, the data remains encrypted, because the encryption is performed at the hardware level rather than by the orchestration layer.
Core Features
- AMD SEV-SNP and Intel TDX for memory encryption
- Remote attestation for trust verification
- Kata Containers and gVisor runtimes
- KMS integration for encrypted secrets
- Standard Kubernetes APIs without code changes
Typical Use Cases
Regulated industries: Banking, healthcare, and government with DORA, PCI-DSS, or HIPAA requirements.
Multi-party computation: Joint data analysis across organizations without data sharing.
Sensitive AI/ML: Training on confidential data where even cloud admins have no access.
Benefits
- Hardware encryption closes the gap between encryption at rest and in transit by also protecting data in use
- Zero-trust: even the cloud provider cannot read the data
- Standard container images run without modification
- Attestation proves workload integrity cryptographically
Integration with innFactory
As an official STACKIT partner, innFactory supports you with Confidential Kubernetes: architecture, migration, operations, and cost optimization.
Available Tiers & Options
Confidential
- Hardware encryption
- Attestation
- Zero-trust architecture
- Performance overhead (5-10%)
- Limited instance types
Frequently Asked Questions
What is Confidential Computing?
Hardware-based Trusted Execution Environments (TEEs) keep data encrypted while it is being processed. Even administrators cannot read the contents of RAM in plain text.
What performance overhead occurs?
Typically 5 to 10%. Memory encryption itself adds minimal overhead thanks to hardware acceleration.
Can I verify workload integrity?
Yes. Remote attestation enables cryptographic verification that pods run in genuine TEEs.
What compliance standards are met?
GDPR, NIS2, BSI C5, ISO 27001, DORA, and PCI-DSS, through the combination of German data residency and hardware encryption.
