What is STACKIT Confidential Server?
STACKIT Confidential Server provides virtual machines with hardware-level memory encryption based on AMD SEV-SNP or Intel TDX. The CPU encrypts the VM's memory, so neither cloud administrators nor a compromised hypervisor can read its data. As a German cloud provider, STACKIT operates all Confidential Servers in German data centers, ensuring full GDPR compliance.
Core Features
- Hardware Encryption: AMD SEV-SNP and Intel TDX encrypt RAM and CPU registers at chip level
- Remote Attestation: Cryptographic verification that workloads actually run in a TEE
- Zero-Trust Architecture: Isolation from the hypervisor with hardware-based trust anchor
- Sealed Secrets: Keys can be bound to measured VM states
- Transparent Integration: No application code changes required
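The two features above that need a relying party on your side are remote attestation and sealed secrets. The following is an added, simplified example (not STACKIT or innFactory code) of a key-release service: it checks constructed attestation evidence against a policy and derives a key bound to the attested launch measurement, so a VM with a different measurement, or one with debug enabled, never receives the key. The report signature check against the CPU vendor's certificate chain is assumed to have been done already by an attestation library and is not shown.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Evidence:
    """Constructed stand-in for fields a relying party reads from a verified report."""
    measurement: bytes   # launch measurement of the VM image (hypothetical value)
    debug_enabled: bool  # report flag: is debug/inspection of the guest allowed?
    nonce: bytes         # challenge the relying party issued, proves freshness

def verify_evidence(ev: Evidence, expected_nonce: bytes, allowed: set) -> bool:
    """Attestation policy: fresh report, debug disabled, known-good measurement."""
    return (hmac.compare_digest(ev.nonce, expected_nonce)
            and not ev.debug_enabled
            and ev.measurement in allowed)

def hkdf_sha256(ikm: bytes, info: bytes, salt: bytes = b"", length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract-then-expand), standard library only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]

def release_sealed_key(master: bytes, ev: Evidence, expected_nonce: bytes,
                       allowed: set) -> Optional[bytes]:
    """Release a key only to attested VMs; the key is bound to the measurement."""
    if not verify_evidence(ev, expected_nonce, allowed):
        return None
    return hkdf_sha256(master, info=b"sealed-vm-key|" + ev.measurement)

def demo() -> tuple:
    # Constructed values: a master secret held by the key-release service and
    # two image measurements, only one of which is on the allowlist.
    master = hashlib.sha256(b"constructed master secret").digest()
    good = hashlib.sha256(b"approved image v1").digest()
    other = hashlib.sha256(b"unapproved image").digest()
    nonce = secrets.token_bytes(16)
    allowed = {good}
    k_ok = release_sealed_key(master, Evidence(good, False, nonce), nonce, allowed)
    k_debug = release_sealed_key(master, Evidence(good, True, nonce), nonce, allowed)
    k_other = release_sealed_key(master, Evidence(other, False, nonce), nonce, allowed)
    k_stale = release_sealed_key(master, Evidence(good, False, b"\x00" * 16), nonce, allowed)
    return (k_ok is not None, k_debug is None, k_other is None, k_stale is None)
```

Changing the allowlist after an image update rotates which measurement can unseal; data sealed under the old measurement stays unreadable to the new image unless you deliberately re-seal it.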
Typical Use Cases
Financial Services: Processing sensitive financial data under regulatory requirements like DORA. Banks run payment processing and fraud detection with guaranteed protection from cloud provider access.
Healthcare and Patient Data: Analysis of genomic data, CT scans, and electronic health records under HIPAA and GDPR compliance. Hardware encryption meets patient confidentiality requirements even in the cloud.
Law Firms: Processing attorney-client privileged communication and confidential client data. Document review and AI-powered contract analysis with guaranteed confidentiality from the cloud provider.
Benefits
- Data Protection in Use: Closes the gap between encryption at rest and in transit
- GDPR-compliant: German data centers plus hardware isolation meet highest data protection requirements
- Compliance-ready: Meets GDPR Article 32, HIPAA, PCI-DSS, DORA, and BSI C5
- Minimal Overhead: Less than 5% performance impact for most workloads
Integration with innFactory
As an official STACKIT partner, innFactory supports you with Confidential Server: architecture for zero-trust environments, migration of existing workloads, remote attestation integration, and compliance documentation.
Available Tiers & Options
AMD SEV-SNP
- Hardware isolation
- VM-level encryption
- Wide availability
- AMD CPU required
Intel TDX
- Intel platform
- Comparable security
- Limited availability
Frequently Asked Questions
How does Confidential Server differ from regular VMs?
Confidential Servers encrypt memory at the hardware level using AMD SEV-SNP or Intel TDX. Even cloud administrators cannot access the data.
Can I migrate existing VMs to Confidential Servers?
Yes, most workloads can be migrated with minimal changes. Encryption is handled transparently by the CPU.
What compliance standards are supported?
Confidential Computing meets GDPR Article 32, HIPAA, PCI-DSS, and DORA requirements for data protection in use.
Is there a performance impact?
Typical overhead is less than 5% for most workloads. Memory-intensive applications may see up to 10% reduction.
Can STACKIT see my data in RAM?
No. The memory encryption keys are held by the CPU hardware and never exposed to the hypervisor, which makes it technically impossible for the cloud provider to access data in memory.
