Enarx
Enarx is an open-source framework for deploying applications into hardware-based Trusted Execution Environments (confidential computing) without requiring code modification.
- Runtime and deployment framework for Trusted Execution Environments (confidential computing)
- Support for multiple enclave technologies such as Intel SGX and AMD SEV (confidential-computing infrastructure)
- WebAssembly-based application execution model for TEEs (runtime / application sandboxing)
- Remote attestation and secure workload lifecycle management (security / workload protection)
- Abstraction layer that hides hardware- and vendor-specific TEE details from developers and operators (infrastructure abstraction)
More About Enarx
Enarx focuses on confidential computing (security / confidential-computing), providing a framework to run workloads inside Trusted Execution Environments (TEEs) so that data and code remain protected from access by infrastructure operators, cloud providers, or other tenants. The project addresses the problem of protecting data in use, complementing traditional controls for data at rest and data in transit. It targets scenarios where enterprises need to process sensitive information on shared or untrusted infrastructure while maintaining hardware-enforced isolation.
The Enarx architecture provides an abstraction over different TEE backends (confidential-computing infrastructure), including hardware technologies such as Intel Software Guard Extensions (Intel SGX) and AMD Secure Encrypted Virtualization (AMD SEV), as documented in the project’s official materials and through its association with the Confidential Computing Consortium. By presenting a consistent deployment and runtime model, Enarx enables workloads to run in various confidential-computing environments without requiring application changes for each hardware implementation.
At the application layer, Enarx relies on WebAssembly (runtime / application sandboxing) as the primary execution format. Applications are compiled to WebAssembly modules and then deployed into Enarx “Keeps,” which are isolated execution environments backed by TEEs. This model allows developers to use multiple programming languages that target WebAssembly and then run them within a hardware-isolated context. The WebAssembly runtime inside the Keep manages system calls, I/O, and interaction with the host while maintaining a constrained and auditable interface.
For enterprise and institutional environments, Enarx supports remote attestation workflows (security / attestation), enabling relying parties to verify that a workload is running inside a genuine TEE with an expected configuration before releasing secrets or initiating transactions. This capability aligns with confidential computing use cases such as secure multi-tenant workloads, protection of cryptographic keys, and privacy-preserving processing of regulated data. Operators can integrate Enarx into existing deployment pipelines to treat TEEs as another target environment.
Enarx interacts with underlying platform capabilities provided by Central Processing Unit (CPU) vendors and cloud providers (cloud infrastructure / virtualization), but it presents a uniform Application Programming Interface (API) and operational model to application owners. It fits into enterprise architectures as a layer between application code and TEE hardware, categorized under confidential-computing frameworks, secure runtime environments, and workload protection platforms. Through its participation in the Confidential Computing Consortium, Enarx aligns with consortium-defined terminology and models for protecting data in use, and contributes an implementation that enterprises can evaluate or adopt as part of their confidential computing strategies.