Preview · Confidential compute

Signed only inside the enclave.

A request is filtered, enters the TDX cluster, and is signed by a 2-of-3 set of enclaved signers — but only after remote attestation and the Key Broker releases the key.

HTTPS filtered mTLS attest verify release key broadcast logs Data Center #1Trusted Domain (TEE)Baremetal · TDX Client WAF Reverse-proxy Gateway Kong Control plane k8s Signer #1 Kata VM Reference Value Provider Vault secrets Attestation Service Signer #2 Kata VM Signer #3 Kata VM Key Broker Service Blockchain Nodes Monitoring SIEM

Internal preview — not linked in navigation. Hover a node to highlight; flow pulses pause off-screen and freeze under reduced-motion. Isometric icons: generic Isoflow pack.