# Secure Storage with Confidential Containers
> [!note]-
> The content of this page is generated by audio/video transcription and text transformation from the content and links of this source.
Source: [https://fosdem.org/2025/schedule/event/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers/](https://fosdem.org/2025/schedule/event/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers/)
<video src="https://video.fosdem.org/2025/k4401/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers.av1.webm" controls></video>
## Summary & Highlights:
The session 'Trust No One: Secure Storage with Confidential Containers' at FOSDEM 2025 addresses secure data storage in cloud environments where the host itself is not trusted. It introduces Confidential Containers (CoCo), a CNCF project that runs Kubernetes pods inside Trusted Execution Environments (TEEs), and presents the implementation of trusted storage in CoCo: Kubernetes storage drivers, device virtualization to pass block devices into the guest, and remote attestation gating the release of data-encryption keys. It also demonstrates how a security policy written in Rego (the policy language of the CNCF's Open Policy Agent project) and evaluated inside the TEE stops an attacker on the host from injecting data into the guest.
**Introduction to Confidential Containers**
Confidential Containers, or CoCo, is a Cloud Native Computing Foundation (CNCF) project that runs Kubernetes workloads inside Trusted Execution Environments (TEEs) so that the cloud provider, the host operating system and the hypervisor stay outside the trust boundary. The TEE hardware protects guest memory; the storage work presented here extends that protection to data that has to leave guest memory, so that sensitive data remains confidential even when it is stored in a cloud the workload owner does not trust.
**Implementation of Secure Storage**
The session walks through how trusted storage is implemented in CoCo. A Kubernetes storage driver provisions a block device on the host, device virtualization passes that device into the confidential VM, and encryption happens only inside the VM, so the host only ever sees ciphertext; this is what makes the design portable across cloud providers. Remote attestation gates access to the encryption keys: a Key Broker Service releases a key to a guest only after the guest has proven that it is a genuine TEE running the expected software, so only an authorized, measured workload can decrypt the data.
**Preventing Data Injection Attacks**
A central part of the session is a demonstration of how a security policy written in Rego (the language of the CNCF's Open Policy Agent) blocks an attacker on the host from injecting data into the TEE. The untrusted host is the party that asks the guest agent to create containers, attach devices and set up mounts, so it could try to hand the workload a device or directory of its own choosing in place of the encrypted volume. The policy, generated from the pod specification and evaluated by the agent inside the TEE, rejects any request that deviates from what the workload owner declared, which preserves both the integrity and the confidentiality of the data stored in confidential containers.
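As an added illustration (not code from the talk, nor from the Kata Containers or CoCo repositories), the following shows the shape such a Rego policy takes for the ephemeral-storage case described above. The input field names (`input.storages[].driver`, `source`, `fstype`, `mount_point`, `options`) are modelled on the Kata agent's CreateContainerRequest and should be checked against the output of `genpolicy` for your release; the allowlist values, the `/data` mount point and the device-name pattern are hypothetical.

```rego
package agent_policy

import future.keywords.every
import future.keywords.if
import future.keywords.in

# Default-deny: each agent RPC the host can issue is refused unless a rule
# below allows it. CopyFileRequest and ExecProcessRequest stay denied, so
# the host cannot push files into the guest or run commands inside it.
default CreateContainerRequest := false
default CopyFileRequest := false
default ExecProcessRequest := false

# Hypothetical allowlist (stands in for the policy data that genpolicy
# derives from the pod spec). The only storage the host may hand this
# container is a raw virtio block device, driver "blk", which the guest-side
# CDH opens through dm-crypt/dm-integrity before it is mounted at /data.
allowed_storages := [{
    "driver": "blk",
    "fstype": "ext4",
    "mount_point": "/data",
    "source_pattern": "^/dev/vd[b-z]$",
    "allowed_options": {"rw", "nosuid", "nodev", "noexec"},
}]

# The host must present exactly the storages the workload owner declared:
# nothing extra (an injected mount) and nothing missing (a silently
# downgraded, unencrypted path).
CreateContainerRequest if {
    count(input.storages) == count(allowed_storages)
    every a in allowed_storages {
        some s in input.storages
        storage_matches(s, a)
    }
}

storage_matches(s, a) if {
    s.driver == a.driver
    s.fstype == a.fstype
    s.mount_point == a.mount_point
    regex.match(a.source_pattern, s.source)
    options := object.get(s, "options", [])
    every o in options {
        o in a.allowed_options
    }
}

# Allowed host request (constructed example):
#   {"storages": [{"driver": "blk", "source": "/dev/vdb", "fstype": "ext4",
#                  "mount_point": "/data", "options": ["rw", "nodev"]}]}
# Denied host requests (constructed examples):
#   - driver "virtio-fs" with a host directory as source at /data:
#     plaintext under host control, no allowlist entry matches -> false
#   - a second storage entry anywhere: count mismatch -> false
#   - source "/dev/sda": outside the allowed device pattern -> false
#   - options ["rw", "bind"]: "bind" is not an allowed option -> false
```

In a real deployment the allowlist is not typed by hand: `genpolicy` derives it from the pod YAML, and the resulting policy is attached to the pod through the `io.katacontainers.config.agent.policy` annotation and evaluated by the agent inside the TEE against every request the host sends. The default-deny on `CopyFileRequest` and `ExecProcessRequest` matters as much as the storage rule: an injected mount is only one of several paths a host has for pushing data into the guest.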
**Demonstration and Practical Applications**
The session includes a demonstration of deploying and running confidential containers in a Kubernetes cluster, showing both how they fit in with standard Kubernetes objects and how the security behaviour described above holds up when the host tries to deviate from the declared configuration.
**Conclusion and Future Directions**
The session concludes with a discussion on the future directions of the CoCo project, including ongoing efforts to enhance persistent storage solutions and address potential vulnerabilities. Attendees are encouraged to contribute to the project, fostering a collaborative effort towards more secure cloud computing solutions.
## Importance for an eco-social transformation
Confidential Containers play a crucial role in eco-social transformation by ensuring data security and privacy in cloud environments. This is particularly important for organizations handling sensitive information, such as environmental and social organizations, where data breaches could have significant ethical and social implications. For eco-social designers, the tools and methods demonstrated, such as Kubernetes integration and secure storage solutions, can be adapted to create secure, community-oriented digital platforms. Challenges include ensuring widespread adoption across different cloud providers and addressing potential technical and social hurdles, such as user awareness and policy compliance. Continued collaboration and open-source contributions are essential to overcoming these challenges and advancing towards more secure and sustainable cloud computing practices.
## Slides:
| | |
| --- | --- |
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_001.jpg\|300]] | The first slide introduces the session titled 'Trust No One: Secure Storage for Confidential Containers,' presented by Aurélien Bombo. It highlights the collaboration between Confidential Containers, Kata Containers, and Microsoft, setting the stage for a discussion on secure storage solutions.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_002.jpg\|300]] | This slide defines what a confidential container is, contrasting it with runC containers and highlighting the role of Kata Containers and Trusted Execution Environments (TEEs). It emphasizes the integration with Kubernetes for container orchestration and the importance of remote attestation and security policies.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_003.jpg\|300]] | This slide sets out what 'untrusted' means in CoCo's threat model: the host kernel, the hypervisor and the cloud operator are outside the trust boundary, so any storage they provide, and any request they send into the guest, has to be treated as potentially hostile.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_004.jpg\|300]] | This slide covers ephemeral storage: pod-scoped storage that does not outlive the pod but is needed when the working data does not fit in guest memory. The stated goals are confidentiality and native Kubernetes integration. The design creates a block device on the host, passes it into the VM, and encrypts it inside the VM, so the host only ever holds ciphertext. The open challenge is the VM boundary: the host decides which device it passes and how it asks the guest to mount it, so that boundary has to be guarded by the security policy.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_005.jpg\|300]] | The slide appears to continue discussing the technical details of implementing secure storage in confidential containers, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_006.jpg\|300]] | This slide is about virtio-blk, the paravirtualised block-device interface used to pass the host-side block device into the confidential VM. Because encryption is applied inside the guest, the virtio-blk backend on the host handles only ciphertext.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_007.jpg\|300]] | This slide explains how the Confidential Data Hub (CDH), the CoCo component running inside the guest, sets up the volume with dm-crypt and dm-integrity. dm-crypt provides confidentiality: blocks are encrypted before they reach the host-visible device. dm-integrity provides integrity: it keeps per-sector authentication tags so that ciphertext the host has modified is detected on read instead of being decrypted into garbage and silently accepted.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_008.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_009.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_010.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_011.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_012.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_013.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_014.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_015.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_016.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_017.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_018.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_019.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_020.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_021.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_022.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_023.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_024.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_025.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_026.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_027.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_028.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_029.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_030.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_031.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_032.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_033.jpg\|300]] | This slide introduces persistent storage, which builds on the ephemeral design; its final design is still to be determined. The key differences: a CSI driver provisions and attaches the volume so it can outlive the pod and be re-attached later, and because a later, different guest must be able to unlock it, the encryption key is held by a Key Broker Service and released only after the guest has passed remote attestation.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_034.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_035.jpg\|300]] | This slide invites questions from the audience, indicating the session's conclusion and opening the floor for discussion.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_036.jpg\|300]] | This slide provides links to resources related to the session, including a pull request for implementing confidential ephemeral storage, the Confidential Containers website, and GitHub repositories.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_037.jpg\|300]] | The slide discusses policy validation, referencing a proposal for container metadata validation on GitHub.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_038.jpg\|300]] | This slide reiterates the use of dm-crypt and dm-integrity by the Confidential Data Hub (CDH) for ensuring data encryption and integrity.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_039.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_040.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_041.jpg\|300]] | This slide discusses ephemeral models, likely in the context of secure storage solutions for confidential containers.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_042.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_043.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_044.jpg\|300]] | This slide discusses persistent models, likely in the context of secure storage solutions for confidential containers.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_045.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_046.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_047.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_048.jpg\|300]] | This slide covers verifying encryption settings: likely checking from inside the guest that the volume the workload is about to use is really mapped through dm-crypt with the expected cipher and integrity mode, rather than trusting a device the host merely presents as encrypted.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_049.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_050.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_051.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_052.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_053.jpg\|300]] | This slide covers generating security policies. In CoCo and Kata the policy is not hand-written: it is derived from the pod specification (the genpolicy tool does this), so the allowed containers, mounts and storages are pinned to what the workload owner actually deployed.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_054.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_055.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_056.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_057.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_058.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_059.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_060.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
| ![[FOSDEM 2025/assets/Trust-No-One-Secure-Storage-with-Confidential-Cont/preview_061.jpg\|300]] | The slide continues the discussion on secure storage solutions, though specific content is not provided.
## Links
[Slides](https://fosdem.org/2025/events/attachments/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers/slides/237954/bombo-sec_RLJLux0.pdf)
[Video recording (AV1/WebM)](https://video.fosdem.org/2025/k4401/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers.av1.webm)
[Video recording (MP4)](https://video.fosdem.org/2025/k4401/fosdem-2025-5299-trust-no-one-secure-storage-with-confidential-containers.av1.mp4)