Introduction to Trusted Execution Environments (TEEs)

https://www.dynamic.xyz/blog/trusted-execution-environments

Imagine you have a safety deposit box that contains something extremely valuable to you. The safety deposit box is locked and stored securely in a bank vault, and only you have the key. When you need access to the item, the box is moved to a private, even more secure room, where only you can use your key to open it and handle the contents. After you’re done, the box is returned to the vault, and the private room is secured again. This way, your valuable item is never exposed outside of the secure environment.

Trusted Execution Environments (TEEs) work similarly in the world of software, and act as that private, super-secure room. They are isolated areas within a system where sensitive data can be handled safely, even if other parts of the system are compromised.

This post will explain the general concepts behind TEEs, explore how they function in mobile devices, and focus on cloud-based TEEs such as AWS Nitro Enclaves. Finally, we’ll discuss how Dynamic leverages TEEs to secure wallet private keys.

TEEs — A Key Part of Modern Security Infrastructure

Trusted Execution Environments (TEEs) offer critical protection for sensitive data, from personal biometrics in smartphones to private keys in cloud-based wallets. As the demand for secure data processing continues to rise, TEEs are becoming an indispensable component of modern security architectures. Whether in consumer devices or enterprise cloud infrastructure, TEEs ensure that sensitive data can be processed without being exposed to potential threats, even in environments where the rest of the system might be compromised.

TEEs are particularly vital as more sensitive information—financial data, healthcare records, and even national security information—moves into cloud-based systems. Their ability to provide hardware-backed isolation, encryption, and verification makes them one of the most robust solutions available for securing data in use.

Without TEEs, organizations would struggle to protect data from increasingly sophisticated attacks, particularly in multi-tenant cloud environments where shared resources and external threats are prevalent. As our reliance on cloud services, decentralized technologies, and digital identities continues to grow, TEEs will play a pivotal role in safeguarding the confidentiality and integrity of the data that powers these systems.

TEEs aren’t just an added layer of protection—they’re a foundational security feature. As the stakes around data security increase, their role in protecting privacy and ensuring trust in digital environments will become more critical than ever.

TEEs in Mobile Devices: Secure Enclaves

Most of us have TEEs in our pockets. That is, most modern smartphones have a TEE (secure enclave) within them for specific secure calculations. These are specialized areas within a device’s processor that handle sensitive tasks like biometric data and payment information.

For example:

  • Apple Secure Enclave: Manages Touch ID, Face ID, and cryptographic functions, operating in a separate environment from the phone’s main operating system.
  • Android Trusted Execution Environment: Based on ARM TrustZone, ensures that sensitive information, such as DRM content and encryption keys, is processed securely.

Cloud-Based TEEs: AWS Nitro Enclaves

In cloud environments, TEEs like AWS Nitro Enclaves enable secure data processing at scale for developers. AWS Nitro Enclaves are isolated execution environments that operate within Amazon EC2 instances and are ideal for handling highly sensitive data, such as encryption keys and personally identifiable information (PII).

AWS Nitro Enclaves have several key features:

  • Isolation: They operate in a tightly controlled, isolated environment (i.e., memory and CPU isolated from the parent instance, running a separate kernel) with limited external network access.
  • Cryptographic Attestation: Customers can verify that the enclave is operating as expected.
  • Secure Data Handling: Data can be encrypted and processed securely without leaving the protected environment.

Hardware Structure of AWS Nitro Enclaves

From a hardware perspective, AWS Nitro Enclaves rely on the Nitro hypervisor, which provides the necessary isolation between the parent EC2 instance and the enclave itself. The Nitro system architecture removes unnecessary functionalities like persistent storage, network access, and interactive access (e.g., SSH), reducing the attack surface. Enclaves only have a single, limited connection to the parent EC2 instance via a secure communication channel, which ensures that only essential data can pass between the two. This strict limitation means that enclaves are completely isolated from external networks, including the internet, further ensuring that sensitive data cannot be accessed or leaked outside the enclave environment.

A Note on Attestation in TEEs

One of the critical features of Trusted Execution Environments (TEEs) is attestation. Attestation is a security mechanism that allows external parties to verify that the code running inside a TEE is genuine and hasn’t been tampered with. It involves generating cryptographic proofs that can be validated by third-party systems.

Attestation typically works in three steps:

  1. Measurement: When the TEE is initialized, it measures the code and environment configuration running inside it. These measurements, such as hash values of the software and configuration, are securely recorded.
  2. Signing: The measurements are then signed using a key backed by a certificate, typically issued by a trusted authority. This step ensures that the attestation output can be cryptographically verified.
  3. Verification: The TEE generates a cryptographic report (attestation) that includes the signed measurements. This report can then be sent to a trusted external entity, which checks the measurements and their signatures against known, trusted values to ensure that the environment is legitimate and secure.
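
The three steps above as a runnable sketch. This is an added example, not code from Dynamic or AWS: all function names and inputs are hypothetical, an HMAC with a constructed key stands in for the hardware-rooted, certificate-backed signature, and the verifier nonce (a freshness check against replayed reports) goes beyond the three steps listed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the TEE's hardware-rooted signing key. A real TEE signs
# with an asymmetric key certified by the vendor; HMAC keeps this runnable offline.
ROOT_KEY = b"constructed-demo-root-key"

def measure(code: bytes, config: dict) -> str:
    """Step 1: hash the code and configuration loaded into the TEE."""
    h = hashlib.sha384(hashlib.sha384(code).digest())
    h.update(json.dumps(config, sort_keys=True).encode())
    return h.hexdigest()

def _mac(body: dict, key: bytes) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha384).hexdigest()

def attest(code: bytes, config: dict, nonce: str, key: bytes = ROOT_KEY) -> dict:
    """Step 2: bind the measurement and the verifier's nonce into a signed report."""
    body = {"measurement": measure(code, config), "nonce": nonce}
    return {"body": body, "sig": _mac(body, key)}

def verify(report: dict, expected: set, nonce: str, key: bytes = ROOT_KEY) -> str:
    """Step 3: check the signature first, then freshness, then the allowlist."""
    if not hmac.compare_digest(_mac(report["body"], key), report["sig"]):
        return "bad-signature"
    if not hmac.compare_digest(report["body"]["nonce"], nonce):
        return "stale-nonce"
    if report["body"]["measurement"] not in expected:
        return "unknown-measurement"
    return "ok"

def demo() -> dict:
    code, config = b"def sign(tx): ...", {"debug": False}  # constructed inputs
    expected = {measure(code, config)}                     # known-good build
    nonce = secrets.token_hex(16)
    genuine = attest(code, config, nonce)
    # Each failing case below is a well-formed report that must still be rejected.
    return {
        "genuine": verify(genuine, expected, nonce),
        "modified_code": verify(attest(code + b"\n# changed", config, nonce), expected, nonce),
        "debug_config": verify(attest(code, {"debug": True}, nonce), expected, nonce),
        "wrong_signer": verify(attest(code, config, nonce, b"other-key"), expected, nonce),
        "replayed_report": verify(genuine, expected, secrets.token_hex(16)),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A valid signature alone is not enough: the modified-code and debug-config reports are correctly signed and are rejected only because the verifier compares the measurement against its own list of trusted values.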

Attestation ensures that sensitive data and operations within the TEE are protected from unauthorized modification, helping to build trust between different components of a system and its users. This is especially important in cloud environments where tenants rely on the infrastructure to be secure and unaltered.

TEEs and Securing Crypto Private Keys

TEEs can also play a crucial role in securing signing activities of crypto private keys. Since private keys are the foundation of all crypto transactions, ensuring their security is vital. By using TEEs for signing activities, private key signing is isolated from the broader system, significantly reducing the risk of exposure due to vulnerabilities in the operating system or application. TEEs also help prevent attacks like side-channel attacks, ensuring the private key remains secure during transaction signing.

How Dynamic Uses TEEs

At Dynamic, we leverage TEEs—specifically AWS Nitro Enclaves—to handle the decryption and secure processing of wallet private keys as well as to support the generation of user session keys. The private keys are stored encrypted outside the TEE and are only decrypted within the secure environment when a user initiates a transaction or an action that requires access to the key. This ensures that the private keys are never exposed in an untrusted part of the system.

Just like a safety deposit box in a bank vault (as described above), only the end user holds the key to unlock it when the box is in the private, secure room (the TEE). In other words, only the user has the necessary key or credentials to access their private key when it’s in a secure environment. Even Dynamic cannot unlock or access the private key—ensuring that self-custody remains in the user’s hands.

TEEs ensure that the private keys are never exposed outside the secure environment, protecting against a wide array of potential threats. This system allows us to offer high levels of security and self-custody, ensuring that even in the event of a broader system compromise, the private keys remain protected and secure.

Itai Turbahn

Itai is the co-founder and CEO of Dynamic. Before Dynamic, Itai spent 7 years in product management leadership positions, and was previously a consultant at the Boston Consulting Group. Itai holds an MBA from Harvard Business School and B.Sc degrees in EECS and Economics from MIT.
