Secure Enclaves at the Tactical Edge: Why Confidential Computing Is a Defense Problem Now
R. KesslerSomewhere between a forward operating base and a cloud data center, there's a gap that nobody in enterprise security was ever really designed to fill. Confidential computing, the practice of protecting data in use through hardware-enforced secure enclaves, spent most of the last decade being sold as a compliance solution for healthcare and finance. That era is over.
Photo by The defense context changes everything about the threat model.
In commercial cloud, confidential computing protects tenants from each other and from a potentially compromised hypervisor. Useful, but the attack surface is relatively controlled. At the tactical edge, think autonomous vehicles, dismounted soldier systems, unmanned aerial platforms, you're not worried about a rogue cloud administrator. You're worried about physical capture, firmware implants, supply chain compromise, and adversaries with the time and hardware to extract model weights or mission-critical inference logic from a device that's no longer under your control.
That's a fundamentally different problem. And it's forcing a rethink of how trusted execution environments get designed, deployed, and verified under actual field conditions.
What Secure Enclaves Actually Do (and Where They Break)
The core idea behind TEEs, Trusted Execution Environments, is that a physically isolated region of the processor handles sensitive computation. Code and data inside the enclave are encrypted in memory; even the operating system can't read them. Intel's SGX, Arm's TrustZone, and AMD's SEV-SNP all take different approaches to this, but the promise is similar: even if the surrounding software stack is compromised, the enclave holds.
Except field environments test assumptions that data centers never do.
Power instability causes fault-injection opportunities. Temperature extremes push memory and processor behavior outside the bounds that enclave attestation was designed for. Side-channel attacks, particularly those exploiting cache timing, are well-documented against SGX specifically; academic researchers have been publishing SGX breaks since 2017. When your enclave is running target recognition on a drone that an adversary just shot down and recovered, those theoretical side-channels become very practical threats.
The diagram below sketches how a defense-grade confidential compute pipeline differs from a conventional edge inference stack:
graph TD
A[Sensor Input] --> B(Encrypted Data Path)
B --> C{TEE / Secure Enclave}
C --> D[Inference Engine]
D --> E(Encrypted Output)
E --> F[Comms Stack]
C --> G((Remote Attestation Server))
Remote attestation, that link to the attestation server, is the piece most edge deployments quietly skip because it requires connectivity. In a contested environment, connectivity is exactly what you can't guarantee. Without attestation, you lose the ability to verify that the enclave running on a given device hasn't been tampered with. That's not a minor gap.
The Hardware Push That's Actually Happening
Several primes and a growing number of startups are moving to close this. Arm's CCA (Confidential Compute Architecture), announced for v9 cores, extends realm-based isolation in ways that could survive a degraded attestation scenario better than SGX ever did. Latticework, Fortanix, and a handful of DARPA-adjacent teams are prototyping enclave designs that integrate hardware attestation locally, no server handshake required, using physical unclonable functions (PUFs) tied directly to the silicon.
PUFs are worth understanding here. Rather than storing a secret key that can be extracted, a PUF derives a key from microscopic manufacturing variations in the chip itself. You can't clone it. You can't extract it with a logic analyzer. If you grind the die down trying to read it, the variations shift and the key is gone. For a device that might be captured in the field, that's not just convenient, it's the entire security model.
The challenge is that PUF-based systems still need enrollment: you have to characterize the device's PUF response in a trusted environment before it deploys. That creates a manufacturing and logistics chain that the defense acquisition process isn't well set up to handle at scale. Getting this into a program of record requires cooperation between chip designers, system integrators, and program offices that historically do not move at the same speed.
Why This Isn't Solved by Software Alone
There's a tendency in defense software circles to reach for cryptography as the answer to everything. Encrypt the model weights. Use secure boot. Layer on attestation protocols. These help, but they all sit on top of hardware that may or may not be trustworthy, depending on where it was fabbed and who touched it between there and the field.
Hardware-rooted trust isn't optional at the edge. It's the only kind that holds when the device is physically in adversarial hands.
The programs working this problem most seriously, some visible in DARPA's AISS and CHIPS programs, others considerably less visible, understand that confidential computing at the tactical edge is a co-design problem. The enclave spec, the chip layout, the attestation scheme, and the operational deployment model all have to be built together. Bolting a commercial TEE onto an existing platform is a stopgap, not a solution.
Silicon Valley built confidential computing for a world where the data center is trusted and the tenant is not. Defense needs the inverse: hardware that stays trustworthy when everything around it, the software, the network, the physical environment, cannot be.
Get Bits Atoms Brains in your inbox
New posts delivered directly. No spam.
No spam. Unsubscribe anytime.