Turnkey’s enclaves are highly constrained compute environments that can cryptographically attest to the code running inside, and are designed with no persistent storage, no interactive access, and no external networking. In Turnkey’s architecture, a standard host instance receives network traffic and calls into the enclave; the enclave’s only connection is a virtual serial connection to the host and its own secure co-processor (the Nitro Security Module). Private keys are never stored unencrypted. Instead, Turnkey persists encrypted private key ciphertext, which is only decrypted within the bounds of a secure enclave running verified Turnkey applications. This means private key material is only decrypted within an enclave, and raw private keys are never exposed to Vanish or Turnkey.
Deployment
Their enclave stack includes QuorumOS, a minimal, immutable Linux unikernel designed for high-security enclaves, with a deterministic build system for reproducible, auditable artifacts and an initialization/attestation framework intended to ensure only authorized code runs within the enclave. Turnkey also uses remote attestation so an enclave can cryptographically prove its identity and integrity to a remote verifier by producing a signed quote containing measurements of its code and configuration; only quotes signed by a hardware root of trust (such as the AWS Nitro Security Module) are considered valid.
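The verifier side of the remote attestation flow described above, as an added example that is not Turnkey's, QuorumOS's or AWS Nitro's code and does not reproduce their quote format: a quote carries measurements of the enclave's code and configuration plus a signature, and the verifier accepts it only if the signature chains to the hardware root of trust and every measurement matches the values expected from a reproducible build. Everything here is constructed: the root key, the measurement values, and the JSON layout. A real quote is signed with an asymmetric key under the hardware vendor's certificate chain; an HMAC key stands in for that signature so the example runs on the standard library alone. The nonce check is an assumption of common attestation practice (a verifier-chosen challenge that prevents replay of an old quote), not something the page states about Turnkey.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the hardware root of trust's signing key (assumption: a real
# quote is signed by an asymmetric key rooted in the vendor's certificate chain).
HARDWARE_ROOT_KEY = b"constructed-root-of-trust-key"

# Measurements the verifier expects from its own reproducible build of the enclave image.
# Constructed values; a deployment would take these from its build pipeline's output.
EXPECTED_MEASUREMENTS = {
    "0": hashlib.sha384(b"enclave-image-v1").hexdigest(),          # whole image
    "1": hashlib.sha384(b"kernel-and-bootstrap-v1").hexdigest(),   # kernel / init
    "2": hashlib.sha384(b"application-v1").hexdigest(),            # application
}


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_quote(measurements: dict, nonce: bytes, signing_key: bytes = HARDWARE_ROOT_KEY) -> dict:
    """Simulate the enclave's secure co-processor producing a signed quote.

    Binds the verifier's nonce into the signed payload so the quote cannot be replayed.
    """
    payload = {"measurements": dict(measurements), "nonce": nonce.hex()}
    signature = hmac.new(signing_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_quote(quote: dict, expected_nonce: bytes,
                 expected: dict = EXPECTED_MEASUREMENTS,
                 root_key: bytes = HARDWARE_ROOT_KEY) -> tuple:
    """Return (ok, reason).

    Order matters: authenticate the quote against the hardware root first, so that
    nothing inside an unauthenticated payload is trusted; then freshness; then the
    measurement-by-measurement comparison against the expected build.
    """
    payload = quote.get("payload")
    if not isinstance(payload, dict):
        return False, "malformed quote"
    want_sig = hmac.new(root_key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want_sig, str(quote.get("signature", ""))):
        return False, "signature does not chain to the hardware root of trust"
    if payload.get("nonce") != expected_nonce.hex():
        return False, "nonce mismatch (stale or replayed quote)"
    measured = payload.get("measurements", {})
    for index, want in expected.items():
        got = measured.get(index)
        if not isinstance(got, str) or not hmac.compare_digest(got, want):
            return False, f"measurement {index} does not match the expected build"
    return True, "enclave attested"


if __name__ == "__main__":
    nonce = secrets.token_bytes(32)  # verifier-chosen challenge

    # 1. Genuine quote from the expected build: accepted.
    print(verify_quote(issue_quote(EXPECTED_MEASUREMENTS, nonce), nonce))

    # 2. Same root of trust, but the application measurement differs: rejected.
    drifted = dict(EXPECTED_MEASUREMENTS, **{"2": hashlib.sha384(b"application-v2").hexdigest()})
    print(verify_quote(issue_quote(drifted, nonce), nonce))

    # 3. Correct measurements but signed by something other than the hardware root: rejected.
    print(verify_quote(issue_quote(EXPECTED_MEASUREMENTS, nonce, signing_key=b"not-the-root"), nonce))

    # 4. Genuine quote presented against a different nonce: rejected as a replay.
    print(verify_quote(issue_quote(EXPECTED_MEASUREMENTS, nonce), secrets.token_bytes(32)))
```

The point to take from cases 2 and 3 is that neither check substitutes for the other: a quote signed by the real root still describes the wrong code if the measurements drift, and a quote that lists the right measurements proves nothing unless its signature chains to the hardware root, which is why the page restricts validity to quotes signed by that root.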
To learn more about Turnkey’s industry-leading infrastructure, visit their website.