In the era of digital transformation, data has emerged as a critical production factor—especially within the financial sector, where sensitive information demands robust protection. As regulatory frameworks tighten and cyber threats grow more sophisticated, securing data at rest has become a top priority. This article explores how confidential computing offers a breakthrough solution for secure financial data storage, balancing high security with practical deployment.
The Critical Need for Secure Data Storage in Finance
Financial data is classified as a national critical data resource under China’s “critical information infrastructure” framework. With the rise of digital banking, mobile payments, and real-time transaction systems, the volume and sensitivity of stored financial data have surged.
China's 14th Five-Year Plan emphasizes strengthening the security system for the digital economy and improving data protection standards across the full data lifecycle. In line with this, the People’s Bank of China (PBOC) released the Financial Data Security – Lifecycle Security Specification in 2021, mandating financial institutions to implement comprehensive governance across data collection, transmission, storage, usage, and destruction.
👉 Discover how next-gen encryption technologies are transforming financial security today.
Among these stages, data storage security forms the foundational layer. Unlike transient data in motion, static stored data presents a concentrated target for attackers. Once breached, the impact can be widespread—compromising millions of records and eroding public trust.
Limitations of Traditional Storage Encryption Methods
Current encryption approaches fall into two main categories: application-layer encryption and disk-level encryption. While both offer some level of protection, they come with significant trade-offs.
Application-Layer Encryption
This method involves modifying application code to encrypt data before it's written to storage. It supports fine-grained control—such as encrypting specific fields like ID numbers or account balances—but requires extensive code refactoring. Two subtypes exist:
- Hardware-based encryption: Uses dedicated cryptographic devices (HSMs), ensuring strong security but increasing costs significantly at scale.
- Software-based encryption: Relies on software libraries; however, decryption keys often remain exposed in memory, creating vulnerabilities.
Disk-Level Encryption
This approach encrypts entire storage volumes transparently. While easy to deploy, it only protects against physical theft (e.g., stolen hard drives). Once an attacker gains access to the operating system or hypervisor, all data appears in plaintext—rendering the protection ineffective against insider threats or cloud-based breaches.
These limitations highlight the need for a new paradigm: one that provides fine-grained encryption, minimal application disruption, and strong protection against internal threats.
What Is Confidential Computing?
Confidential computing is a security model that protects data while it's being processed by running computations inside hardware-enforced trusted execution environments (TEEs). These environments isolate sensitive workloads from the rest of the system—including the operating system, hypervisor, and cloud provider—ensuring confidentiality and integrity even if the host is compromised.
Leading chipmakers have introduced TEE technologies:
- Intel SGX and TDX
- AMD SEV
- ARM TrustZone
- Hygon CSV (used in this study)
This research focuses on Hygon CSV (Confidential Secure Virtualization), a hardware-backed virtualization technology that enables encrypted virtual machines (VMs) with isolated CPU resources and encrypted memory.
Key Features of Hygon CSV
- Resource Isolation: Each CSV VM uses a unique Address Space ID (ASID), isolating cache and TLB entries to prevent cross-VM data leakage.
- Memory Encryption: On-chip SM4 encryption engines automatically encrypt all memory writes using keys managed by an integrated secure processor. No external entity—including admins—can access plaintext data.
- Measured Boot: Ensures VM integrity by verifying boot components dynamically, preventing tampering.
When combined with Kata Containers, CSV enables confidential containers—lightweight runtime environments where both code and data are protected during execution. This is particularly valuable in cloud environments, where tenants can maintain full control over their workloads without trusting the underlying infrastructure.
A Novel Approach: Confidential Computing Secure Storage Service
To address existing gaps, we propose a confidential computing-based secure storage service that integrates hardware-level protection with flexible encryption management.
Architecture Overview
The solution sits between applications and databases as a transparent proxy layer, comprising two core components:
1. Pre-Encryption Module
- Encryption Proxy: Intercepts database traffic, parses SQL statements, and identifies sensitive fields based on predefined policies.
- Crypto Engine: Performs SM4-based encryption/decryption within the confidential computing environment.
2. Management Platform
- Policy Management: Allows administrators to define field-level encryption rules (e.g., encrypt "phone_number" in "users" table).
- Key Management: Handles secure key generation, rotation, distribution, and lifecycle management.
Core Functionalities
✅ Fine-Grained Encryption Policies
Organizations can configure encryption rules via:
- GUI Configuration: Upload table schemas and select fields to encrypt through a web interface.
- DDL Auto-Detection: Embed encryption tags in SQL comments (e.g.,
/* @encrypt */). The proxy auto-generates policies when tables are created or altered.
✅ Seamless Key Rotation
Supports smooth key updates without service interruption:
- Transition Mode: Uses both old and new keys during rotation.
- Background Re-encryption: A batch tool gradually re-encrypts historical data.
- After completion, switches back to single-key mode—ensuring zero downtime.
✅ Encrypted Fuzzy Search
Despite end-to-end encryption, the system supports limited pattern matching (e.g., prefix search) by structuring encrypted fields into segmented blocks processed with deterministic encryption where appropriate.
✅ Confidential Containers
By integrating CSV VMs with Kata Containers, applications run in fully isolated environments. All runtime data—including intermediate results and keys—remains encrypted and inaccessible to other processes.
How It Works: Zero-Code Integration
One of the most compelling advantages is application transparency:
- Admins define encryption policies via the management platform.
- Applications update their database connection string to point to the pre-encryption proxy.
- All sensitive data is automatically encrypted before reaching the database.
No code changes are required. The entire process is invisible to developers and end users.
👉 See how enterprises are adopting confidential computing to future-proof their data strategies.
Pilot Implementation & Performance Evaluation
A real-world pilot validated functionality, performance, and scalability.
Deployment Results
- Applications retained full compatibility.
- Field-level encryption achieved without any code modifications.
- Proxy modules were stateless, enabling horizontal scaling.
Performance Benchmarking
| Configuration | Encrypted Fields | Environment | TPS |
|---|---|---|---|
| 2C8G | 1 | Ordinary | ~2900 |
| 2C8G | 1 | Confidential (CSV) | ~2330 |
Results show:
- A performance overhead of 15–20% under low CPU configurations.
- Overhead drops to under 3% when scaling to 6C8G.
- Even at peak load, throughput remains sufficient for most financial workloads.
This demonstrates that security does not have to come at the cost of performance, especially when properly resourced.
Frequently Asked Questions (FAQ)
Q: What makes confidential computing different from traditional encryption?
A: Traditional methods protect data at rest or in transit. Confidential computing secures data while in use, preventing exposure even during processing—closing a major gap in the security lifecycle.
Q: Can this solution work in public cloud environments?
A: Yes. It enhances trust in cloud platforms by ensuring tenant data remains confidential from cloud providers themselves—a key requirement for regulated industries.
Q: Is government approval required for using SM4 algorithms?
A: SM4 is a recognized national cryptographic standard in China and widely permitted for domestic financial applications. Always verify compliance with local regulators.
Q: Does this support compliance with PBOC regulations?
A: Absolutely. The solution aligns with PBOC’s Data Lifecycle Security Specification and supports audit-ready logging and policy enforcement.
Q: How does it handle database backups?
A: Since encryption occurs upstream, backups contain only ciphertext—ensuring protection even if backup media is lost or stolen.
Q: Can I integrate this with existing key management systems?
A: The architecture supports integration with external KMS via standardized APIs while maintaining internal key isolation within the TEE.
Conclusion & Future Outlook
As cyber threats evolve and regulatory scrutiny increases, traditional data protection methods are no longer sufficient. The proposed confidential computing secure storage service delivers a scalable, high-security solution that meets modern financial requirements.
It enables:
- Field-level encryption without app refactoring
- Hardware-backed key and data protection
- Smooth compliance with national standards
- Cloud-friendly deployment with tenant isolation
Looking ahead, combining confidential computing with technologies like secure multi-party computation (MPC) could enable fully encrypted data pipelines—from collection to analysis—unlocking secure data collaboration across institutions while preserving privacy.
For financial organizations aiming to build resilient, future-ready architectures, confidential computing isn’t just an option—it’s a necessity.
👉 Learn how cutting-edge security models are shaping the future of finance.