Enclave Technology

Secure Enclave AI Training for Healthcare

Secure enclaves are the hardware foundation of private clinical AI training

A secure enclave, also known as a Trusted Execution Environment (TEE), is a hardware-isolated region of CPU memory where code and data can execute without being observable or modifiable by the operating system, the hypervisor, or any other process, even one with root or physical access to the machine.

In a clinical AI context, the secure enclave creates a verifiable boundary around the training process: the hospital's IT administrator cannot inspect training data inside the enclave. The AI company's model code cannot exfiltrate data outside the enclave. The enclave's identity — its cryptographic measurement (MRENCLAVE) — is independently verifiable through Intel's Data Center Attestation Primitives (DCAP).

How Intel SGX protects clinical data during AI training

  1. Enclave creation: The Rapha Edge Core OS C launcher creates an SGX enclave in protected memory. The enclave is measured — every byte of code loaded into it is hashed to produce a unique MRENCLAVE value.
  2. Enclave attestation: The Rapha Network Orchestration Hub verifies the enclave's identity through Intel DCAP: the MRENCLAVE must match the expected value for the Rapha training runtime, the MRSIGNER must match the Rapha signing key, and the Intel root CA certificate chain must validate.
  3. Data loading: Clinical data is read from hospital storage into the enclave's encrypted memory. The data is decrypted only inside the enclave. The operating system sees only encrypted memory pages.
  4. Model training: The AI model training executes entirely within the enclave. Memory access patterns are obfuscated. The CPU enforces that only enclave code can access enclave memory.
  5. Output extraction: Trained model weights are serialised within the enclave, hashed for the proof receipt, and transmitted to the researcher. No raw clinical data crosses the enclave boundary.
  6. Enclave destruction: After training completes, the enclave is torn down. All enclave memory pages are deallocated. The clinical data in memory is unrecoverable.
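The attestation policy in step 2 is where the orchestration hub decides whether a launched enclave is the expected training runtime. The following is an added example, not code from Rapha Protocol, showing the checks a verifier applies to the ISV enclave report body carried inside an Intel SGX DCAP (ECDSA, quote format v3) quote: the MRENCLAVE and MRSIGNER comparisons named in step 2, plus the DEBUG-attribute, ISVSVN and nonce-freshness checks a practitioner would add alongside them. The EXPECTED_MRENCLAVE and EXPECTED_MRSIGNER values, the product ID, the minimum SVN and the sample quote are all constructed placeholders for the demo, not real Rapha measurements. The quote's ECDSA signature and the PCK certificate chain up to the Intel SGX root CA are assumed to have been verified by the DCAP Quote Verification Library before this policy check runs; that step is not reproduced here.

```python
"""Added example (not Rapha Protocol code): attestation policy check on the
report body of an SGX DCAP quote (format v3). Signature and Intel root CA
chain verification are assumed done by the DCAP QVL beforehand."""
import hashlib
import struct

# Layout of a v3 quote: 48-byte quote header, then the 384-byte ISV enclave
# report body (sgx_report_body_t), then the signature data (not used here).
QUOTE_HEADER_LEN = 48
REPORT_BODY_LEN = 384
# Field offsets inside the report body.
OFF_ATTRIBUTES = 48      # 16 bytes: 8-byte flags + 8-byte XFRM
OFF_MRENCLAVE = 64       # 32 bytes
OFF_MRSIGNER = 128       # 32 bytes
OFF_ISVPRODID = 256      # 2 bytes, little-endian
OFF_ISVSVN = 258         # 2 bytes, little-endian
OFF_REPORTDATA = 320     # 64 bytes
ATTR_DEBUG = 0x2         # DEBUG bit in attributes.flags

# Placeholder policy values, constructed for this demo (not real measurements).
EXPECTED_MRENCLAVE = hashlib.sha256(b"demo-training-runtime").digest()
EXPECTED_MRSIGNER = hashlib.sha256(b"demo-signing-key").digest()
EXPECTED_ISVPRODID = 1
MIN_ISVSVN = 3


def parse_report_body(quote: bytes) -> dict:
    """Extract the policy-relevant fields from the report body of a v3 quote."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain a report body")
    version = struct.unpack_from("<H", quote, 0)[0]
    if version != 3:
        raise ValueError(f"unsupported quote version {version}")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    flags = struct.unpack_from("<Q", body, OFF_ATTRIBUTES)[0]
    return {
        "debug": bool(flags & ATTR_DEBUG),
        "mrenclave": body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        "mrsigner": body[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        "isvprodid": struct.unpack_from("<H", body, OFF_ISVPRODID)[0],
        "isvsvn": struct.unpack_from("<H", body, OFF_ISVSVN)[0],
        "reportdata": body[OFF_REPORTDATA:OFF_REPORTDATA + 64],
    }


def check_policy(quote: bytes, nonce: bytes) -> list:
    """Return the list of policy violations; an empty list means 'accept'."""
    r = parse_report_body(quote)
    problems = []
    if r["debug"]:
        problems.append("DEBUG attribute set: enclave memory is inspectable")
    if r["mrenclave"] != EXPECTED_MRENCLAVE:
        problems.append("MRENCLAVE does not match the expected training runtime")
    if r["mrsigner"] != EXPECTED_MRSIGNER:
        problems.append("MRSIGNER does not match the expected signing key")
    if r["isvprodid"] != EXPECTED_ISVPRODID:
        problems.append("unexpected ISVPRODID")
    if r["isvsvn"] < MIN_ISVSVN:
        problems.append(f"ISVSVN {r['isvsvn']} below minimum {MIN_ISVSVN}")
    # Freshness: the enclave binds the verifier's nonce into REPORTDATA
    # (first 32 bytes = SHA-256(nonce), remainder zero) so an old quote
    # cannot be replayed for a new session.
    expected_rd = hashlib.sha256(nonce).digest() + bytes(32)
    if r["reportdata"] != expected_rd:
        problems.append("REPORTDATA does not bind the session nonce (possible replay)")
    return problems


def build_demo_quote(mrenclave, mrsigner, isvsvn, nonce, debug=False) -> bytes:
    """Construct a v3-shaped quote for testing; signature data is omitted."""
    # header: version=3, att_key_type=2 (ECDSA P-256), reserved, qe_svn,
    # pce_svn, 16-byte vendor id, 20-byte user data
    header = struct.pack("<HHIHH", 3, 2, 0, 0, 0) + bytes(16) + bytes(20)
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<QQ", body, OFF_ATTRIBUTES, ATTR_DEBUG if debug else 0, 0)
    body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    struct.pack_into("<HH", body, OFF_ISVPRODID, EXPECTED_ISVPRODID, isvsvn)
    body[OFF_REPORTDATA:OFF_REPORTDATA + 64] = hashlib.sha256(nonce).digest() + bytes(32)
    return header + bytes(body)


if __name__ == "__main__":
    nonce = b"constructed-session-nonce"
    good = build_demo_quote(EXPECTED_MRENCLAVE, EXPECTED_MRSIGNER, 3, nonce)
    print("good quote:", check_policy(good, nonce) or "accepted")
    bad = build_demo_quote(EXPECTED_MRENCLAVE, bytes(32), 2, nonce, debug=True)
    print("bad quote:", check_policy(bad, nonce))
```

The verifier reports every failed check rather than stopping at the first, which makes the rejection reason auditable in the orchestration hub's logs. A DEBUG-mode enclave is rejected even when its measurement matches, because debug enclaves allow the host to read their memory, which defeats the boundary described in the steps above.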

SGX vs TDX: which enclave technology for which workload?

Intel SGX (Software Guard Extensions)

  • Protection scope: Application-level. Individual code regions within a process run inside the enclave.
  • Memory limit: 512MB-1TB Enclave Page Cache (EPC), depending on processor generation.
  • Best for: Targeted ML training workloads where the training script, hyperparameters, and data loader are known and bounded.
  • Rapha Protocol support: Primary TEE. Production C enclave launcher. Gramine manifest for SGX execution.

Intel TDX (Trust Domain Extensions)

  • Protection scope: VM-level. The entire virtual machine — OS, libraries, application — runs inside a hardware-isolated trust domain.
  • Memory limit: Full VM memory allocation. Supports larger workloads than application-level SGX.
  • Best for: Complex ML workflows requiring full OS access, custom libraries, or large memory footprints that exceed SGX enclave limits.
  • Rapha Protocol support: Planned. TDX support roadmap for workloads requiring VM-level isolation.

Production-grade SGX execution requires: Linux host with Intel SGX/DCAP driver stack, configured Gramine manifest, expected MRENCLAVE/MRSIGNER values, Intel root CA PEM, and trusted attestor signing key. Non-SGX hardware returns ENOTSUP — no software fallback, no synthetic attestation, no path to settlement.