Introducing Conclave 1.2

December 07, 2021

By Iryna Tsimashenka


We are pleased to announce the release of Conclave 1.2, which delivers two data persistence features, a key-derivation service to simplify cloud development, a common host, and other features that improve the developer experience.

Conclave is a software development kit and suite of complementary cloud services that make it easy for developers to build privacy-enhancing applications for their customers. Privacy-enhancing applications protect users’ data from being misused by cryptographically proving exactly what will happen to any data they submit. Conclave aspires to be the industry’s simplest and quickest way for non-specialist developers to add these capabilities to their offerings.

Conclave 1.2 radically reduces the journey to production by removing barriers to cloud deployment and simplifying the developer experience.

Cloud acceleration

Our cloud-based Key-Derivation Service (KDS) makes it possible to deploy privacy-enhancing applications that are not tied to any one machine, unlocking clusters and high-availability architectures. The private key is not attached to a particular SGX instance and can be derived from any source, such as HSM. Since the key is not linked to the CPU, enclave data can easily be migrated from one VM to another and provide seamless redeployment of VM by cloud service providers. Read more about KDS in the blogs here and here.

Data persistence

Conclave 1.2 provides out-of-the-box support for data persistence, which is fully integrated with the key-derivation service to enable cloud-native Conclave applications. It has unique optional ‘malicious host’ detection technology to make security more robust. Two persistent features are now available:

    1. The persistent file system gives the enclave the ability to securely store data on the host, and data is still available even after the enclave restarts. In many other Confidential Computing SDKs, when an enclave wrote data into a file, it would only reside in memory and disappear after the enclave was restarted.
    2. To improve security, the enclave class now exposes a simple key-value store, represented as a standard java.util.Map object. Conclave will securely persist the encrypted map on the host side. Not only is the map still securely available after an enclave restarts, but it is also resilient against attempts by a malicious host to roll it back to a previous state (rollback attacks).

A deep-dive blog on these two persistence features, what “rollback attacks” are, and how Conclave protects against them can be found here.

Common host

Conclave 1.2 includes an out-of-the-box ‘Common Host’ and ‘Common Client’ to radically simplify the developer journey. This removes the need to develop boilerplate hosting logic and provides a stepping stone to the future Conclave cloud hosting service. A client also has a set of new APIs to simplify the client’s code and remove any communication complexities. Read more about the Common Host here and here.

Developer productivity

Conclave 1.2 offers several features to boost developer productivity:

    • Conclave Init tool to make setting up a Conclave project easier
    • Updated mail-enclave communication protocol to support ephemeral sessions. These changes, along with persistent storage and KDS, provide additional security and flexibility when working with Conclave mail and persistent data.
    • Experimental support for Python as a new programming language to write enclave code
    • We have updated enclave code to Java 11 as a default JDK version. We still support the Java 8 version but enclaves must opt in for it.

Additional features

In addition, Conclave 1.2 delivers:

    • Enclave lifecycle methods for enclave startup initialization and shutdown cleanup
    • Further improvements to the Conclave Gradle plugin to reduce the amount of boilerplate code needed
    • Improved API for checking platform support
    • Upgraded to the latest Intel SGX SDK 2.14, which addresses the latest security fixes and other improvements
    • Host load is no longer required to specify enclave class name as a parameter

To download Conclave 1.2, click here!

Want to learn more?

Below are some helpful resources to learn more about Conclave and Confidential Computing.