Inclavare Containers

An open source enclave container runtime and security architecture for confidential computing scenarios.


Designed to help users protect the security, integrity and confidentiality of data in use

Open Standard

Fully open source and co-constructed, maintaining community neutrality, compatible communities, and compatible open source ecology

Cloud Native

Create a cloud-native confidential computing universal base for trusted business applications and second-party products to the cloud

What is Inclavare Containers?

Inclavare Containers, developed by Alibaba Cloud and Ant Group and cooperated with Intel, is the industry's first open source container runtime for confidential computing. Inclavare Containers significantly reduces the user's threshold for use. A variety of different enclave forms are available, providing more choices and flexibility between safety and cost for end users.

What problems does Inclavare Container solve?

Isolate privileged software Create the hardware-enforced isolation between tenant’s workload and privileged software controlled by CSP.
Remove CSP Remove CSP from the Trusted Computing Base(TCB) of tenant in untrusted cloud.
Remote attestation Construct the general attestation infrastructure to convince users to trust the workloads running inside TEE based on hardware assisted enclave technology.
Easy to use Provide low barrier to the use of confidential computing and the same experience as ordinary container.

Origin and History

  • Epiphany


  • PoC
    Prototype of rune


  • Open Source
    0.1.0 release
    First supported enclave runtime Occlum
    Based on SGX 1 hardware


  • 0.2.0 release
    Open-sourced shim and runectl (later renamed as sgx-tools)
    Load pal from host
    Update PAL API to v2


  • 0.3.0 release
    Support creation of a Confidential Computing K8s Cluster
    Adapt to v33 SGX in-tree driver
    RPM/DEB binaries


  • 0.4.0 release
    RA-TLS PoC
    Enclave Pooling Manager framework
    Dragonwell 11 (LTS for OpenJDK 11) reference image
    Skeleton enclave runtime


  • 0.4.1 release
    Stub enclave
    RA in shim
    w/o launching Occlum SDK container during bundle convertation
    PAL API v3 Enhance sgx-tools


  • 0.5.0 release
    K8s RA infrastructure with RA-TLS
    Enclave pooling
    Bundle cache
    Graphene enclave runtime


  • 0.5.1 release
    Initial enclave runtime support for AWS Nitro Enclaves
    Integration with pouch
    Improve the performance of enclave instant launch


  • 0.5.2 release
    Implement Shelter
    Supply full CI/CD workflows
    Support Occlum 0.18.1


  • 0.6.0 release
    Implement ECDSA-based attestation in ra-tls
    Support bundle cache level 2
    Provide DCAP utilities in sgx-tools
    Support Occlum 0.19.0


  • 0.6.1 release
    Implement Enclave Attestation Architecture (EAA)
    Implement Inclavared
    Support Occlum 0.21.0
    Evolved from ra-tls to Enclave-TLS


Current State

rune has been written into the OCI Runtime implementation list.
Support to run Enclave containers through K8s and Docker.
Implement Enclave container type based on Intel SGX technology.
Support Occlum SGX library OS.
Ten binary release versions from 0.1.0 to 0.6.1 have released for the community.
Provide Web server reference images based on Golang and Java development.

Application Scenario