Enclave
An isolated region of CPU or GPU memory protected by hardware. Code and data inside the enclave are inaccessible to the operating system, the hypervisor, or even the machine's physical owner.
Also known as: secure enclave, hardware enclave
An enclave is the technical name for the isolated region a TEE creates. The CPU or GPU has special instructions that mark a chunk of memory as enclave memory and refuse to let anything outside the enclave (including the operating system kernel, the hypervisor, and every other process) read or modify it: a software access from outside either faults or returns a fixed value instead of the data (on SGX, reads of enclave pages return all ones and writes are dropped), and the memory controller encrypts the contents on their way to DRAM, so anyone probing the memory bus or the DIMMs sees only ciphertext. Code that runs inside the enclave reads and writes its own enclave memory normally, because the decryption happens transparently inside the CPU package.
The size and capabilities of enclaves vary by hardware generation. Intel SGX (the first widely deployed enclave technology, shipped with Skylake in 2015) had a small protected memory pool (the EPC, originally 128 MB, later expanded to hundreds of gigabytes per socket on Xeon server parts), and an SGX enclave is only a portion of a single user-space process: it cannot make system calls directly, so applications have to be partitioned into trusted and untrusted halves or run under a library OS such as Gramine. Intel TDX (launched on Sapphire Rapids Xeons in 2023) lets you run an entire virtual machine as the enclave, which means a normal Linux installation with whatever services you want can run confidentially without rewriting the application. NVIDIA Confidential Computing on H100/H200 extends the boundary to the GPU: the GPU’s own memory is firewalled from the host, and traffic between the confidential VM and the GPU is encrypted on the PCIe link. It needs a CPU-side confidential VM (TDX or AMD SEV-SNP) to anchor to, and it is essential for AI workloads whose working set lives in GPU memory.
The reason enclaves matter for DeAI is that AI inference is GPU-heavy. Running a 70B-parameter model means loading roughly 140 GB of weights at 16-bit precision into GPU memory, plus the KV cache for every prompt in flight. If that memory is readable by the GPU operator, they can dump the prompts, the model weights, or the responses at will. NVIDIA Confidential Computing places the GPU memory and the CPU-GPU link inside the enclave boundary, so a malicious server operator who controls the host OS, the hypervisor, or the PCIe bus cannot extract any of those things: the prompt enters through an encrypted channel that terminates inside the confidential VM, and the only plaintext copy ever lives in protected CPU or GPU memory. This is the technical foundation that makes private DeAI inference plausible at scale.
The practical caveat is that enclave technology has had a bumpy security history. Intel SGX was broken multiple times by side-channel attacks: Foreshadow (2018) read enclave memory out of the L1 cache, and CacheOut and SGAxe (2020) leaked data across the enclave boundary, in SGAxe’s case the attestation keys themselves, so a compromised machine could forge proof that it was running a genuine enclave. Each break required microcode patches or new hardware to fully fix. Each project that builds on enclaves is implicitly trusting the hardware vendor’s security model and patch cadence, and the only evidence a user ever receives is the attestation quote, so that quote has to be checked against a pinned measurement and an up-to-date TCB level rather than merely shown to exist. The OYM project reviews scrutinise this carefully when scoring privacy claims; “we use TEEs” is not the same as “this is genuinely private.”
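As an added example (not code from this page or from the OYM project), here is the kind of quote check that turns “we use TEEs” into something verifiable. It parses the 384-byte REPORT body that sits after the 48-byte header of an SGX DCAP (v3) quote, at the fixed offsets from Intel’s documentation, and enforces a policy: no DEBUG enclaves (a debug enclave’s memory is readable through the debug interface, so its quote proves nothing about privacy), a pinned MRENCLAVE, the expected MRSIGNER, a minimum ISV SVN so stale builds are refused, and REPORTDATA bound to the session key the enclave presented. The quote bytes, the measurements, the policy values and the `make_test_quote` helper are constructed for the example; the ECDSA signature chain and the Intel PCS TCB-status check (which is where the microcode patch level is reported) are deliberately omitted and must be done by a real quote verification library before any of these fields can be trusted.

```python
import hashlib
import struct
from dataclasses import dataclass

# Fixed layout of an SGX DCAP (v3) quote: 48-byte header, then the 384-byte
# REPORT body of the attested enclave, then signature data (not parsed here).
QUOTE_HEADER_LEN = 48
REPORT_BODY_LEN = 384
OFF_ATTRIBUTES = 48    # 8-byte FLAGS followed by 8-byte XFRM
OFF_MRENCLAVE = 64     # SHA-256 over the enclave's initial code and data
OFF_MRSIGNER = 128     # SHA-256 of the signing key's modulus
OFF_ISVPRODID = 256    # u16 product ID, then u16 security version number
OFF_REPORTDATA = 320   # 64 bytes chosen by the enclave, e.g. hash of its TLS key

ATTR_FLAG_INIT = 1 << 0
ATTR_FLAG_DEBUG = 1 << 1       # set => a debugger can read/write enclave memory
ATTR_FLAG_MODE64BIT = 1 << 2


@dataclass
class ReportBody:
    attributes_flags: int
    mrenclave: bytes
    mrsigner: bytes
    isv_prod_id: int
    isv_svn: int
    report_data: bytes


def parse_report_body(quote: bytes) -> ReportBody:
    """Pull the attested enclave's REPORT fields out of a raw quote."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain a report body")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    (flags,) = struct.unpack_from("<Q", body, OFF_ATTRIBUTES)
    prod_id, svn = struct.unpack_from("<HH", body, OFF_ISVPRODID)
    return ReportBody(
        attributes_flags=flags,
        mrenclave=body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        mrsigner=body[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        isv_prod_id=prod_id,
        isv_svn=svn,
        report_data=body[OFF_REPORTDATA:OFF_REPORTDATA + 64],
    )


@dataclass(frozen=True)
class Policy:
    allowed_mrenclave: frozenset   # measurements of enclave builds we reviewed
    expected_mrsigner: bytes
    min_isv_svn: int               # reject builds older than this patch level
    expected_report_data: bytes    # binds the quote to the enclave's session key


def check_quote(quote: bytes, policy: Policy) -> list:
    """Return policy violations as strings; an empty list means the quote passes.

    Assumes the caller has ALREADY verified the quote's ECDSA signature chain
    and the platform TCB status with a real QVL; fields from an unverified
    quote prove nothing.
    """
    rb = parse_report_body(quote)
    problems = []
    if rb.attributes_flags & ATTR_FLAG_DEBUG:
        problems.append("DEBUG enclave: memory readable via the debug interface")
    if rb.mrenclave not in policy.allowed_mrenclave:
        problems.append("MRENCLAVE not in the reviewed allowlist")
    if rb.mrsigner != policy.expected_mrsigner:
        problems.append("MRSIGNER mismatch: enclave signed by an unexpected key")
    if rb.isv_svn < policy.min_isv_svn:
        problems.append(f"ISVSVN {rb.isv_svn} below minimum {policy.min_isv_svn}")
    if rb.report_data != policy.expected_report_data:
        problems.append("REPORTDATA does not bind to the presented session key")
    return problems


def make_test_quote(flags: int, mrenclave: bytes, mrsigner: bytes,
                    isv_svn: int, report_data: bytes) -> bytes:
    """Constructed quote for this example: zeroed header, no signature data."""
    body = bytearray(REPORT_BODY_LEN)
    struct.pack_into("<Q", body, OFF_ATTRIBUTES, flags)
    body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    struct.pack_into("<HH", body, OFF_ISVPRODID, 1, isv_svn)
    body[OFF_REPORTDATA:OFF_REPORTDATA + 64] = report_data
    return bytes(QUOTE_HEADER_LEN) + bytes(body)


# Constructed values standing in for a reviewed build and its signing key.
MR_REVIEWED = hashlib.sha256(b"example-inference-enclave-v1.2").digest()
SIGNER = hashlib.sha256(b"example-vendor-signing-key").digest()
# Common convention: REPORTDATA = SHA-256(enclave's TLS public key), zero-padded to 64 bytes.
SESSION_KEY_HASH = hashlib.sha256(b"example-session-pubkey").digest() + bytes(32)
POLICY = Policy(frozenset([MR_REVIEWED]), SIGNER, 5, SESSION_KEY_HASH)
PROD_FLAGS = ATTR_FLAG_INIT | ATTR_FLAG_MODE64BIT


if __name__ == "__main__":
    good = make_test_quote(PROD_FLAGS, MR_REVIEWED, SIGNER, 5, SESSION_KEY_HASH)
    debug = make_test_quote(PROD_FLAGS | ATTR_FLAG_DEBUG, MR_REVIEWED, SIGNER, 5, SESSION_KEY_HASH)
    print("production quote:", check_quote(good, POLICY) or "OK")
    print("debug quote:     ", check_quote(debug, POLICY))
```

In a real deployment the raw quote goes through Intel’s quote verification library (`sgx_qv_verify_quote` in the DCAP QVL, or an equivalent) first, and the policy above is applied only if that call reports a signature that chains to Intel’s root and a TCB status that is not out of date; a quote whose fields all match but whose TCB is flagged as vulnerable to a published advisory is exactly the “we use TEEs, but it is not private” case the text warns about.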