Introduction to Trusted Execution Environments (TEEs)

Imagine you have a safety deposit box that contains something extremely valuable to you. The safety deposit box is locked and stored securely in a bank vault, and only you have the key. When you need access to the item, the box is moved to a private, even more secure room, where only you can use your key to open it and handle the contents. After you’re done, the box is returned to the vault, and the private room is secured again. This way, your valuable item is never exposed outside of the secure environment.

Trusted Execution Environments (TEEs) work similarly in the world of software, and act as that private, super-secure room. They are isolated areas within a system where sensitive data can be handled safely, even if other parts of the system are compromised.

This post will explain the general concepts behind TEEs, explore how they function in mobile devices, and focus on cloud-based TEEs such as AWS Nitro Enclaves. Finally, we’ll discuss how Dynamic leverages TEEs to secure wallet private keys.
‍

TEEs — A Key Part of Modern Security Infrastructure

Trusted Execution Environments (TEEs) offer critical protection for sensitive data, from personal biometrics in smartphones to private keys in cloud-based wallets. As the demand for secure data processing continues to rise, TEEs are becoming an indispensable component of modern security architectures. Whether in consumer devices or enterprise cloud infrastructure, TEEs ensure that sensitive data can be processed without being exposed to potential threats, even in environments where the rest of the system might be compromised.

TEEs are particularly vital as more sensitive information—financial data, healthcare records, and even national security information—moves into cloud-based systems. Their ability to provide hardware-backed isolation, encryption, and verification makes them one of the most robust solutions available for securing data in use.

Without TEEs, organizations would struggle to protect data from increasingly sophisticated attacks, particularly in multi-tenant cloud environments where shared resources and external threats are prevalent. As our reliance on cloud services, decentralized technologies, and digital identities continues to grow, TEEs will play a pivotal role in safeguarding the confidentiality and integrity of the data that powers these systems.

TEEs aren’t just an added layer of protection—they’re a foundational security feature. As the stakes around data security increase, their role in protecting privacy and ensuring trust in digital environments will become more critical than ever.
‍

TEEs in Mobile Devices: Secure Enclaves

Most of us have TEEs in our pockets. That is, most modern smartphones have a TEE (secure enclave) within them for specific secure calculations. These are specialized areas within a device’s processor that handle sensitive tasks like biometric data and payment information.

For example, Apple Secure Enclave: Manages Touch ID, Face ID, and cryptographic functions, operating in a separate environment from the phone’s main operating system.Similarly, Android Trusted Execution Environment: Based on ARM TrustZone, ensures sensitive information, such as DRM content and encryption keys, is processed securely.

Cloud-Based TEEs: AWS Nitro Enclaves

In cloud environments, TEEs like AWS Nitro Enclaves enable secure data processing at scale for developers. AWS Nitro Enclaves are isolated execution environments that operate within Amazon EC2 instances and are ideal for handling highly sensitive data, such as encryption keys and personally identifiable information (PII).

AWS Nitro Enclaves have several key features:

• Isolation: They operate in a tightly controlled, isolated environment (i.e., isolated memory and CPU from a separate kernel to the parent instance) with limited external network access.
• Cryptographic Attestation: Customers can verify that the enclave is operating as expected.
• Secure Data Handling: Data can be encrypted and processed securely without leaving the protected environment.
  ‍

Hardware Structure of AWS Nitro Enclaves

From a hardware perspective, AWS Nitro Enclaves rely on the Nitro hypervisor, which provides the necessary isolation between the parent EC2 instance and the enclave itself. The Nitro system architecture removes unnecessary functionalities like persistent storage, network access, and interactive access (e.g., SSH), reducing the attack surface. Enclaves only have a single, limited connection to the parent EC2 instance via a secure communication channel, which ensures that only essential data can pass between the two. This strict limitation means that enclaves are completely isolated from external networks, including the internet, further ensuring that sensitive data cannot be accessed or leaked outside the enclave environment.

A Note on Attestation in TEEs

One of the critical features of Trusted Execution Environments (TEEs) is attestation. Attestation is a security mechanism that allows external parties to verify that the code running inside a TEE is genuine and hasn’t been tampered with. It involves generating cryptographic proofs that can be validated by third-party systems.

Attestation typically works in three steps:

1. Measurement: When the TEE is initialized, it measures the code and environment configuration running inside it. These measurements, such as hash values of the software and configuration, are securely recorded.
2. Signing: The measurements are then signed by a certificate, typically issued by a trusted authority. This step ensures that the attestation output can be cryptographically verified.
3. Verification: The TEE generates a cryptographic report (attestation) that includes the signed measurements. This report can then be sent to a trusted external entity, which checks the measurements and their signatures against known, trusted values to ensure that the environment is legitimate and secure.

Attestation ensures that sensitive data and operations within the TEE are protected from unauthorized modification, helping to build trust between different components of a system and its users. This is especially important in cloud environments where tenants rely on the infrastructure to be secure and unaltered.
‍

TEEs and Securing Crypto Private Keys

TEEs can also play a crucial role in securing signing activities of crypto private keys. Since private keys are the foundation of all crypto transactions, ensuring their security is vital. By using TEEs for signing activities, private key signing is isolated from the broader system, significantly reducing the risk of exposure due to vulnerabilities in the operating system or application. TEEs also help prevent attacks like side-channel attacks, ensuring the private key remains secure during transaction signing.
‍

How Dynamic Uses Trusted Execution Environments (TEEs)

Dynamic leverages Trusted Execution Environments (TEEs), specifically AWS Nitro Enclaves, to protect sensitive wallet operations like key decryption and transaction signing. These TEEs create isolated, hardware-backed execution spaces that ensure cryptographic operations occur in a fully verified and secure environment.

When Signing Transactions

Dynamic uses a multi-party computation (MPC) model where private keys are split into two parts:

• User Share: Held locally by the user and used for partial signing on their device.
• Server Share: Encrypted and securely stored on Dynamic’s side. When needed, this share is decrypted and used within a TEE, never leaving the enclave environment.

The full private key is never assembled in any single location, even within the TEE itself.

This Architecture Ensures That:

• No single party, including Dynamic, can reconstruct or control the private key.
• Users retain full self-custody of their wallets.
• Recovery is possible if a user loses access to their device.
• The system is resilient to compromise of any single component or service.
• All signing and decryption operations occur within attested, hardware-isolated TEEs, providing an additional layer of security.

Encryption and Storage

Dynamic’s Server Share is generated inside Evervault enclaves, encrypted by the enclave itself, and stored securely in Dynamic’s database. It is only decrypted when necessary and always within an AWS Nitro Enclave, ensuring end-to-end protection for sensitive key material.

By combining TEE-based isolation with MPC (multi-party computation), Dynamic provides the highest level of security for wallet infrastructure, balancing user ownership, scalability, and compliance without compromising control.
‍

FAQs

What is a Trusted Execution Environment (TEE)?
A Trusted Execution Environment (TEE) is a secure area within a processor that ensures sensitive data is processed safely and isolated from the rest of the system. It protects against tampering and unauthorized access even if the main operating system is compromised.

How do TEEs differ from traditional encryption?
Traditional encryption protects data at rest or in transit, while TEEs protect data in use, during active computation. This means even while data is being processed, it stays secure and inaccessible to unauthorized code.

What is cryptographic attestation in TEEs?
Attestation allows external parties to verify that a TEE is running legitimate, untampered code. It uses cryptographic proofs to confirm the integrity and authenticity of the execution environment before sensitive data is processed.

How are TEEs used in cloud computing?
Cloud-based TEEs, such as AWS Nitro Enclaves, create isolated virtual environments where sensitive data like encryption keys or personal information can be processed securely. They ensure that even cloud administrators cannot access the protected data.

How do TEEs help secure crypto private keys?
In crypto systems, TEEs isolate signing and key decryption operations from the rest of the application. This ensures that private keys are never exposed, reducing risk even in the event of system compromise.