Imagine you have a safety deposit box that contains something extremely valuable to you. The safety deposit box is locked and stored securely in a bank vault, and only you have the key. When you need access to the item, the box is moved to a private, even more secure room, where only you can use your key to open it and handle the contents. After you’re done, the box is returned to the vault, and the private room is secured again. This way, your valuable item is never exposed outside of the secure environment.
Trusted Execution Environments (TEEs) work similarly in the world of software, and act as that private, super-secure room. They are isolated areas within a system where sensitive data can be handled safely, even if other parts of the system are compromised.
This post will explain the general concepts behind TEEs, explore how they function in mobile devices, and focus on cloud-based TEEs such as AWS Nitro Enclaves. Finally, we’ll discuss how Dynamic leverages TEEs to secure wallet private keys.
Trusted Execution Environments (TEEs) offer critical protection for sensitive data, from personal biometrics in smartphones to private keys in cloud-based wallets. As the demand for secure data processing continues to rise, TEEs are becoming an indispensable component of modern security architectures. Whether in consumer devices or enterprise cloud infrastructure, TEEs ensure that sensitive data can be processed without being exposed to potential threats, even in environments where the rest of the system might be compromised.
TEEs are particularly vital as more sensitive information—financial data, healthcare records, and even national security information—moves into cloud-based systems. Their ability to provide hardware-backed isolation, encryption, and verification makes them one of the most robust solutions available for securing data in use.
Without TEEs, organizations would struggle to protect data from increasingly sophisticated attacks, particularly in multi-tenant cloud environments where shared resources and external threats are prevalent. As our reliance on cloud services, decentralized technologies, and digital identities continues to grow, TEEs will play a pivotal role in safeguarding the confidentiality and integrity of the data that powers these systems.
TEEs aren’t just an added layer of protection—they’re a foundational security feature. As the stakes around data security increase, their role in protecting privacy and ensuring trust in digital environments will become more critical than ever.
Most of us have TEEs in our pockets. That is, most modern smartphones have a TEE (secure enclave) within them for specific secure calculations. These are specialized areas within a device’s processor that handle sensitive tasks like biometric data and payment information.
For example, the Apple Secure Enclave manages Touch ID, Face ID, and cryptographic functions, operating in a separate environment from the phone’s main operating system. Similarly, the Android Trusted Execution Environment, based on ARM TrustZone, ensures sensitive information, such as DRM content and encryption keys, is processed securely.
In cloud environments, TEEs like AWS Nitro Enclaves enable secure data processing at scale for developers. AWS Nitro Enclaves are isolated execution environments that operate within Amazon EC2 instances and are ideal for handling highly sensitive data, such as encryption keys and personally identifiable information (PII).
AWS Nitro Enclaves have several key features:
From a hardware perspective, AWS Nitro Enclaves rely on the Nitro hypervisor, which provides the necessary isolation between the parent EC2 instance and the enclave itself. The Nitro system architecture removes unnecessary functionalities like persistent storage, network access, and interactive access (e.g., SSH), reducing the attack surface. Enclaves only have a single, limited connection to the parent EC2 instance via a secure communication channel, which ensures that only essential data can pass between the two. This strict limitation means that enclaves are completely isolated from external networks, including the internet, further ensuring that sensitive data cannot be accessed or leaked outside the enclave environment.
One of the critical features of Trusted Execution Environments (TEEs) is attestation. Attestation is a security mechanism that allows external parties to verify that the code running inside a TEE is genuine and hasn’t been tampered with. It involves generating cryptographic proofs that can be validated by third-party systems.
Attestation typically works in three steps:
Attestation ensures that sensitive data and operations within the TEE are protected from unauthorized modification, helping to build trust between different components of a system and its users. This is especially important in cloud environments where tenants rely on the infrastructure to be secure and unaltered.
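The following is an added example, not code from Dynamic or AWS: the policy checks a verifier applies to an attestation document once its signature has been validated, covering nonce and timestamp freshness and comparison of the PCR measurements against known-good values. Field names follow the Nitro attestation document layout; the measurements, nonce, module ID, and the `sample_doc` helper are constructed for illustration, and signature and certificate-chain verification are assumed to have been done by the caller.

```python
import hmac

PCR_LEN = 48  # Nitro PCRs are SHA-384 digests

# Constructed reference measurements (placeholders, not real build output).
EXPECTED_PCRS = {0: b"\x11" * PCR_LEN, 1: b"\x22" * PCR_LEN, 2: b"\x33" * PCR_LEN}

def check_attestation(doc, expected_pcrs, nonce, now_ms, max_age_ms=5 * 60 * 1000):
    """Return a list of policy failures; an empty list means the document is acceptable.

    Assumes `doc` is the decoded payload of a document whose signature and
    certificate chain were already verified by the caller.
    """
    failures = []
    # Freshness: the nonce must be the one this verifier just issued.
    if not hmac.compare_digest(doc.get("nonce") or b"", nonce):
        failures.append("nonce mismatch")
    age_ms = now_ms - doc.get("timestamp", 0)
    if not 0 <= age_ms <= max_age_ms:
        failures.append("timestamp outside freshness window")
    pcrs = doc.get("pcrs") or {}
    for index, want in sorted(expected_pcrs.items()):
        got = pcrs.get(index)
        if got is None or len(got) != PCR_LEN:
            failures.append(f"PCR{index} missing or malformed")
        elif not any(got):
            # Debug-mode enclaves attest with all-zero PCRs.
            failures.append(f"PCR{index} is all zeros (debug-mode enclave)")
        elif not hmac.compare_digest(got, want):
            failures.append(f"PCR{index} does not match the expected measurement")
    return failures

def sample_doc(**overrides):
    """Constructed stand-in for a decoded attestation payload."""
    doc = {"module_id": "i-EXAMPLE-enc0", "timestamp": 1_700_000_000_000,
           "nonce": b"verifier-nonce-01", "pcrs": dict(EXPECTED_PCRS)}
    doc.update(overrides)
    return doc

if __name__ == "__main__":
    now = 1_700_000_060_000  # one minute after the sample timestamp
    print(check_attestation(sample_doc(), EXPECTED_PCRS, b"verifier-nonce-01", now))
    tampered = sample_doc(pcrs={**EXPECTED_PCRS, 0: b"\x99" * PCR_LEN})
    print(check_attestation(tampered, EXPECTED_PCRS, b"verifier-nonce-01", now))
```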
TEEs can also play a crucial role in securing signing operations that use crypto private keys. Since private keys are the foundation of all crypto transactions, ensuring their security is vital. When signing happens inside a TEE, it is isolated from the broader system, significantly reducing the risk of exposure due to vulnerabilities in the operating system or application. TEEs also help prevent attacks such as side-channel attacks, ensuring the private key remains secure during transaction signing.
At Dynamic, we leverage TEEs—specifically AWS Nitro Enclaves—to handle the decryption and secure processing of wallet private keys as well as to support the generation of user session keys. The private keys are stored encrypted outside the TEE and are only decrypted within the secure environment when a user initiates a transaction or an action that requires access to the key. This ensures that the private keys are never exposed in an untrusted part of the system.
Just like a safety deposit box in a bank vault (as described above), only the end user holds the key to unlock it when the box is in the private, secure room (the TEE). In other words, only the user has the necessary key or credentials to access their private key when it’s in a secure environment. Even Dynamic cannot unlock or access the private key—ensuring that self-custody remains in the user’s hands.
TEEs ensure that the private keys are never exposed outside the secure environment, protecting against a wide array of potential threats. This system allows us to offer high levels of security and self-custody, ensuring that even in the event of a broader system compromise, the private keys remain protected and secure.