What's New

Data-in-Use Protection on IBM Cloud Kubernetes Service Using Intel® SGX


Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service

The growth of container and microservices adoption across industry continues to accelerate at impressive rates. According to Forrester’s report on Container Security, 58% of developers report that their companies currently use containers or plan to use containers in the next 12 months.

However, according to the same report, security concerns about containers are still top of mind—43% of the respondents said that security was a challenge hindering container adoption. When we talk to our customers, their concerns revolve around understanding the security paradigm shift when using containers and microservices and providing the same level of isolation and insights that they get from on-prem compute resources.

Today, we are excited to announce Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service to help address some of the data protection concerns.

IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging advanced cloud services like blockchain, IoT, and AI through IBM Watson.

Announced in March 2018, bare metal worker nodes provide greater isolation and performance for containerized workloads. Now, with the Intel® SGX capability, developers can protect their code and data inside CPU-hardened “enclaves,” a trusted execution environment (TEE) that keeps application memory encrypted and inaccessible to the host OS and hypervisor while it is in use.

Intel® SGX worker nodes on IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service provides ease of operations (multizone worker node clusters, HA master nodes, platform upgrades for security and open-source updates, and worker node auto-scaling) in a secure environment (access controls using resource groups, customer-managed keys with IBM Key Protect, fine-grained access controls for IBM Cloud Container Registry and the Kubernetes Service with Identity and Access Manager) that is compliant (HIPAA-ready, SOC 1, SOC 2 Type 1, ISAE 3402) and available where you want to run it (Tokyo MZR, San Jose, Oslo, Milan, and our existing data centers). With support for Intel® SGX worker nodes, those same capabilities now extend to workloads whose runtime memory is protected.


Take the following steps to provision Intel® SGX bare metal worker nodes on the IBM Cloud Kubernetes Service:

  1. Go to the IBM Cloud catalog and select Kubernetes Service under Containers.
  2. Click Create on the next screen.
  3. Select Bare Metal under Hardware isolation and choose the highlighted bare metal flavor (mb2c.4x32). The bare metal worker nodes come SGX-enabled in the BIOS.
  4. Bare metal server provisioning may take several hours. Once the cluster is up, it shows the Normal status.

Installing Intel® SGX driver and PSW

You can install the Intel® SGX driver and PSW (Platform Software) by deploying the datashield-sgx-driver-psw-installer container to your cluster.
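One way to deploy the installer container is as a DaemonSet scoped to the SGX bare metal nodes only, so the privileged installer never lands on other workers. This is an added example, not IBM's own manifest; the image path and tag are placeholders, and the `ibm-cloud.kubernetes.io/machine-type` node label and its value are assumptions to verify against your cluster with `kubectl get nodes --show-labels`.

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: sgx-driver-psw-installer
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: sgx-driver-psw-installer
  template:
    metadata:
      labels:
        app: sgx-driver-psw-installer
    spec:
      # Assumption: IBM Cloud labels each worker with its flavor; pin the
      # privileged installer to the SGX bare metal flavor and nothing else.
      nodeSelector:
        ibm-cloud.kubernetes.io/machine-type: mb2c.4x32
      containers:
      - name: installer
        # Placeholder: replace with the registry path of the
        # datashield-sgx-driver-psw-installer image in IBM Cloud Container Registry.
        image: <registry>/datashield-sgx-driver-psw-installer:<tag>
        # Loading the SGX kernel driver on the host requires a privileged container;
        # the nodeSelector above is what keeps that privilege confined to SGX nodes.
        securityContext:
          privileged: true
        volumeMounts:
        - name: host-root
          mountPath: /host
      volumes:
      - name: host-root
        hostPath:
          path: /
```

After rollout, `kubectl -n kube-system get ds sgx-driver-psw-installer` should report a pod count equal to the number of mb2c.4x32 workers and zero on any other flavor.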


You can find Intel® SGX-enabled container applications—MySQL, Vault, Nginx—in the IBM Cloud Container Registry public repositories. (Search for datashield-mysql, datashield-vault, and datashield-nginx.)

The IBM Cloud docs on getting started are located here.

Engage us

If you have questions or concerns, engage our team on Slack. You can register here and join the discussion in the #general channel on https://ibm-container-service.slack.com/.

Software Architect (Innovation)

Christopher Rosen

Program Director, Offering Management, IBM Kubernetes Service & IBM Container Registry
