Data-in-Use Protection on IBM Cloud Kubernetes Service Using Intel® SGX


Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service

The growth of container and microservices adoption across industry continues to accelerate at impressive rates. According to Forrester’s report on Container Security, 58% of developers report that their companies currently use containers or plan to use containers in the next 12 months.

However, according to the same report, security concerns about containers are still top of mind—43% of the respondents said that security was a challenge hindering container adoption. When we talk to our customers, their concerns revolve around understanding the security paradigm shift when using containers and microservices and providing the same level of isolation and insights that they get from on-prem compute resources.

Today, we are excited to announce Intel® Software Guard Extensions (Intel® SGX) bare metal worker nodes for IBM Cloud Kubernetes Service to help address some of the data protection concerns.

IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service is a managed Kubernetes offering to deliver powerful management tools, an intuitive user experience, and built-in security and isolation to enable rapid delivery of applications, all while leveraging advanced cloud services like blockchain, IoT, and AI through IBM Watson.

Announced in March 2018, bare metal worker nodes provide greater isolation and performance for containerized workloads. Now, with the Intel® SGX capability, developers can protect their code and data inside CPU-hardened "enclaves," a trusted execution environment (TEE).

Intel® SGX worker nodes on IBM Cloud Kubernetes Service

IBM Cloud Kubernetes Service provides ease of operations (multizone worker node clusters, HA master nodes, platform upgrades for security and open-source updates, and worker node auto-scaling) in an environment that is secure (access controls using resource groups, customer-managed keys with IBM Key Protect, fine-grained access controls for IBM Cloud Container Registry and the Kubernetes Service with Identity and Access Manager), compliant (HIPAA-ready, SOC 1, SOC 2 Type 1, ISAE 3402), and available where you want to run it (Tokyo MZR, San Jose, Oslo, Milan, and our existing data centers). Support for Intel® SGX worker nodes extends those same capabilities to workloads whose runtime memory is protected by SGX enclaves.


Take the following steps to provision Intel® SGX bare metal worker nodes on the IBM Cloud Kubernetes Service:

  1. Go to the IBM Cloud catalog and select Kubernetes Service under Containers.

  2. Click Create on the next screen.

  3. Select Bare Metal under Hardware isolation and choose the highlighted bare metal flavor (mb2c.4x32). The bare metal worker nodes come SGX-enabled in the BIOS.

  4. Bare metal server provisioning may take several hours. Once you have the cluster up, you will see the Normal status for the cluster.


Installing Intel® SGX driver and PSW

You can install the Intel® SGX driver and PSW (Platform Software) by deploying the datashield-sgx-driver-psw-installer container to your cluster.

  1. Log in to IBM Cloud and target your cluster.
  2. Log in to the IBM Cloud registry.
  3. Set your region to the global registry.
    ibmcloud cr region-set global
  4. Find the latest image and then install it.
    ibmcloud cr images --include-ibm | grep psw
    Example output:
    1.7.373    b0198a376a5c   ibm     2 weeks ago     14 MB    No Issues
    1.8.396    96629d56f1fa   ibm     4 days ago      15 MB    No Issues
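Step 4 leaves the choice of tag to you. The following shell script is an added example, not code from the IBM Cloud post or the DataShield project: it reads the listing that the command above prints and selects the highest X.Y.Z tag, but only among rows whose last column reads "No Issues," so an image flagged in the vulnerability status column is never picked just because its version number is newer. The column layout is assumed from the post's example output; the sample listing embedded in the script is constructed to mirror those two rows, and `find_latest_psw_image` is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example, not code from the IBM Cloud post: choose which
# datashield-sgx-driver-psw-installer tag to deploy from the listing that
# `ibmcloud cr images --include-ibm | grep psw` prints.
#
# Assumed column layout, taken from the post's example output:
#   <tag>  <digest>  <namespace>  <age ...>  <size>  <vulnerability status>
# Only rows whose status column reads "No Issues" are considered, so an
# image flagged in that column is skipped even if its version is higher.

# Constructed sample listing mirroring the two rows shown in the post.
SAMPLE_LISTING='1.7.373    b0198a376a5c   ibm     2 weeks ago     14 MB    No Issues
1.8.396    96629d56f1fa   ibm     4 days ago      15 MB    No Issues'

# latest_clean_tag: read a listing on stdin and print the highest X.Y.Z tag
# among rows marked "No Issues". Prints nothing if no row qualifies.
# A numeric per-field sort is used instead of `sort -V` so the function
# runs on any POSIX sort implementation.
latest_clean_tag() {
  grep 'No Issues *$' \
    | awk '{ print $1 }' \
    | sort -t . -k1,1n -k2,2n -k3,3n \
    | tail -n 1
}

# find_latest_psw_image (hypothetical name): run the real listing command
# from the post and select a tag. Requires a logged-in ibmcloud CLI that
# targets the global registry (steps 2 and 3); not run by the demo below.
find_latest_psw_image() {
  ibmcloud cr images --include-ibm | grep psw | latest_clean_tag
}

# Stand-alone demonstration on the constructed sample (prints 1.8.396).
printf '%s\n' "$SAMPLE_LISTING" | latest_clean_tag
```

Pipe the live listing through `latest_clean_tag` (or call `find_latest_psw_image`) to get a single tag string that you can then reference when deploying the installer container; if the function prints nothing, every listed image has reported issues and none should be deployed without review.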


You can find Intel® SGX-enabled container applications—MySQL, Vault, Nginx—in the IBM Cloud Container Registry public repositories. (Search for datashield-mysql/vault/nginx.)


The IBM Cloud docs on getting started are located here.

Engage us

If you have questions or concerns, engage our team on Slack. You can register here and join the discussion in the #general channel on
