Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.
/ edgelessdb Public archive

EdgelessDB is a MySQL-compatible database for confidential computing. It runs entirely inside a secure enclave and comes with advanced features for collaboration, recovery, and access control.

License

Notifications You must be signed in to change notification settings

edgelesssys/edgelessdb

Repository files navigation

EdgelessDB Unit Tests GitHub license Discord Chat

logo

EdgelessDB is an open-source MySQL-compatible database for confidential computing. EdgelessDB runs entirely inside runtime-encrypted Intel SGX enclaves. In contrast to other databases, EdgelessDB ensures that all data is always encrypted—in memory as well as on disk. EdgelessDB has no storage constraints and delivers close to native performance.

Central to EdgelessDB is the concept of a manifest. The manifest is defined in JSON and is similar to a smart contract. It defines the initial state of the database, including access control, in an attestable way.

Architecturally, EdgelessDB is based on MariaDB. As storage engine, it uses an enhanced version of RocksDB. The file encryption of EdgelessDB's storage engine is designed and built for the enclave and its very strong attacker model. In this context, EdgelessDB's storage engine provides confidentiality, integrity, freshness, auditability, and recoverability for data. Other databases, even when running inside enclaves using general-purpose frameworks, do not have these security properties.

Use cases

  1. Bring security to the next level and replace your existing database with EdgelessDB. The added security may allow you to shift sensitive databases from on-premises to the cloud.
  2. Build exciting new confidential apps by leveraging EdgelessDB's manifest feature and security properties, for example pooling and analyzing sensitive data between multiple parties.

Key features

  • Always encrypted: in addition to authenticated encryption on disk, the data is also encrypted in memory at runtime.
  • Manifest: defines the initial database state, including access control.
  • Remote attestation: proves that the EdgelessDB instance runs in a secure enclave and enforces the manifest.

For details see concepts.

Getting started

Run EdgelessDB on an SGX-capable system:

docker run -t --name my-edb -p3306:3306 -p8080:8080 --device /dev/sgx_enclave --device /dev/sgx_provision ghcr.io/edgelesssys/edgelessdb-sgx-1gb

Or try it in simulation mode on any system:

docker run -t --name my-edb -p3306:3306 -p8080:8080 -e OE_SIMULATION=1 ghcr.io/edgelesssys/edgelessdb-sgx-1gb

You may want to start with using EdgelessDB as a high-security SQL database in a possibly untrusted environment.

Or check out the demo to see how EdgelessDB's confidential-computing features can be used for secure multi-party data processing.

Documentation

See the docs for details on EdgelessDB concepts, configuration, and usage.

Community & help

  • Got a question? Please get in touch via Discord or file an issue.
  • If you see an error message or run into an issue, please make sure to create a bug report.
  • Get the latest news and announcements on Twitter, LinkedIn or sign up for our monthly newsletter.
  • Visit our blog for technical deep-dives and tutorials.

Contribute

About

EdgelessDB is a MySQL-compatible database for confidential computing. It runs entirely inside a secure enclave and comes with advanced features for collaboration, recovery, and access control.

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages