In the era of data as a new production factor, security has become paramount. Protecting data is now a global priority. Financial data, classified as a "national critical data resource" within "critical information infrastructure," must be safeguarded to ensure both security and compliance.
China's 14th Five-Year Plan emphasizes strengthening the digital economy security system and enhancing data security capabilities. It calls for the establishment of comprehensive data security standards and regulated management throughout the data lifecycle. In 2021, the People's Bank of China (PBOC) released the Financial Data Security—Data Lifecycle Security Specification, which outlines a security framework for financial data. This requires financial institutions to build a governance system covering the entire data lifecycle: collection, transmission, storage, use, and destruction.
Data storage security is the foundation of this lifecycle. It faces significant challenges: static data is easier to target, and centralized storage increases the impact of a breach. To address this, the PBOC has mandated encryption for sensitive data and encouraged the use of commercial cryptographic algorithms. In 2023, it further proposed technical measures for data storage protection and promoted innovative "fine-grained encryption" solutions.
This article explores the application of confidential computing technology for secure financial data storage. By leveraging hardware-based security capabilities, we developed a solution that keeps sensitive data, keys, and cryptographic operations within a trusted execution environment. This approach enhances security while minimizing application改造 costs.
Current Storage Encryption Solutions
There are two primary methods for storage encryption: application-layer encryption and disk-level encryption. Both have limitations.
Application-layer encryption requires significant code changes, whether using hardware security modules (HSMs) or software-based cryptographic packages. HSMs increase costs at scale, while software solutions may expose keys in memory.
Disk-level encryption only protects against physical theft. Once the system is compromised, data accessed via applications or the OS remains visible in plaintext.
To overcome these issues, we propose a lightweight, high-security solution using confidential computing.
What Is Confidential Computing?
Confidential computing uses trusted hardware to create encrypted, isolated, and verifiable computing environments. It protects data during processing, leveraging hardware-based trusted execution environments (TEEs).
Major chip manufacturers offer confidential computing solutions, including Intel SGX, AMD SEV, Hygon CSV, Intel TDX, and ARM TrustZone. Many large enterprises are exploring these technologies.
Our solution uses Hygon CSV (Confidential Secure Virtualization), which supports multiple encrypted virtual machines on a single physical node. Key features include:
- Resource Isolation: Each VM uses dedicated CPU resources, preventing cross-VM access.
- Memory Encryption: Data is automatically encrypted in memory using SM4 algorithms. Keys are managed by an on-chip security processor, making data unreadable even to the host OS.
- Measured Launch: The VM's integrity is verified at startup to prevent tampering.
CSV can be combined with Kata containers to run encrypted containers, ideal for cloud environments. This ensures tenant data remains confidential, even from cloud providers.
Confidential Computing Storage Service
Technical Framework
Our solution integrates confidential computing with a proxy gateway. It places an encryption module between applications and databases (or file systems), intercepting and encrypting sensitive data based on predefined policies. The framework consists of two modules:
Front-end Encryption Module:
- Encryption Proxy: Intercepts and parses data packets, applies encryption policies, and forwards data.
- Cryptographic Module: Encrypts/decrypts data using national cryptographic algorithms.
Management Platform:
- Policy Management: Allows customized encryption policies per database, table, or field.
- Key Management: Handles key generation, storage, distribution, and rotation.
Key Features
To enhance usability and compatibility, our service includes:
- Encryption Policy Configuration:
Policies can be set manually via a management interface or automatically via DDL statement interception. Fields can be tagged for encryption directly in database schema comments. - Key Rotation:
Supports seamless key updates with a dual-key transition phase. Old data can be re-encrypted in the background without service disruption. - Fuzzy Search:
Allows partial matching on encrypted data by using deterministic encryption techniques. Data is split, encrypted, and reassembled to enable predefined query patterns. - Confidential Containers:
Combines CSV VMs with Kata containers for seamless integration into existing container orchestration systems. Applications run inside encrypted environments without modification.
Technical Highlights
- Hardware-Based Security:
All cryptographic operations and keys remain inside TEEs, reducing exposure risks. - Transparent Proxy Architecture:
Decouples encryption from application logic. No code changes are required—only a connection redirect to the encryption proxy.
Practical Application and Performance
Pilot Implementation
We deployed the confidential computing storage service in a pilot environment. Applications connected to the encryption proxy instead of directly to the database. After configuring encryption policies, sensitive fields were automatically encrypted without code changes.
The service demonstrated high compatibility, scalability, and ease of use. Encryption was applied at the field level, providing fine-grained security.
Performance Analysis
We tested the service using SM4 encryption on an 18-field table, encrypting 1–4 fields. The front-end module was deployed in both ordinary and confidential computing environments.
Test Setup:
- Database: 4 vCPU, 16 GB RAM
- Encryption Module: 2–6 vCPU, 8 GB RAM
- Client: 2 vCPU, 8 GB RAM, using sysbench for load testing
Results:
- In a confidential computing environment with 2 vCPUs, encrypting one field achieved ~2330 TPS (6990 QPS).
- Performance scaled with resources: 4 vCPUs reached 4369 TPS.
- The overhead of confidential computing was under 20%, decreasing to under 3% with 6 vCPUs.
These results confirm that the service meets most application requirements while adding robust security.
Conclusion and Future Outlook
Confidential computing provides a practical solution for secure financial data storage. It combines strong encryption with minimal application改造, making it ideal for sensitive environments.
Looking ahead, financial institutions can extend this approach to create fully encrypted data pipelines—integrating confidential computing with secure multi-party computation and other privacy-enhancing technologies. This will enable safer data sharing and analytics, fostering innovation while ensuring compliance.
👉 Explore advanced data security strategies
Frequently Asked Questions
What is confidential computing?
Confidential computing uses hardware-based TEEs to protect data during processing. It encrypts memory and isolates applications, preventing unauthorized access even from privileged users.
How does it improve data storage security?
By encrypting data before it reaches the database and performing all cryptographic operations inside TEEs, it reduces exposure risks. Keys and sensitive operations never leave secured environments.
Is application code modification required?
No. Our proxy-based architecture allows applications to connect without changes. Encryption policies are applied transparently at the network level.
What performance impact should I expect?
Overhead is typically under 20% and can be reduced by scaling resources. For most use cases, the trade-off between security and performance is justified.
Can encrypted data be searched or queried?
Yes, through techniques like deterministic encryption and tokenization. These allow certain operations without decrypting the entire dataset.
Is this solution compliant with financial regulations?
Yes. It aligns with PBOC requirements for encryption and data security, supporting national cryptographic algorithms and fine-grained protection.