ECS provides layered security protection, including hardware encryption, trusted computing, and confidential computing.
Overview
ECS provides default memory encryption, trusted computing (vTPM), and confidential computing (Confidential VMs and enclaves).
Default memory encryption: Protects in-memory data from physical attacks with no changes to your OS or applications. Supported by default on instance families such as g8i general-purpose, c8i compute-optimized, and r8i memory-optimized.
Trusted computing: Trusted instances use a vTPM as the root of trust to enable trusted boot and verify core components during startup, ensuring they have not been tampered with.
Confidential computing: Uses CPU hardware encryption and isolation to provide a trusted execution environment (TEE) that protects data from unauthorized modification. Features such as remote attestation verify the integrity of the cloud platform and your instances.
Enclave security: Based on Intel Software Guard Extensions (Intel SGX) 2.0 and Alibaba Cloud virtualization enclaves, this capability reduces the Trusted Computing Base (TCB) and minimizes the attack surface. See Build an SGX confidential computing environment and Build an enclave confidential computing environment.
Confidential VM security: Run sensitive workloads encrypted during processing with no code changes. Confidential VMs are based on Intel Trust Domain Extensions (Intel TDX). See Build a TDX confidential computing environment.
Alibaba Cloud deploys the Ali-PRoT (Platform Root-of-Trust) hardware security chip on ECS hosts. This chip secures underlying hardware and firmware without extra configuration. Core capabilities include:
Proactive firmware measurement: Before host startup, Ali-PRoT verifies firmware integrity (such as BIOS and BMC). Unlike traditional passive recording methods, Ali-PRoT proactively detects and blocks potential threats before the firmware executes. Only verified servers can start.
Runtime tamper-proofing: Ali-PRoT continuously monitors firmware reads and writes at runtime and blocks unauthorized access and modifications in real time.
Hardware identity authentication: Ali-PRoT authenticates physical servers through the chip's unique hardware identity and the cloud platform's security control system, preventing unauthorized devices from accessing the platform.