Research Notes

Is your private AI data truly safe on bare-metal servers?


Red Hat launches OpenShift Sandboxed Containers 1.12 and Trustee 1.1 to secure data in use through hardware-level isolation and remote attestation.

04/15/2026

Key Highlights

  • OpenShift Sandboxed Containers 1.12 brings production-grade confidential computing to bare-metal infrastructure.
  • The release adds support for encrypted persistent block volumes that remain encrypted within the Trusted Execution Environment.
  • The Red Hat build of Trustee 1.1 simplifies remote attestation through a new automated configuration resource.
  • Pre-built boot images eliminate the risks associated with runtime builds of the initial RAM file system.

The News

Red Hat has released OpenShift Sandboxed Containers 1.12 and the Red Hat build of Trustee 1.1 to fortify its confidential computing portfolio. These updates are architected to protect sensitive information during active processing on bare-metal servers and in hybrid cloud environments. The release focuses on securing the lifecycle of AI models by utilizing hardware-based encryption and more streamlined attestation protocols.

Analyst Take

We see a persistent anxiety among enterprises regarding the safety of their most sensitive intellectual property when it leaves the controlled perimeter of a private data center. While encrypting data at rest and in transit has become a standard practice, protecting data while it is actively being processed has remained a significant technical challenge. Red Hat is attempting to solve this by bringing confidential computing to the forefront of its OpenShift platform.

It is a pragmatic response to the reality that as AI models become the crown jewels of a business, the underlying infrastructure must be viewed as inherently untrustworthy until proven otherwise. We see this move as an effort to democratize high-security environments that were previously the sole domain of specialized public cloud instances. It is about moving the perimeter from the network edge down into the very silicon of the processor. This is clever stuff.

Red Hat is significantly advancing the landscape of Confidential AI by transitioning confidential computing from a technology preview to general availability on bare-metal systems. This move is particularly vital for organizations that require maximum hardware performance but are unwilling to settle for the overhead associated with virtualized hyperscaler enclaves. By integrating support for Intel TDX and AMD SEV-SNP, Red Hat neutralizes the malicious host threat vector. This architecture ensures that even platform administrators or compromised hypervisors cannot peer into sensitive model weights, fundamentally treating the underlying infrastructure as a zero-trust environment.

The scope of this security extends beyond the CPU with a critical technical preview of hardware-based Trusted Execution Environment (TEE) protections for NVIDIA GPUs. This ensures that sensitive data remains fully encrypted even during the intensive parallel processing required for large language model inference. To make these advanced protections accessible, the shift toward TrusteeConfig automation aims to lower the complexity tax that has prevented DevOps teams from adopting the remote attestation protocols necessary for hardware-level encryption to be effective.

Red Hat is reinforcing the entire AI supply chain by integrating model-signing and provenance tracking into these updates. This comprehensive approach ensures that any AI model loaded into a secure sandbox has not been tampered with or poisoned prior to reaching the trusted execution environment. By combining hardware-rooted security with simplified operational workflows, Red Hat is providing a robust framework for securing the most sensitive intellectual property throughout the entire AI lifecycle.

What Was Announced

The technical core of this release involves several specific features designed to create a more secure perimeter around containerized applications. Red Hat OpenShift Sandboxed Containers 1.12 is built upon the Kata Containers project, which uses a lightweight virtual machine to isolate containers from the host kernel. This version extends capabilities to bare-metal nodes, meaning organizations do not have to sacrifice the performance of direct hardware access to gain the security of virtualization. It is specifically designed to support AMD SEV-SNP and Intel TDX. These hardware features aim to encrypt the memory of the virtual machine so that even the host operating system or a hypervisor cannot peer into the data.

In this update, the support for encrypted persistent volumes on bare metal is particularly noteworthy. It is designed to enable block volumes to be encrypted, decrypted, and mounted directly within the TEE. This ensures that the data remains protected throughout its entire lifecycle; it never appears in plain text on the worker node. Moreover, the release introduces pre-built initial RAM file system images. These images provide known measurement hashes that the hardware evaluates before booting. This aims to deliver a more secure chain of trust by eliminating the need for runtime builds that could be compromised.

Complementing this is the Red Hat build of Trustee 1.1, which serves as an attestation and key management service. Trustee is architected to perform remote attestation, a process where the system verifies the integrity of the hardware and software stack before any secrets are released to the workload. The 1.1 release is designed to simplify deployment through a new TrusteeConfig custom resource.

This feature automatically generates required secrets and configuration maps, which reduces the manual effort previously required. It also includes profile-based configurations, offering a restricted profile for production-grade security and a permissive profile for development. The update also includes native support for IBM Secure Execution and disconnected, air-gapped environments.
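The chain of trust described in the two paragraphs above (a known measurement of a pre-built boot image, a hardware-signed report over that measurement, and a key released only after the verifier checks it) as a compact simulation. This is added example code, not Red Hat's or Trustee's implementation: the attestation key, the image bytes, the reference-value policy and the way the restricted and permissive profiles are modelled are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the TEE's attestation key (SEV-SNP/TDX sign reports
# with a key that never leaves the silicon; here it is just a demo secret).
HW_ATTESTATION_KEY = b"constructed-hardware-key-for-demo-only"

# Constructed stand-in for a pre-built initial RAM file system image.
PREBUILT_INITRD = b"constructed-initrd-image-v1.12"

# Key the verifier would release to the workload once attestation passes (constructed).
VOLUME_KEY = "constructed-volume-key-0001"


def measure(image: bytes) -> str:
    """Measurement of a boot image: SHA-256 over its bytes (simplified model)."""
    return hashlib.sha256(image).hexdigest()


# Reference values the verifier ships: the known measurement of the pre-built image.
REFERENCE_MEASUREMENTS = {measure(PREBUILT_INITRD)}


def hardware_report(image: bytes, nonce: bytes) -> dict:
    """Simulates the TEE signing its boot measurement together with a verifier nonce."""
    m = measure(image)
    sig = hmac.new(HW_ATTESTATION_KEY, m.encode() + nonce, hashlib.sha256).hexdigest()
    return {"measurement": m, "nonce": nonce, "signature": sig}


def attest_and_release(report: dict, nonce: bytes, profile: str = "restricted") -> Optional[str]:
    """Verifier side: check signature, freshness and (in the restricted profile) the
    reference measurement; return the volume key only when every check passes.
    Assumption for the demo: the permissive profile skips the reference-value check."""
    expected = hmac.new(HW_ATTESTATION_KEY, report["measurement"].encode() + nonce,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["signature"]):
        return None  # not signed by the hardware key over this nonce: forged or replayed
    if profile == "restricted" and report["measurement"] not in REFERENCE_MEASUREMENTS:
        return None  # unknown image, e.g. a runtime-built or tampered initrd
    return VOLUME_KEY


if __name__ == "__main__":
    nonce = secrets.token_bytes(16)
    print("good image  :", attest_and_release(hardware_report(PREBUILT_INITRD, nonce), nonce))
    print("tampered    :", attest_and_release(hardware_report(PREBUILT_INITRD + b"x", nonce), nonce))
```

A report that claims the known-good measurement while the node actually booted a different image fails the signature check, which is why the release of the key hinges on the hardware signing the measurement rather than on the value alone.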

We find the focus on bare metal to be the right move. For a long time, confidential computing was something you rented from a hyperscaler. By bringing these capabilities to bare-metal OpenShift, Red Hat is acknowledging that many high-performance AI tasks need to run directly on the hardware to avoid the overhead of traditional virtualization layers.

This is a bit of a balancing act: providing isolation without killing the performance that makes AI viable in the first place. The inclusion of Trustee is also vital. In our view, confidential computing is essentially useless without a robust attestation mechanism. If you cannot prove the hardware is secure, the encryption is just a false sense of security.

The strategy here is not just about security for the sake of it; it is about enabling AI in places it could not go before. Regulated industries like banking or healthcare have been hesitant to put their most sensitive data into a shared container environment. By using hardware-level sandboxing, Red Hat aims to deliver a platform where these organizations can run their models with the assurance that their data is isolated from other tenants and even from the platform administrators.

We also see this as a play for the edge. In an edge computing scenario, where physical security of the hardware might be lacking, having a hardware-rooted trust system becomes a necessity rather than a luxury. It is a solid piece of engineering that addresses a very specific, growing pain in the modern enterprise. We note that this approach avoids the pitfalls of proprietary silos by sticking to open-source foundations like Kata and Keylime. This transparency is likely to appeal to the very security-conscious audience Red Hat is targeting.

Looking Ahead

Based on what we are observing, the convergence of hardware-based security and container orchestration is becoming a mandatory requirement for the next phase of enterprise AI adoption. The Confidential Computing Consortium highlights that 2026 marks a shift from experimental pilots to full-scale production deployments. We see this Red Hat update as a necessary fortification of the OpenShift ecosystem to prevent it from being sidelined by specialized secure cloud offerings from niche competitors or the proprietary enclaves of hyperscalers.

The key trend that we are going to be looking out for is how well Red Hat can simplify the complexity of attestation for the average developer. While the engineering is impressive, the operational burden of managing keys and attestation policies can be a deterrent. Bain has noted that the complexity of implementation is often the primary hurdle for new security paradigms; therefore, the success of Trustee will depend on its ease of integration into existing DevOps workflows.

Going forward, we are going to be closely monitoring how Red Hat performs in expanding its ecosystem of hardware partners, particularly as new AI-specific accelerators from NVIDIA and others enter the market. When you look at the market as a whole, the announcement places Red Hat in direct competition with the native confidential offerings of AWS and Azure, yet its platform-agnostic approach provides a distinct advantage for hybrid deployments.

HyperFRAME will be tracking how the company does in maintaining performance parity while these extra layers of security are enabled in future quarters. Our perspective is that confidential computing will soon cease to be an optional feature and will simply become the default way we handle data in the cloud. We expect a tectonic shift where the underlying silicon becomes the ultimate arbiter of trust in the global compute supply chain.

Author Information

Ron Westfall | VP and Practice Leader for Infrastructure and Networking

Ron Westfall is a prominent analyst figure in technology and business transformation. Recognized as a Top 20 Analyst by AR Insights and a TechTarget contributor, his insights are featured in major media such as CNBC, Schwab Network, and NMG Media.

His expertise covers transformative fields such as Hybrid Cloud, AI Networking, Security Infrastructure, Edge Cloud Computing, Wireline/Wireless Connectivity, and 5G-IoT. Ron bridges the gap between C-suite strategic goals and the practical needs of end users and partners, driving technology ROI for leading organizations.


Steven Dickens | CEO HyperFRAME Research

Regarded as a luminary at the intersection of technology and business transformation, Steven Dickens is the CEO and Principal Analyst at HyperFRAME Research.
Ranked consistently among the Top 10 Analysts by AR Insights and a contributor to Forbes, Steven's expert perspectives are sought after by tier one media outlets such as The Wall Street Journal and CNBC, and he is a regular on TV networks including the Schwab Network and Bloomberg.