No key to steal | No administrator to override

Hardware-bound data sovereignty.

A stolen file is cryptographic noise on any machine it wasn't sealed to — the key is derived from the hardware, never stored.

Graphics card blueprint
02Model Weight Protection

Seal model weights to attested silicon, so a stolen checkpoint is noise off the approved GPU.

At rest01
Sealed checkpoint
ciphertext · noise off the hardware
derive key from GPU measurement
Trust anchor02
Attested GPU
H200 · measurement 42427b9c
decrypt inside VRAM
In use03
VRAM only
plaintext never reaches host RAM

Runs on attested confidential-computing hardware

NVIDIAIntelAMDTPM 2.0
GPU rig
03On-Prem Confidential Compute

Not just weights on the GPU. Data and workloads sealed to the CPU.

Intel TDX and AMD SEV-SNP seal data and workloads to the CPU's
measured boot state, so plaintext never reaches host RAM.

01
Sealed to the measured boot state
Data keys derive from the CPU's attested firmware, kernel, and enclave measurement. Move the disk to another box and the ciphertext is inert.
02
Runs inside a hardware enclave
Workloads execute inside an Intel TDX trust domain or AMD SEV-SNP guest, with memory encrypted by the CPU. The plaintext window closes.
03
Opaque to the host operator
Root, the hypervisor, and the datacenter operator see ciphertext and an attestation handshake, never your data or your model.

CPU confidential computing

IntelTDX
AMDSEV-SNP
Confidential-computing CPU package
04Platform Impact

Built for weights that stay sealed.

We bind attestation, sealing, and key release into one path, so a stolen file stays noise on every machine it was not made for.

The plaintext window, closed

Hardware-derived keys and in-VRAM decryption seal every point weights would otherwise sit in the clear, across the serving path.

SealedAt restCheckpoints live as ciphertext on disk. The file is noise without a hardware-derived key.
SealedIn flightWeights stay encrypted across the CPU-to-GPU bus, so nothing readable crosses the wire.
0 bytesIn host RAMDecryption happens only inside VRAM on the attested GPU. No plaintext ever touches system memory.

Key Release Workflow

Attestation, policy, and release stay visible in one flow, so every deployment proves what it runs before a key is issued.

Release Policy for Acme GPU
Attested: May 14Expires: Jul 24Status: 1 of 6 checks
OverviewInstancesAudit
AttestationVerified
Image Match5/9 checks
05Efficiency Metrics

Every decision bound to attested hardware.

We bind sealing, key derivation, and release to a live hardware measurement, so weights decrypt only inside the GPU they were made for. Attestation, image match, and policy stay visible before a single key is ever issued.

Plaintext in host RAM
0

Weights decrypt only inside VRAM on the attested GPU under Confidential Computing. No plaintext copy ever lands in system memory.

Default key quorum
3-of-5

The root secret splits across five independent nodes. No operator, including us, can derive a key alone; any three must cooperate to unlock it.

Attestation chain
P-384

Every GPU is verified against NVIDIA's P-384 certificate chain. A mismatch between claimed and measured state aborts before a byte decrypts.

The Architecture

Seven composable layers, one guarantee.

Decryption becomes a property of measured hardware and elapsed time, not of key possession. Each layer stands on its own; stacked, they leave nothing portable to steal.

  • L1
    GPU Silicon Attestation
    Hardware-rooted trust anchor
  • L2
    TPM2 Boot-Chain Binding
    Keys sealed to an unmodified boot state
  • L3
    Threshold MPC
    No single party holds the root secret
  • L4
    Forward-Secure State Ratchet
    Time-locks enforced by math, not policy
  • L5
    Path ORAM
    Access patterns indistinguishable from random
  • L6
    STARK Zero-Knowledge Proofs
    Prove correctness without revealing anything
  • L7
    Fragment Dependency Topology
    Structure that rewrites itself every epoch
See the Platform