Using cloud-based applications comes with privacy implications, as the end-user looses control over their data. While encrypting all data on the client is possible, it largely reduces the usefulness of database management systems (DBMS) that are typically built to efficiently query large quantities of data. We present BlindexTEE, a new component that sits between the application business-logic and the database. BlindexTEE is shielded from malicious users or compromised environments by executing inside an SEV-SNP confidential VM, AMD's trusted execution environment (TEE). BlindexTEE is in charge of end-to-end encryption of user data while preserving the ability of the DBMS to efficiently filter data. By decrypting and re-encrypting data, it builds blind indices, used later on to efficiently query the DBMS. We demonstrate the practicality of BlindexTEE with MySQL in several micro- and macro-benchmarks, achieving overheads between 36.1% and 462% over direct database access depending on the usage scenario.
翻译:暂无翻译