TEE for Agent Identity

Agent identity keys stored on standard hosts are vulnerable to:

  • Host OS compromise
  • Admin access abuse
  • Memory inspection attacks

Trusted Execution Environments (SGX, Nitro Enclaves) provide:

  • Hardware-isolated memory — OS/hypervisor cannot read
  • Remote attestation — Prove what code is running
  • Sealed storage — Keys encrypted to specific workloads

┌────────────────────┐            ┌─────────────────────┐
│  Agent Runtime     │    RPC     │  TEE: Identity      │
│  (untrusted)       │───────────▶│  Sentinel Service   │
│                    │            │                     │
│  • Planner         │            │  • Master Key       │
│  • Tools           │            │  • Sign/verify      │
│  • UI              │            │  • Policy eval      │
└────────────────────┘            └─────────────────────┘

  1. Phase A: AWS Nitro Enclaves + KMS attestation
  2. Phase B: Multi-TEE abstraction layer
  3. Phase C: Attested capability tokens for tools
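The following is an added worked example, not code from the notes above or from any SAP project. It simulates the architecture in the diagram and the Phase A flow in one process: the enclave-side Identity Sentinel obtains its master key only after presenting an attestation document whose measurement matches the key policy (the Nitro-plus-KMS pattern), evaluates policy before every signing request, and never hands key material back to the untrusted runtime. All names (IdentitySentinel, kms_release_key, POLICY), the PCR0 value and the HMAC-based attestation signature are constructed stand-ins; a real Nitro attestation document is COSE-signed by AWS and verified against a certificate chain, and KMS encrypts its response to the enclave's ephemeral public key.

```python
import hashlib
import hmac
import json
import secrets

# --- Simulated hardware / KMS side -------------------------------------------
# Constructed measurement of the trusted enclave image (stands in for Nitro PCR0).
TRUSTED_PCR0 = hashlib.sha384(b"identity-sentinel-enclave-v1 (constructed)").hexdigest()

# Hypothetical attestation signing key. Real Nitro attestation documents are
# signed by AWS and verified via a certificate chain, not a shared HMAC secret.
_ATTESTATION_ROOT_KEY = secrets.token_bytes(32)

# Sealed master key held by the KMS stand-in; released only to an attested enclave.
_SEALED_MASTER_KEY = secrets.token_bytes(32)


def make_attestation(pcr0: str, nonce: bytes) -> dict:
    """Hardware stand-in: produce an attestation document over (pcr0, nonce)."""
    body = {"pcr0": pcr0, "nonce": nonce.hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(_ATTESTATION_ROOT_KEY, payload, "sha256").hexdigest()
    return {"body": body, "signature": sig}


def kms_release_key(doc: dict, nonce: bytes, allowed_pcr0: str) -> bytes:
    """KMS stand-in: check signature, freshness and measurement before releasing
    the master key. Real KMS also encrypts the response to the enclave's
    ephemeral public key; omitted here to stay within the standard library."""
    payload = json.dumps(doc["body"], sort_keys=True).encode()
    expected = hmac.new(_ATTESTATION_ROOT_KEY, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, doc["signature"]):
        raise PermissionError("attestation signature invalid")
    if doc["body"]["nonce"] != nonce.hex():
        raise PermissionError("attestation replayed (nonce mismatch)")
    if doc["body"]["pcr0"] != allowed_pcr0:
        raise PermissionError("enclave measurement not in key policy")
    return _SEALED_MASTER_KEY


# --- Enclave side: Identity Sentinel Service ---------------------------------
# Constructed policy: which actions each agent component may request.
POLICY = {
    "planner": {"sign:tool-call"},
    "tools": {"sign:tool-result"},
}


class IdentitySentinel:
    """Runs inside the TEE. The master key never leaves this object."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def evaluate_policy(self, principal: str, action: str) -> bool:
        return action in POLICY.get(principal, set())

    def _mac(self, action: str, message: bytes) -> bytes:
        # Bind the action into the tag so a tool-call signature cannot be
        # presented later as a tool-result signature.
        return hmac.new(self._master_key, action.encode() + b"\x00" + message, "sha256").digest()

    def sign(self, principal: str, action: str, message: bytes) -> bytes:
        if not self.evaluate_policy(principal, action):
            raise PermissionError(f"{principal} may not {action}")
        return self._mac(action, message)

    def verify(self, action: str, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self._mac(action, message), tag)


def bootstrap_sentinel(pcr0: str) -> IdentitySentinel:
    """Enclave boot: attest with a fresh nonce, obtain the master key from KMS."""
    nonce = secrets.token_bytes(16)
    doc = make_attestation(pcr0, nonce)
    return IdentitySentinel(kms_release_key(doc, nonce, TRUSTED_PCR0))


# --- Untrusted agent runtime: only ever holds an RPC handle ------------------
def runtime_request_signature(sentinel: IdentitySentinel, principal: str,
                              action: str, message: bytes) -> bytes:
    """Stand-in for the RPC call; the runtime gets a tag back, never the key."""
    return sentinel.sign(principal, action, message)


if __name__ == "__main__":
    sentinel = bootstrap_sentinel(TRUSTED_PCR0)
    msg = b'{"tool":"search","args":{"q":"quarterly report"}}'  # constructed
    tag = runtime_request_signature(sentinel, "planner", "sign:tool-call", msg)
    print("tool-call verified:", sentinel.verify("sign:tool-call", msg, tag))
    try:
        runtime_request_signature(sentinel, "ui", "sign:tool-call", msg)
    except PermissionError as e:
        print("policy denied:", e)
    try:
        bootstrap_sentinel(hashlib.sha384(b"tampered enclave image").hexdigest())
    except PermissionError as e:
        print("attestation failed:", e)
```

Two properties are worth noticing when running it: an enclave image with a different measurement never receives the master key, so a compromised host cannot simply start its own copy of the service, and a runtime component whose request fails policy gets no signature at all. Neither protects against a logic bug inside the sentinel itself, which is the caveat the notes make below.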

TEEs protect key custody and provide attestation, but don’t prevent logical vulnerabilities. They’re risk-reducing, not magic.

Research extracted from SAP development notes