Enclave: A Privacy-First AI Agent Platform Based on Trusted Execution Environment

Enclave is a privacy-first AI agent platform that fully places LLM inference and tool execution within a Trusted Execution Environment (TEE), aiming to address data privacy pain points in AI agent applications. It uses cryptographic proof to ensure that user data, prompts, and task contexts do not leave the secure enclave in plaintext. The core technology is based on TEE implementations like AWS Nitro Enclave. The project is maintained by hackingsage, with source code available on GitHub (link: https://github.com/hackingsage/Agentic-AI-TEE), and was released on May 25, 2026.

With the enhancement of LLM capabilities, AI agents are becoming practical, but data privacy issues are prominent—user data, prompts, etc., may be leaked. TEE is a hardware-level security isolation technology that creates an execution environment isolated from the main system, which cannot be monitored by administrators or cloud service providers. AWS Nitro Enclave is a commonly used TEE implementation, which creates isolated instances through hardware virtualization, with no persistent storage, interactive login, or network interfaces, and only communicates via local sockets to reduce the attack surface.

Enclave adopts a layered architecture, divided into four parts:

1. User Interaction Layer: Based on Next.js frontend, with WebAuthn authentication, receiving tasks and passing them securely.
2. Gateway Layer: Runs on EC2 instances, built with FastAPI, responsible for task queues, SSE responses, authentication and authorization, and audit logs, processing only encrypted data.
3. Secure Enclave (Inside TEE): The core part, including the AI agent controller (planner, executor, memory manager, tool router), where all LLM calls are completed.
4. Privacy Proxy Layer: Written in Go, rotating API keys, stripping metadata, filling virtual requests, and obfuscating traffic.

Enclave ensures privacy through the following mechanisms:

1. TEE-enforced Inference Isolation: LLM calls are initiated within the TEE, and the host cannot observe plaintext.
2. Verifiable Proof Receipts: A signed report is generated upon task completion, including code version, enclave ID, and data integrity check, supporting third-party audits.
3. Zero Training Data Leakage: The privacy proxy strips metadata and rotates API keys regularly.
4. Sealed Memory Protection: Agent states are encrypted with TEE-exclusive keys derived from PCR; if the environment is tampered with, access is lost.
5. Task Integrity Check: Records the SHA3-256 hash of prompts and outputs to ensure end-to-end integrity.

Enclave's tech stack:

• Cryptography: Ed25519 signature, XSalsa20-Poly1305 symmetric encryption, Curve25519 key exchange, HKDF-SHA256 key derivation, AWS Nitro proof documents (COSE_Sign1+CBOR), SHA3-256 integrity check.
• Development Languages: Python3.12+ (asynchronous programming), Go1.22+ (privacy proxy layer).

Application Scenarios: Enterprise sensitive data processing (finance, contracts), healthcare (HIPAA compliance), financial transaction analysis (trade secrets), government and defense (classified information). Threat Model Mitigation:

• Curious cloud service providers: TEE isolation prevents data monitoring;
• Compromised host: Only encrypted data is visible;
• LLM providers: Privacy proxy strips metadata and rotates keys;
• Network eavesdropping: Mutual TLS encryption;
• Malicious LLM responses: Sandbox execution + JSON Schema validation.

North Star Test: If Anthropic, AWS, or government subpoenas require logs, memory, and traffic, only encrypted blocks, metadata-free API calls, and valid code proofs can be seen—no useful information. Conclusion: Enclave combines TEE and AI agents to build a privacy-first intelligent system, which is an exploration of the AI privacy protection paradigm and will play an important role in enterprise-level AI applications.