Enhance workload security with confidential containers on Azure Red Hat OpenShift
As organizations continue to accelerate digital transformation in the cloud, customers are looking for ways to enhance safeguards for sensitive workloads, especially those in highly regulated industries. As such, confidential computing has become an increasingly prominent way to protect workloads by providing an isolated, hardware-encrypted environment based on a zero-trust security model.
To help address this need, we are pleased to announce the general availability of confidential containers on Microsoft Azure Red Hat OpenShift, expected to be delivered in the coming weeks. This feature gives organizations more control over their hardware and infrastructure for their most sensitive applications, in addition to the built-in security features of the platform. The feature is available in Azure Red Hat OpenShift version 4.15 and newer.
Azure Red Hat OpenShift provides a fully managed application platform that is jointly operated and supported by Red Hat and Microsoft. It’s designed to build, deploy and manage applications at scale with built-in security features and compliance to support the ongoing needs of organizations, especially those in highly regulated industries.
Enhanced security for sensitive workloads
The foundation of confidential computing lies in the ability to deploy containers in a Trusted Execution Environment (TEE). TEEs use encryption to provide an isolated area of the CPU that protects the container, code and data from unauthorized access, including access from cloud providers, cluster administrators and site reliability engineers (SREs).
By providing hardware-level encryption and isolation, confidential containers reduce the potential attack surface for highly sensitive containerized applications. This layer of isolation provides enhanced security, especially for organizations that must adhere to stringent security and compliance requirements when handling personally identifiable information.
Remote attestation: Establish a foundation of trust
Before any container image is run or secrets are delivered, remote attestation verifies the integrity of the confidential computing environment. This process confirms that the underlying TEE, where the workload will run, has not been tampered with and is running the expected configuration. This verification is crucial for determining whether an environment is verifiably secure before any secrets or critical workloads are deployed.
Enhanced data protection and privacy
Confidential containers enhance data protection by providing encrypted memory enclaves within the TEE. Data is protected not only at rest (storage) and in transit (network): confidential containers also encrypt data in use, while it is actively being processed by the CPU.
Zero-trust security: Mitigating risk from unauthorized access
By using a zero-trust security approach, confidential containers help mitigate risk from unauthorized access. This means that access to the container's contents is strictly limited, even from cloud operators, cluster administrators, and SREs who manage the host system.
Learn more at Microsoft Ignite 2025
Confidential Containers on Azure Red Hat OpenShift will be featured during a lightning talk in the Red Hat booth at Microsoft Ignite 2025 in San Francisco. Attendees can learn more about how confidential computing helps strengthen data protection and compliance across hybrid environments.
To learn more about confidential containers on Azure Red Hat OpenShift, read the full documentation and try out the interactive experience: