fragmede 5 hours ago
That's just not possible. It's why detractors never got on board with the Cloud. Until FHE is feasible, the decryption keys and plaintext have to exist in RAM eventually at some point, even if only to be re-encrypted, if any complex work is to be done on it. Because, e.g., Amazon has access to your hardware, there's simply no way to prevent them from reading your secrets out of your VM that's using their RAM. Absolutely do what you can, but understand that it's futile to defend against your own cloud provider.
Agingcoder 4 hours ago
OK, I thought that was the whole point of things like Intel TDX, AMD SEV and various enclave mechanisms which provide full RAM encryption and attestation? The only issue left would be managed services though, which then I wouldn't use, but I'd be able to run my own Postgres safely on infra I'm renting.