BlindexTEE: A Blind Index Approach towards TEE-supported End-to-end Encrypted DBMS
Louis Vialar, Jämes Ménétrey, Valerio Schiavoni, Pascal Felber

TL;DR
BlindexTEE introduces a TEE-based component that enables end-to-end encrypted database queries with efficient filtering, balancing privacy and performance in cloud environments.
Contribution
It presents BlindexTEE, a novel blind index approach within a TEE that maintains data privacy while supporting efficient database querying.
Findings
Incurs overheads of 36.1% to 462%, depending on the scenario.
Demonstrates practical integration with MySQL.
Balances privacy with query efficiency.
Abstract
Using cloud-based applications comes with privacy implications, as the end-user loses control over their data. While encrypting all data on the client is possible, it largely reduces the usefulness of database management systems (DBMS) that are typically built to efficiently query large quantities of data. We present BlindexTEE, a new component that sits between the application business-logic and the database. BlindexTEE is shielded from malicious users or compromised environments by executing inside an SEV-SNP confidential VM, AMD's trusted execution environment (TEE). BlindexTEE is in charge of end-to-end encryption of user data while preserving the ability of the DBMS to efficiently filter data. By decrypting and re-encrypting data, it builds blind indices, used later on to efficiently query the DBMS. We demonstrate the practicality of BlindexTEE with MySQL in several micro- and…
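The blind-index idea the abstract describes, as an added Python example that is not taken from the paper or the BlindexTEE code base: values are stored under randomized encryption, and a deterministic keyed hash in a second, indexed column lets the DBMS filter by equality without seeing plaintext. Assumptions: sqlite3 stands in for MySQL, the HMAC keystream is a stand-in for a real AEAD, all table, column and function names are hypothetical, and the keyed-HMAC index is the generic blind-index construction, not necessarily the one BlindexTEE uses.

```python
import hashlib, hmac, os, sqlite3

# Constructed keys; in the paper's setting key material would stay inside the TEE.
ENC_KEY = os.urandom(32)
IDX_KEY = os.urandom(32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(plaintext: str) -> bytes:
    # Stand-in randomized cipher (assumption); use an AEAD such as AES-GCM in practice.
    data, nonce = plaintext.encode(), os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(ENC_KEY, nonce, len(data))))

def decrypt(blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct)))).decode()

def blind_index(column: str, value: str) -> bytes:
    # Deterministic keyed hash, domain-separated per column so that equal
    # values stored in different columns do not produce matching indices.
    msg = column.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(IDX_KEY, msg, hashlib.sha256).digest()

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email_enc BLOB, email_bidx BLOB)")
    db.execute("CREATE INDEX users_email_bidx ON users (email_bidx)")
    return db

def insert_user(db: sqlite3.Connection, email: str) -> None:
    db.execute("INSERT INTO users (email_enc, email_bidx) VALUES (?, ?)",
               (encrypt(email), blind_index("users.email", email)))

def find_by_email(db: sqlite3.Connection, email: str) -> list:
    # The DBMS filters on the blind index only; decryption happens on the trusted side.
    rows = db.execute("SELECT id, email_enc FROM users WHERE email_bidx = ? ORDER BY id",
                      (blind_index("users.email", email),)).fetchall()
    return [(row_id, decrypt(enc)) for row_id, enc in rows]
```

Because the index is deterministic, the database can still tell which rows hold equal values in that column, even though it cannot read them.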
