May 18, 2025
Trusted Execution Environments, or TEEs, are one of the most useful security tools available for hosted AI. They matter. We use them for that reason.
They also get overstated constantly.
This post is the narrow version: what NanoGPT TEE models actually give you, what they do not give you, and how to verify the parts that are verifiable.
A TEE can help with:
A TEE does not, by itself, guarantee:
That distinction matters. "TEE-backed" and "fully confidential end-to-end" are not the same thing.
A Trusted Execution Environment is a hardware-isolated execution environment inside a CPU or GPU.
In practice, that usually means:
That is useful because hosted AI normally requires you to trust a large software and infrastructure stack. A TEE reduces that trust surface for the part of the request that is actually processed inside the enclave.
For NanoGPT users, the strongest TEE benefits are:
If the model inference is actually running inside a TEE, the host OS and ordinary admin access are much less useful for inspecting what is happening inside that measured environment.
That is meaningful. It raises the bar.
With attestation, you can verify that your request was handled by a specific measured environment rather than just taking the provider's word for it.
For some provider paths, you can also verify a signature tied to the completion itself.
Without a TEE, the default trust boundary is often "trust the whole provider stack." With a TEE, the trust boundary can be narrowed to "trust the attested enclave and the parts of the path outside it that still matter."
That is an improvement, even when it is not the same thing as end-to-end confidentiality.
This is the part people usually skip.
Standard HTTPS terminates somewhere. Whether that termination point is itself protected by the TEE path depends on the provider architecture.
So if you care about prompt confidentiality, you need to ask:
If a request goes through middleware, observability tooling, retry infrastructure, or a provider router before it reaches the enclave, those layers matter too.
TEE does not magically erase the rest of the pipeline.
Even if the prompt body is well-protected, metadata and account-level context can still matter:
If you put sensitive information directly into the prompt, a TEE does not make that risk vanish.
Here is the practical comparison:
| Approach | Data in transit | Data in use | Integrity / attestation | Real-time practicality |
|---|---|---|---|---|
| Plain hosted inference | Usually yes | Weak | Weak | High |
| TEE-backed inference | Usually yes | Stronger | Stronger | High |
| End-to-end encrypted enclave path | Strongest | Stronger | Stronger | Provider-specific |
| Local models | You control it | You control it | You control it | Depends on hardware |
For most hosted AI use cases, TEEs are one of the few options that improve security without destroying latency.
That still does not mean every TEE deployment has the same confidentiality properties.
TEE-backed models are exposed with the TEE/ prefix.
Example:
curl -X POST https://nano-gpt.com/api/v1/chat/completions \
-H "Authorization: Bearer <YOUR_API_KEY>" \
-H "Content-Type: application/json" \
-d '{
"model": "TEE/qwen-2.5-7b-instruct",
"messages": [
{ "role": "user", "content": "Reply with exactly hello" }
]
}'
The verification story is provider-specific.
You can request attestation with:
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://nano-gpt.com/api/v1/tee/attestation?model=TEE/llama3-3-70b"
Important caveat:
So treat attestation support as model- and provider-specific, not a universal property.
Some RedPill-backed TEE paths expose a signature endpoint for the completion:
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
"https://nano-gpt.com/api/v1/tee/signature/<COMPLETION_ID>?model=TEE/qwen-2.5-7b-instruct"
The important detail is the identifier:
idX-TEE-Signature-ID header when presentX-Request-IDNanoGPT non-stream TEE responses now expose:
X-TEE-Completion-IDX-TEE-Signature-AvailableX-TEE-Signature-ID for supported RedPill-backed TEE modelsThat makes it easier to carry the correct identifier into verification tooling.
At a high level:
The defensible claim is:
NanoGPT TEE models improve integrity and data-in-use protection, and may improve confidentiality depending on the provider path.
The claim we do not want to make is:
TEE means the provider stack can never see your prompts.
That second statement is too broad.
TEE-backed models make sense when you want:
They make less sense if your requirement is:
For that threat model, local models or infrastructure you control more directly are still the strongest option.
Not automatically. It improves the data-in-use and integrity story, but the full confidentiality story still depends on transport, gateways, logging, and provider architecture.
Yes. "Not perfect" is not the same thing as "worthless." TEEs can materially improve the security posture of hosted inference.
At minimum:
Say that TEE improves integrity and data-in-use protection, and be explicit that transport and confidentiality guarantees are provider-specific.
TEE is useful. It is not magic.
If you want a hosted option that improves over ordinary provider trust, TEE-backed models are a real step forward.
If you want guarantees stronger than that, you need to look closely at the provider transport path, the verification surface, and in some cases whether hosted inference is the right trust model at all.
