Hardware-verified trust across your entire stack.

Run with certainty.

  • People: Users, groups and organisations. Identity bound to hardware, not passwords.
  • Infrastructure: Devices, networks and servers. Identity proven in hardware, not software credentials.
  • Software: Artifacts, pipelines and workloads. Sealed from build to deployment.
  • Ops: Admins, orchestrators and control planes. Privileged access proven in hardware.
the problem

Software identity can be faked. Hardware cannot.

Credentials get stolen. Certificates get forged. Tokens get replayed. Every layer of a modern stack relies on assertions that can be impersonated — because identity is software all the way down.

Software Identity Is Stolen
Credentials authenticate access, but stolen credentials are indistinguishable from real ones.
No Proof of What's Running
Workloads are deployed as expected, but there is no way to prove the code wasn't tampered with.
Privileged Access Is a Single Point of Failure
Access controls limit most users, but one compromised admin bypasses every other control.
Software can claim to be anything. Every credential, certificate, and token in your stack is an assertion — not proof. Hardware changes that.
the platform

Hardware identity for every layer of your environment.

eCora applies hardware-backed identity and attestation across your runtime stack. Currently covering users, workloads, network endpoints, devices, servers, groups, organisations, CI/CD pipelines, artifacts, privileged administrators, orchestrators, and control planes — with coverage expanding to more components as the platform grows. Every entity proves what it is using hardware, before any trust is extended to it.

People
Users · Groups · Organisations
FIDO2 · TPM · Hardware-rooted identity hierarchy
Every person, group, and organisation is bound to hardware. Users authenticate with a physical token — no password or session credential can substitute. Group membership and organisational provenance are attested in hardware, not asserted in a policy engine that can be bypassed.
Infrastructure
Devices · Servers · Network Endpoints
TPM 2.0 · Measured boot · Signed connection negotiation
Devices, servers, and network endpoints prove their identity in hardware before any trust is extended to them. Device identity is tied to the TPM chip. Servers attest their firmware and configuration at boot. Every network handshake is signed by the endpoint's TPM — a stolen credential cannot replicate it.
Software
Workloads · CI/CD Pipelines · Artifacts
TEE · Intel TDX · AMD SEV-SNP · TPM · Hardware-attested provenance
From build to deployment, every stage is hardware-verified. CI/CD pipelines attest the build environment before any step executes. Artifacts carry cryptographic proof of where they were built. Workloads run sealed inside CPU-encrypted enclaves — the host OS sees only ciphertext.
Ops
Privileged Administrators · Orchestrators · Control Planes
FIDO2 · TPM · Attested orchestrator identity
The systems with the most privileged access are the highest-value targets. Administrators require hardware tokens — stolen credentials alone are never enough. Orchestrators and control planes are attested before they can issue commands or push policy — a compromised control plane that fails attestation is refused.
how it works

From your build pipeline to a running enclave.

Publisher
01 Configure: Set up your customers and billing
Configure your customer accounts and billing profile. eCora handles metering and entitlement automatically — set your pricing model once and it applies across every customer and environment you deploy to.
02 Seal & list: Locally seal and deliver to customers
Run the eCora CLI to seal your container image on your own machine. Every layer is encrypted with hardware-bound keys before anything leaves your environment. The sealed image is delivered to your customers — they run it just like any other container, with no special tooling required.
03 Manage: Control access from your dashboard
See which customers run which versions. Update, rotate, or revoke access instantly — without redeployment or support tickets.
Subscriber
01 Pull: Pull the sealed image to your registry
Receive the sealed container image from your publisher and pull it into your registry. It works with any standard container toolchain — Docker, containerd, Kubernetes — no special client required.
02 Run: Deploy it and it starts sealed automatically
Launch the container as normal. eCora detects the hardware environment and starts the workload inside a CPU-verified enclave. No agents, no kernel modules, no configuration overhead on your side.
03 Verify: Get cryptographic proof of integrity
Receive hardware-signed attestation that the software is genuine and unmodified. A trust signal for your security team, auditors, and compliance requirements.
inside the enclave

What's Actually Happening at Runtime

CPU-Level Memory Encryption
Intel TDX, AMD SEV, or ARM TrustZone encrypts all application memory at the CPU level. Even the hypervisor, admin, or root cannot read encrypted pages.
technical details
Encryption: AES-128-XEX (hardware accelerated) · Key storage: On-die CPU memory encryption key (MEK) · Isolation: Hardware-enforced page access controls · Performance: Zero-copy via CPU extensions
Hardware Root of Trust
TPM 2.0 seals encryption keys to specific hardware and boot measurements. Keys only unlock in verified secure environments — never exposed, even to eCora.
technical details
Key derivation: TPM2_Create with PCR policy · Sealing: Bound to PCR banks 0, 1, 2, 3, 7 · Unsealing: Requires matching PCR values · Storage: Never leaves TPM hardware
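The PCR-bound policy described above can be modelled offline. The following is an added example, not eCora's code: it reproduces the TPM2_PolicyPCR digest calculation from the TPM 2.0 specification for PCRs 0, 1, 2, 3 and 7, using constructed boot measurements in place of a real TPM, and shows that a sealed object's policy only matches when every bound PCR holds the value it had at sealing time.

```python
import hashlib
import struct

# Constants from the TPM 2.0 Library Specification (Part 2: Structures).
TPM_CC_POLICY_PCR = 0x0000017F   # command code folded into the policy digest
TPM_ALG_SHA256 = 0x000B
ZERO_DIGEST = b"\x00" * 32       # a fresh policy session starts from an all-zero digest
SEALED_PCRS = (0, 1, 2, 3, 7)    # the PCR set the page says sealed keys are bound to

def pcr_selection(pcrs=SEALED_PCRS) -> bytes:
    """Marshal a TPML_PCR_SELECTION: count=1, one SHA-256 bank, 3-byte select bitmap."""
    select = bytearray(3)
    for p in pcrs:
        select[p // 8] |= 1 << (p % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(select)

def policy_pcr_digest(pcrs: dict) -> bytes:
    """TPM2_PolicyPCR: new = H(old || TPM_CC_PolicyPCR || selection || H(selected PCR values))."""
    pcr_digest = hashlib.sha256(b"".join(pcrs[p] for p in SEALED_PCRS)).digest()
    return hashlib.sha256(ZERO_DIGEST + struct.pack(">I", TPM_CC_POLICY_PCR)
                          + pcr_selection() + pcr_digest).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend as measured boot performs it: new = H(old || H(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def simulate_boot(components: dict) -> dict:
    """Constructed boot: 24 PCRs start at zero; each component extends its PCR once."""
    pcrs = {p: b"\x00" * 32 for p in range(24)}
    for p, blob in components.items():
        pcrs[p] = extend(pcrs[p], blob)
    return pcrs

# Constructed measurements standing in for real firmware and configuration hashes.
GOOD_BOOT = {0: b"firmware-1.4", 1: b"fw-config", 2: b"option-rom",
             3: b"rom-config", 4: b"bootloader-v1", 7: b"secure-boot-db"}

def seal_policy_for(components=GOOD_BOOT) -> bytes:
    """The policy digest TPM2_Create stores as the sealed object's authPolicy."""
    return policy_pcr_digest(simulate_boot(components))

def unseal_allowed(current_pcrs: dict, sealed_policy: bytes) -> bool:
    """TPM2_Unseal succeeds only if the session policy built from live PCRs matches."""
    return policy_pcr_digest(current_pcrs) == sealed_policy
```

A change to a bound PCR (for instance PCR 7, the Secure Boot state) yields a different digest and the unseal is refused, while a PCR outside the bound set (PCR 4 here) can change freely; choosing the set is therefore a real design decision.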
Secure Network Proxy
All I/O passes through eCora's proxy inside the enclave. Inbound requests verified, outbound data encrypted, all traffic logged with cryptographic signatures.
technical details
TLS 1.3 termination inside enclave · Mutual TLS for service-to-service · Rate limiting and DDoS protection · Zero-trust network policies
Immutable Audit Logging
Every action logged with cryptographic signatures. Logs form a tamper-evident chain — impossible to modify or delete, even by administrators.
technical details
Hashing: SHA-256 chain (each entry references previous) · Signing: ECDSA P-256 signatures from TEE · Storage: Append-only with Merkle tree verification · Compliance: SOC 2, HIPAA, PCI-DSS ready
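The tamper-evident chain and Merkle verification described above, as an added example that is not eCora's implementation: each entry's SHA-256 covers the previous entry's hash, a verifier walks the chain to locate the first edited or deleted entry, and a Merkle root summarises a snapshot. The ECDSA P-256 signing from the TEE is assumed to wrap the root and is omitted here; the log actions are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # the first entry points at an all-zero "previous" hash

def entry_hash(prev_hash: str, seq: int, action: str) -> str:
    """Each entry commits to its predecessor, so editing one entry breaks every later link."""
    record = json.dumps({"prev": prev_hash, "seq": seq, "action": action}, sort_keys=True)
    return hashlib.sha256(record.encode()).hexdigest()

def append(log: list, action: str) -> dict:
    """Append-only: the new entry's hash covers the previous entry's hash and its position."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "action": action, "prev": prev}
    entry["hash"] = entry_hash(prev, entry["seq"], action)
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact.
    Note: a chain check alone cannot see truncation of the newest entries; comparing
    against a previously signed Merkle root does."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != entry_hash(prev, i, e["action"]):
            return i
        prev = e["hash"]
    return -1

def merkle_root(hashes: list) -> str:
    """Merkle root over entry hashes; this is the value a TEE key would sign (signing omitted)."""
    if not hashes:
        return GENESIS
    level = [bytes.fromhex(h) for h in hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the odd leaf
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

# Constructed sample actions, not real eCora log data.
SAMPLE_ACTIONS = [
    "admin:alice login fido2",
    "admin:alice deploy image=inference-v3.2 customer=acme",
    "admin:alice revoke-access customer=acme",
]

def build_log(actions=SAMPLE_ACTIONS) -> list:
    log = []
    for a in actions:
        append(log, a)
    return log
```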
compatibility

One Platform. Every Environment.

Deployment Types
  • Containerised workloads
  • Legacy applications
  • AI and ML systems
  • Data pipelines
  • Web services and APIs
  • Microservices
Environments
  • AWS
  • Azure
  • GCP
  • On-premise
  • Edge
  • Hybrid and multi-cloud
Hardware Support
  • Intel TDX
  • AMD SEV-SNP
  • ARM TrustZone / CCA
  • TPM 2.0 (discrete or firmware)
  • Hardware Security Modules (HSMs)
  • Future TEE architectures
competitive landscape

What Every Alternative Misses

Every competing approach covers one entity type, stays in software, or accepts cloud lock-in. eCora is the only platform that delivers hardware-rooted identity across people, infrastructure, software, and ops — from a single control plane, across any environment.

| Capability | Software Zero Trust | DIY Confidential Computing | Workload-Only Platforms | eCora |
| --- | --- | --- | --- | --- |
| Hardware-rooted identity | No — software-asserted only | Workloads only (TEE) | Workloads only (TEE) | Full stack — people, infrastructure, software, and ops |
| Runtime stack coverage | Software credentials only | Workloads only | Workloads only | People, infrastructure, software, and ops — expanding |
| Code changes required | Moderate — agent/SDK integration | Extensive — rewrite for enclave | Moderate — API integration | None — wrap existing binaries |
| TPM + TEE hardware root | No — policy and cert based | TEE only — no TPM integration | TEE only — no TPM integration | TPM + TEE across all entity types |
| Compliance automation | Partial — policy logs | Manual audits and reports | Partial automation | Cryptographic proof — hardware-signed |
| AI model protection | Models exposed in memory | Possible — requires model rewrite | Limited framework support | Any model, any framework — in TEE |
The bottom line: software can claim to be anything. Hardware cannot lie. eCora is the only platform that roots identity across people, infrastructure, software, and ops in hardware — with zero code changes and a single control plane.

Ready to run with certainty?

Join the private beta. We review every request personally and will be in touch within two business days.