Confidential Computing for AI Training: How to Protect Models and Data on Bare Metal

Training AI models often involves sensitive data and valuable intellectual property. Whether you’re building proprietary machine learning models or analyzing confidential datasets, keeping that information secure throughout the training process is essential. Confidential computing protects data at every stage—when stored, in transit, and during processing.

This post explores how you can use confidential computing—specifically Intel TDX and bare metal infrastructure—to secure AI training workloads. If you already know the basics, check out OpenMetal’s blog on practical deployments or on balancing security and speed.

Why AI Models and Training Data Need Protection

AI models are incredibly valuable—often reflecting years of development and unique intellectual property. When businesses train these models, they often rely on proprietary data that might include sensitive personal information, competitive insights, or financial details. This type of data attracts attackers, which is why teams must protect it throughout the entire AI lifecycle.

Even if encryption is used during storage or transmission, a major gap remains: what happens when the data is being processed? In traditional virtualized environments, it’s possible for insiders or misconfigured systems to expose active memory. That’s where confidential computing plays a key role—protecting the training process itself.

How Confidential Computing Helps

Confidential computing creates a trusted execution environment (TEE) around the workload. This isolates it from the rest of the system—even the hypervisor and root users. With Intel TDX, which is supported by OpenMetal’s infrastructure, you can run secure virtual machines that shield your AI models and data while in use.

This is especially important for training large language models, recommendation systems, or predictive algorithms that rely on confidential or high-value data. By using TEEs, organizations gain confidence that the data will remain protected throughout the process—even if they’re deploying in a shared or multi-tenant environment.

What You Need for Confidential Computing in AI Training

To successfully run confidential computing workloads for AI training, your infrastructure must meet several key requirements—starting with the right hardware. At the foundation are Intel 5th Gen Xeon CPUs with Intel Trust Domain Extensions (TDX). These processors enable hardware-based memory encryption and ensure that sensitive data used in training models stays protected, even while in use.

At OpenMetal, both our XL V4 and XXL V4 bare metal servers are equipped with TDX-capable CPUs. This gives you the ability to isolate memory and workloads at the hardware level, which is essential for truly confidential computing environments.

Once you have the hardware in place, you’ll need a way to create secure virtual machines. Using hypervisors like KVM or QEMU, which are compatible with Intel TDX, you can launch TDX-enabled VMs that keep data fully isolated from the host system and other tenants.

AI workloads also generate and process huge volumes of data, so fast, secure storage is a must. With encrypted NVMe storage, OpenMetal ensures your training data stays protected while delivering high-speed performance—even in cases of drive loss or unauthorized access.

For those who require GPU acceleration during training, OpenMetal offers H100 GPUs that can be attached to TDX-enabled virtual machines using PCIe passthrough—but this configuration is available only on the XXL V4 bare metal server. This server provides the right balance of compute power, memory capacity, and hardware support to run both Intel TDX and GPU passthrough simultaneously.

This setup handles demanding AI workloads like deep learning exceptionally well, delivering both security and performance at scale.

Lastly, network isolation is critical—especially for customers dealing with compliance or privacy regulations. OpenMetal provides dedicated VLANs to separate your traffic from other workloads, helping to reduce risk and maintain a clean, segmented network environment.

Example Use Case

An OpenMetal customer in the blockchain space provides a helpful comparison. Their platform manages validator workloads and real-time transaction indexing. While they’re not training AI models, their infrastructure has similar security and performance needs: consistent compute, strict data separation, and hardware-level trust.

They use OpenMetal’s XL V4 servers with Intel TDX to launch secure VMs, isolate data with VLAN segmentation, and use encrypted volumes for sensitive blockchain metadata. The same environment is ideal for AI teams training proprietary models, especially if those models support financial, medical, or compliance-focused products.

Final Thoughts

Confidential computing is no longer experimental—it’s ready for production. If you’re training AI models with proprietary data, using Intel TDX on OpenMetal’s bare metal servers gives you the security and performance you need. If you’re ready to adopt confidential computing for AI training, OpenMetal’s Intel TDX-enabled infrastructure gives you a secure foundation to begin.

Contact us to learn how to start building your confidential AI training environment today.

Read More on the OpenMetal Blog

Why MEV Block Building Infrastructure Is Moving to TDX Bare Metal

The operator trust problem in MEV block building has a hardware solution. This article explains why Intel TDX has become the substrate of choice for confidential block building, and what bare metal adds that cloud TDX doesn’t.

OpenMetal XL v5 vs XL v4 — Same 64 Cores, Different Generation: How to Choose

OpenMetal XL v5 vs XL v4: same 64 cores, but v5 adds 33% memory bandwidth, more PCIe lanes and drive bays, and CPU-side AI; v4 keeps more L3 cache.

What HIPAA Requires from the Infrastructure Running Your Healthcare AI Workloads

Healthcare AI workloads carry the same HIPAA obligations as any system touching PHI. This article covers what the 2026 Security Rule update requires from AI infrastructure, why vector embeddings count as PHI, and how dedicated private cloud simplifies the compliance documentation burden.

How the H200 Is Built for Memory-Bound AI Workloads

The H200 is a memory upgrade on the Hopper architecture, not a new compute platform. This article covers why bandwidth matters as much as VRAM capacity, where the 141GB floor changes what fits on a single GPU, and how the NVL PCIe variant differs from the SXM5 for dedicated private infrastructure.

Why 96GB VRAM Changes the Economics of Private LLM Inference

The RTX PRO 6000’s 96GB VRAM fits 70B models at FP8 on a single card with real KV cache headroom. This article covers what that unlocks, how dedicated fixed-cost GPU infrastructure compares structurally to cloud rental, and where the H200 is the better choice.

OpenMetal GPU Clusters — Dedicated Multi-GPU Infrastructure for AI Training and Inference

OpenMetal GPU clusters: dedicated single-tenant multi-GPU infrastructure. All-RP6000, all-H200, or mixed on a private 40 Gbps mesh, fixed monthly pricing.

When Managed Kubernetes Gets Expensive Enough to Justify Running Your Own

The control plane fee is the smallest part of your managed Kubernetes bill. This article breaks down what EKS, GKE, and AKS actually charge across egress, storage, cross-zone transfer, and multi-cluster overhead, and where self-managed on dedicated bare metal makes the math work better.

What DORA’s ICT Concentration Risk Requirements Mean for EU Financial Infrastructure

DORA has been in force since January 2025, and the third-party ICT risk requirements are where infrastructure decisions land hardest. This article breaks down what Articles 28–30 require, why hyperscaler concentration is now a documented regulatory problem, and how private cloud in the EU changes the risk picture.