How to Deploy Confidential Computing Workloads on OpenMetal Infrastructure

Running confidential computing workloads on bare metal is a new approach to protecting sensitive data, not just when it’s stored or transmitted, but while it’s actively being used. With growing security concerns and stricter data regulations, more organizations are asking how to make this a practical part of their infrastructure.

In this blog, we’ll break down how you can use OpenMetal’s bare metal servers to support confidential workloads using Intel TDX. Whether you’re working with protected health data, training machine learning models, or handling financial transactions, OpenMetal gives you the tools and control to keep it secure.

For a broader look at the technology, see our overview on Confidential Computing Benefits and Use Cases.

What You Need for Confidential Computing Workloads

To build a confidential computing environment, you’ll need:

  • Hardware-level security features like Intel TDX (Trust Domain Extensions)
  • Trusted Execution Environments (TEEs) that isolate data in memory
  • Operating systems and hypervisors that support those features
  • Full control over the hardware and how it’s configured

Note: Intel® Software Guard Extensions (SGX), Intel® Trust Domain Extensions (TDX), AMD® SEV, and Arm® TrustZone are examples of hardware-based TEEs.

Why OpenMetal Is a Fit for Confidential Computing Workloads

OpenMetal gives teams the flexibility and access they need to deploy secure workloads:

  • Bare Metal Control: Full access to physical servers without shared tenants
  • Intel 5th Gen CPUs with TDX: Available on our Medium V4, Large V4, XL V4, and XXL V4 bare metal configurations. You can also add H100 GPUs to XXL V4 servers for workloads that need acceleration.
  • GPU Support via PCIe Passthrough: You can attach the H100 to Intel TDX-enabled VMs using PCIe passthrough.
  • Fast, Isolated Networking: Redundant 10Gbps with VLAN segmentation
  • Encrypted Storage: Attach encrypted volumes to workloads as needed
  • Open APIs and CLI: Automate secure deployments

A Practical Guide to Deploying Confidential Workloads on OpenMetal

  1. Choose Intel TDX-Ready Hardware: Use OpenMetal’s Medium, Large, XL, or XXL configurations featuring 5th Gen Intel CPUs and optional H100 GPUs on the XXL. These servers come configured to launch TDX-enabled virtual machines.
  2. Deploy Virtual Machines with Intel TDX: Launch TDX-enabled VMs on supported nodes. These VMs benefit from memory and execution isolation from other workloads and the hypervisor.
  3. Attach GPUs with PCIe Passthrough (Optional): If your workload requires a GPU, the H100 can be passed through directly to your TDX-enabled VM using PCIe passthrough. This enables GPU acceleration while keeping CPU and memory data isolated.
  4. Secure Storage and Networking: Use encrypted volumes and VLAN-based network isolation to strengthen your setup. These security layers support the integrity and protection of your environment.
  5. Monitor and Validate: Deploy internal tools or third-party solutions to validate the state of your confidential computing environment. Monitoring configurations and access helps ensure ongoing protection and compliance.
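
As an added example for step 5 (not OpenMetal's own tooling), the script below is one guest-side check you could run inside a VM to confirm it is executing as a TDX trust domain and can request attestation quotes. It assumes a Linux guest kernel with TDX guest support; the function names and the constructed sample trees are illustrative.

```shell
#!/bin/sh
# Added example (not OpenMetal tooling): guest-side sanity check for step 5.
# Assumes a Linux guest whose kernel has TDX guest support, which exposes the
# "tdx_guest" CPU flag in /proc/cpuinfo and, with the guest attestation
# driver loaded, the /dev/tdx_guest device node.

# tdx_guest_state [ROOT]: print one state word for the filesystem under ROOT
# (default: the live system). Always returns 0; callers act on the word.
tdx_guest_state() {
    root="${1:-}"
    cpuinfo="$root/proc/cpuinfo"
    if [ ! -r "$cpuinfo" ]; then
        echo "unknown"                      # cannot inspect: treat as failure
    elif ! grep -m1 '^flags' "$cpuinfo" | grep -qw 'tdx_guest'; then
        echo "not-tdx"                      # ordinary VM or bare metal host
    elif [ ! -e "$root/dev/tdx_guest" ]; then
        echo "tdx-no-attestation-device"    # TD, but quotes cannot be requested
    else
        echo "tdx-ready"                    # TD with attestation interface
    fi
}

# make_sample_root DIR FLAGS HAS_DEV: build a constructed /proc and /dev tree
# so the check can be exercised offline. All values here are made up.
make_sample_root() {
    mkdir -p "$1/proc" "$1/dev"
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 %s\n' "$2" > "$1/proc/cpuinfo"
    if [ "$3" = "yes" ]; then : > "$1/dev/tdx_guest"; fi
}

# Demo on constructed samples, then on the machine the script runs on.
demo_dir=$(mktemp -d)
make_sample_root "$demo_dir/td"    "hypervisor tdx_guest" yes
make_sample_root "$demo_dir/nodev" "hypervisor tdx_guest" no
make_sample_root "$demo_dir/plain" "hypervisor avx2"      no
for name in td nodev plain; do
    echo "$name: $(tdx_guest_state "$demo_dir/$name")"
done
echo "this host: $(tdx_guest_state)"
rm -rf "$demo_dir"
```

A passing local check only shows what the guest kernel reports; a relying party should still verify a TD quote through remote attestation before releasing secrets to the VM.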

Common Use Cases

  • Healthcare: Analyze PHI while maintaining HIPAA compliance
  • AI/ML: Protect training data and proprietary models
  • Finance: Run encrypted models for fraud detection or trading
  • Web3/Crypto: Safeguard wallet data and blockchain metadata from exposure

 

Final Thoughts 

Confidential computing workloads are already making an impact across real-world production environments. OpenMetal provides a reliable path to deploying secure infrastructure through Intel TDX-enabled hardware and GPU passthrough capabilities.

If you’re ready to explore confidential computing, contact our team to get started.
