Confidential AI
DeepJournal’s confidential AI features are designed to not break end-to-end encryption (E2EE) while allowing to benefits from the power of advanced LLMs and embedding models.
To achieve this, DeepJournal uses Tinfoil, a system based on Trusted Execution Environments (TEE) and Encrypted HTTP Body Protocol (EHBP).
At no point can DeepJournal servers, cloud providers, or Tinfoil access plaintext prompts or model outputs.
What are Trusted Execution Environments (TEE) ?
A Trusted Execution Environment (TEE) is a hardware-isolated execution environment provided by the CPU or GPU.
It provides:
- Isolated and encrypted memory inaccessible to the host operating system
- Protected execution where only enclave code can access decrypted data
- Hardware-backed cryptographic attestation proving the enclave’s identity and the exact code it is running
All AI workloads in DeepJournal run inside TEEs, including LLMs and Embedding models.
Open-Source Models Used
All LLMs and embedding models deployed in secure enclaves are open source. Currently supported models include are:
- DeepSeek R1
- Kimi K2.5
- GPT-OSS 120B
Encrypted HTTP Body Protocol (EHBP)
EHBP ensures that AI requests and responses remain encrypted end-to-end between the client device and the secure enclave.
- HTTP request and response bodies are fully encrypted.
- HTTP headers remain unencrypted so that servers can route, authenticate, and account for requests.
- The actual AI input and output are contained only in the encrypted body and are therefore unreadable outside the TEE.
EHBP is based on Hybrid Public Key Encryption (HPKE):
- The secure enclave publishes a public key.
- The client generates an ephemeral public key.
- Using these public keys, the client and the enclave independently derive a shared session encryption key.
- Only the client device and the enclave possess the keys required to decrypt the request and response bodies.
No intermediary, including DeepJournal servers, can decrypt the encrypted content.