Fraud-detection with encrypted data

This example demonstrates a typical Confidential Containers (CoCo) deployment using a fraud-detection application. The primary goal is to show how CoCo protects data in use, even when the application code itself is public.

We will run a model to perform offline credit-card fraud detection, based on the following scenario.

Protecting Data, Not Code

This deployment operates on two key assumptions:

  • The Model is Public: The fraud-detection model itself is not secret. It was pre-trained on public data and does not require protection.

  • The Data is Private: The credit card datasets contain sensitive customer information and must be protected. This data has been securely collected and encrypted before entering our untrusted cluster.

A similar demonstration was shown at Red Hat Summit 2025, which used Confidential Virtual Machines (CVMs) instead of CoCo. You can learn more from this blogpost and video.

Assumptions

In this demo we are not going to show the steps performed in the secure environment; this keeps the user experience simple and avoids confusing the secure environment with the untrusted cluster.

In the secure environment we:

  • Generate, encrypt and upload the credit-card dataset to Azure Blob Storage. In this workshop it is a publicly accessible blob containing only the encrypted dataset.

  • Install and configure Trustee with the key used in the previous step. In this workshop Trustee runs in the same untrusted cluster, but in production it should not.

These two steps have already been prepared for you; there is nothing to do at this point.

The Confidential Workflow

The entire process relies on remote attestation to release the decryption key securely to the running container. In this demo, we will run the whole workflow.

  1. The fraud-detection container starts, pulling the public model and the encrypted datasets.

  2. The decryption key is not present in the container; it is held remotely by Trustee, our key-release service.

    1. The key was already added to Trustee when the secrets were added, or was added automatically by the install script. For this demo, Trustee runs in the same cluster, but in production it would be in a separate, secure domain.

  3. The container performs remote attestation, generating a cryptographic proof that it is a genuine Confidential Container running on a secure, trusted platform.

  4. It sends this proof to Trustee. Only after Trustee verifies that the container is secure does it release the decryption key.

  5. The container uses the received key to decrypt the credit card datasets in memory.

  6. The (now-decrypted) private data is fed into the public model for processing, all within the protected container.

Start the Jupyter notebook

Let’s create a notebook and run it as CoCo. If you open the YAML link, you will notice once again that the only difference from a normal deployment is runtimeClassName: kata-remote.

This notebook deliberately uses the Python SDK to download the encrypted data from Azure, for two reasons:

  • It closely aligns with regular interactive AI workflows, which use Python SDKs to download data from S3, Azure, MinIO, etc.

  • It provides an example of programmatic storage access for AI workloads when using the peer-pods approach.

oc apply -f https://raw.githubusercontent.com/confidential-devhub/workshop-on-ARO-showroom/refs/heads/main/helpers/fraud-encrypted-datasets/notebook.yaml

Switch to the newly created fraud-detection namespace:

oc project fraud-detection

Wait for the pod to be created:

watch oc get pods/fraud-encrypted-datasets

The pod is ready when its STATUS is Running.

The Jupyter notebook will be available at the following URL; the login password is aro_workshop123:

FD_ROUTE=$(oc get route fraud-encrypted-datasets-route -n fraud-detection -o jsonpath='{.spec.host}')
echo ""
echo "Click on the following URL to open the notebook in a new tab:"
echo "https://${FD_ROUTE}"

Run the notebook

Starting from fraud-detection/0_intro.ipynb, go through the notebooks in order. Specifically:

  • fraud-detection/0_intro.ipynb: show that the confidential hardware is present

  • fraud-detection/1_download_data.ipynb: download encrypted datasets

  • fraud-detection/2_decrypt_data.ipynb: fetch key through attestation and decrypt the datasets

  • fraud-detection/3_run_model.ipynb: run the model

  • fraud-detection/4_cleanup.ipynb: clean everything to restart the demo
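The following is an added illustration of what notebooks 2 and 3 do in-container (the confidential workflow steps 3 to 6 above); it is example code written for this page, not the workshop's notebooks. It assumes the CoCo guest components expose the Confidential Data Hub (CDH) on http://127.0.0.1:8006 with the key registered under the resource path shown, that the dataset was sealed with AES-256-GCM with a 12-byte nonce prepended, and that the "model" is a simple threshold check; all three are assumptions, and the sample transactions are constructed.

```python
import os
import urllib.request
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed: the CoCo guest components serve the CDH locally, and this is the
# resource path the workshop key was registered under in Trustee.
CDH_KEY_URL = "http://127.0.0.1:8006/cdh/resource/default/fraud/dataset-key"
NONCE_LEN = 12  # assumed sealed-blob layout: nonce || AES-GCM ciphertext


def seal_dataset(key: bytes, plaintext: bytes) -> bytes:
    """What the secure environment did before upload: AES-256-GCM seal."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def fetch_key(url: str = CDH_KEY_URL, opener=urllib.request.urlopen) -> bytes:
    """Request the key from the local CDH. The CDH attests to Trustee on the
    pod's behalf; if attestation fails the request errors and no key arrives.
    `opener` is injectable so the flow can be exercised without a CDH."""
    with opener(url, timeout=30) as resp:
        key = resp.read()
    if len(key) != 32:
        raise ValueError("unexpected key length; refusing to decrypt")
    return key


def decrypt_dataset(key: bytes, sealed: bytes) -> bytes:
    """Decrypt in memory only; a wrong key or tampered blob raises InvalidTag."""
    nonce, ciphertext = sealed[:NONCE_LEN], sealed[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, None)


def score_transactions(csv_text: str, threshold: float = 900.0) -> list:
    """Stand-in for the public model: flag transactions above a threshold."""
    flagged = []
    for row in csv_text.splitlines()[1:]:  # skip the header row
        tx_id, amount = row.split(",")
        if float(amount) > threshold:
            flagged.append(tx_id)
    return flagged


def run(sealed_blob: bytes, opener=urllib.request.urlopen) -> list:
    """Notebooks 2 and 3: key via attestation, decrypt in memory, score."""
    key = fetch_key(opener=opener)
    plaintext = decrypt_dataset(key, sealed_blob).decode()
    return score_transactions(plaintext)
```

The plaintext and key only ever exist inside the container's memory; nothing is written to the pod's filesystem or to the blob store.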