Launch HN: Tinfoil (YC X25): Verifiable Privacy for Cloud AI

Technical design & trust model

  • Service runs models in GPU-backed secure enclaves where TLS is terminated inside the enclave; current limitation is per-enclave TLS certs, to be mitigated by HPKE so TLS can terminate at a proxy while payloads stay enclave-encrypted.
  • Trust boundary: CPU enclave extends to GPU in confidential-compute mode. CPU verifies GPU integrity and establishes an encrypted PCIe channel; data is decrypted on CPU registers but never leaves enclave memory unencrypted.
  • Only enclave code sees plaintext; provider cannot SSH into inference servers and claims users need only trust chip vendors (Intel/AMD/NVIDIA), not cloud operators or Tinfoil itself.

Relation to existing confidential computing & FHE

  • Thread notes Azure, GCP, NVIDIA+Edgeless, Opaque, Anjuna, Apple’s Private Cloud Compute, Minions, etc. Tinfoil positions itself as “end-to-end verifiable” and application-focused vs. raw TEE primitives.
  • Several point out this is not “zero trust”: users must trust hardware vendors and their secret processes; hardware bugs or leaked keys remain risks.
  • FHE is acknowledged as the only way to avoid trusting hardware, but considered impractical today; some argue true privacy requires on-prem, not cloud at all.

Market demand, use cases, and competition

  • Debate over whether hyperscalers will commoditize this and “swallow” the market; some say that may be the outcome and even the plan.
  • One side claims enterprises already trust cloud providers and don’t need this, pointing to lack of incidents; others with large-finance experience counter that many banks assume CSPs are hostile and already use enclaves and formal methods.
  • Use cases mentioned: protecting highly sensitive model weights, regulated industries, SMB products where LLM privacy is a top sales question, and multi-party analytics where none of the parties want to reveal data or code.
  • Some argue that open-source models are still inferior to frontier models, weakening the appeal if privacy means worse quality; others report good results with large open models when run unquantized with full context.

Compliance & “enterprise-ready” security

  • Tinfoil is close to SOC 2 and plans HIPAA next; commenters argue “enterprise-ready” also requires a broad set of certifications (ISO, FedRAMP, etc.), not just technical zero-trust.

Verification, UX, and self-hosting

  • Attestation is verified client-side via open-source SDKs; users can, in principle, run a frozen client, though Tinfoil currently iterates rapidly and offers freezing case-by-case.
  • A question is raised about enclaves falsely claiming to run older code; answer: hardware root of trust signs only the actual code hash.
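The check described in the two points above, as an added illustration that is not Tinfoil’s SDK or any vendor’s attestation format: the root of trust signs the hash of the code it actually loaded, and the client compares that signed hash against the one it expects and checks that the report is bound to the TLS session. The hardware signature is modelled with an HMAC key for a self-contained run; a real TEE signs with an asymmetric key and the client holds only the vendor’s public certificate chain. All names, images and keys below are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor root of trust (real chips use an
# asymmetric key; the verifier would hold only the public half).
VENDOR_KEY = b"constructed-vendor-root-of-trust-key"


def measure(enclave_image: bytes) -> str:
    """Hash of the code actually loaded into the enclave (the 'measurement')."""
    return hashlib.sha256(enclave_image).hexdigest()


def hardware_attest(enclave_image: bytes, tls_cert: bytes) -> dict:
    """What the chip does: sign the measurement it computed itself, plus
    report_data chosen by the enclave (here the hash of its TLS cert)."""
    report = {
        "measurement": measure(enclave_image),
        "report_data": hashlib.sha256(tls_cert).hexdigest(),
    }
    body = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "sig": hmac.new(VENDOR_KEY, body, "sha256").hexdigest()}


def verify_attestation(att: dict, expected_measurement: str, tls_cert: bytes) -> bool:
    """Client-side check: valid root-of-trust signature, measurement equals the
    hash pinned from the published build, and the report is bound to this TLS cert."""
    body = json.dumps(att["report"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(VENDOR_KEY, body, "sha256").hexdigest(), att["sig"]):
        return False
    if not hmac.compare_digest(att["report"]["measurement"], expected_measurement):
        return False
    return hmac.compare_digest(att["report"]["report_data"], hashlib.sha256(tls_cert).hexdigest())


# Constructed sample data
OLD_IMAGE = b"inference-server v1 (audited build)"
NEW_IMAGE = b"inference-server v2 (unaudited change)"
TLS_CERT = b"constructed enclave TLS certificate"


def demo() -> tuple:
    expected = measure(OLD_IMAGE)  # hash the client pins from the published build
    honest = hardware_attest(OLD_IMAGE, TLS_CERT)
    # An enclave running NEW_IMAGE cannot claim the old hash: the chip signs what it
    # measured, so editing the report after signing breaks the signature.
    forged = hardware_attest(NEW_IMAGE, TLS_CERT)
    forged["report"]["measurement"] = expected
    return verify_attestation(honest, expected, TLS_CERT), verify_attestation(forged, expected, TLS_CERT)
```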

Business model, deployment, and moat

  • Code is AGPL and could be run by clouds; Tinfoil sees its value in tooling, UX, secrets management, and orchestration of GPU confidential compute, which is described as difficult in practice.
  • They rent bare-metal GPU servers from smaller “neoclouds” (not hyperscalers) in the US, claiming hardware attestation removes the need to trust these providers, modulo physical and side-channel attacks.
  • Some are skeptical that confidential computing’s slow adoption is explained by its difficulty; others say it is simply a low priority compared with more immediate security issues.

Skepticism, limitations, and legal/coercion scenarios

  • Critics argue this only shifts trust to hardware makers and still leaves many unprotected layers (network stack, API servers, MITM by states).
  • Questions about FISA-style compelled access or government backdoors: an attacker could theoretically subvert the build pipeline or, if they control vendor keys, bypass enclave guarantees; Tinfoil plans a “how to hack us” writeup.

Enthusiasm and proposed tests

  • Several commenters are enthusiastic, calling the approach “game-changing” for privacy-sensitive AI and praising the open-sourcing and attestation model.
  • A suggested marketing demo is to give the world root access to a box and offer a bounty if anyone can recover plaintext; Tinfoil plans a similar public challenge at DEF CON and is open to expanding it.