Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
A hardware-isolated secure area in a processor that runs sensitive code and data separately from the main OS, even if the OS is compromised.
Trusted Execution Environment (TEE) Definition: A hardware-isolated secure area in a processor that runs sensitive code and data separately from the main OS, even if the OS is compromised.
A Trusted Execution Environment (TEE) is a hardware-isolated, secure area within a processor that runs sensitive code and stores sensitive data separately from the main operating system. Even if the OS or applications are compromised, the TEE protects the confidentiality and integrity of what runs inside it, establishing a hardware root of trust.
TEEs achieve isolation through CPU and memory-controller features that partition execution into a trusted and a normal world, gating access to protected memory, secure storage, and trusted I/O paths. Common implementations include ARM TrustZone, Intel SGX (which creates per-application enclaves), and AMD SEV (which encrypts virtual machine memory). Code inside the TEE can be measured and attested, letting a remote party verify it is running genuine, unmodified software before releasing secrets to it.
TEEs matter because they shrink the trusted computing base for critical functions like secure boot, biometric matching, payment processing, DRM, and key management, keeping cryptographic keys and credentials out of reach of malware running in the main OS. They are not absolute: a TEE reduces the attack surface rather than eliminating it, and side-channel attacks such as Foreshadow and Plundervolt have broken specific implementations, so they must be combined with timely microcode updates and defense in depth.
For example, a smartphone uses a TEE to store fingerprint templates and process biometric authentication. When the user touches the sensor, matching happens entirely inside the trusted world, and the OS only receives a yes/no result, never the raw template. Even malware with full control of the Android or iOS environment cannot extract the biometric data or forge a successful match, because the secrets never leave the hardware-isolated environment.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →