Disk encryption has a chicken-and-egg problem at boot. To start up, a server must decrypt its own storage, which requires the key — but if the key is stored on the machine, an attacker who steals the machine gets the key too. Typing a passphrase by hand does not scale to a data center. So where does the key come from?
US11611431B2, “Network bound encryption for recovery of trusted execution environments,” granted to Red Hat, Inc. on March 21, 2023, answers: from the network. Classified under H04L 9/0825 (public-key encryption) with key-establishment codes, it claims binding decryption to the presence of the correct network environment.
Network-bound encryption is an elegant inversion. Instead of storing the key on the machine or asking a human, the system can reconstruct the key only when it can reach the right network resource — effectively making “being on the authorized network” the credential. Move the machine elsewhere, and it cannot decrypt itself. Red Hat's open-source Tang/Clevis work pioneered this pattern, and the patent extends it specifically to recovering trusted execution environments.
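To make the "being on the authorized network" credential concrete, here is an added example of the key-exchange pattern Tang and Clevis use (the McCallum-Relyea exchange), written for this article and not taken from the patent or from Red Hat's code. Tang works over an elliptic-curve group; this illustration uses a constructed toy multiplicative group mod a Mersenne prime so it runs with only the standard library, and the group parameters, the XOR-based key wrapping and the function names are all assumptions made for the demonstration. The algebra is the same: at provisioning the client computes a shared secret from the server's public value, wraps the disk key with it, and discards its own private exponent, so nothing at rest can unwrap the key. At recovery the client sends a blinded value to the server, which raises it to its private exponent, and the client unblinds the reply to get the shared secret back. Without a reachable server holding the right private value, the wrapped key is inert.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: the multiplicative group
# mod the Mersenne prime 2^127 - 1 with generator 5. Tang uses an
# elliptic-curve group; point addition there plays the role of
# multiplication here, and scalar multiplication the role of pow().
P = (1 << 127) - 1
G = 5


def keygen():
    """Server key pair: private exponent s, public value S = g^s."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def kdf(shared: int) -> bytes:
    """Derive a 32-byte wrapping key from the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def provision(server_pub: int, disk_key: bytes) -> dict:
    """Bind a 32-byte disk key to the server's public value.

    K = S^c = g^(s*c). Only C, S and the wrapped key are stored; the
    client exponent c and the secret K are discarded on purpose.
    """
    c = secrets.randbelow(P - 2) + 1
    C = pow(G, c, P)
    K = pow(server_pub, c, P)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kdf(K)))
    return {"C": C, "S": server_pub, "wrapped": wrapped}


def server_respond(server_priv: int, X: int) -> int:
    """Tang-style server: raise whatever it receives to its private exponent."""
    return pow(X, server_priv, P)


def recover(metadata: dict, respond) -> bytes:
    """Reconstruct the disk key; `respond` stands in for the network round trip.

    The client blinds C with a fresh ephemeral E = g^e, so the server sees
    only X = C*E and learns nothing about which volume is asking. The reply
    Y = X^s = g^(s*c) * g^(s*e) is unblinded by dividing out S^e = g^(s*e).
    """
    e = secrets.randbelow(P - 2) + 1
    E = pow(G, e, P)
    X = (metadata["C"] * E) % P
    Y = respond(X)
    blind = pow(metadata["S"], e, P)
    K = (Y * pow(blind, -1, P)) % P
    return bytes(a ^ b for a, b in zip(metadata["wrapped"], kdf(K)))


if __name__ == "__main__":
    s, S = keygen()
    disk_key = secrets.token_bytes(32)          # constructed sample key
    meta = provision(S, disk_key)
    print("right network :", recover(meta, lambda X: server_respond(s, X)) == disk_key)
    rogue_s, _ = keygen()                        # a server with a different secret
    print("wrong network :", recover(meta, lambda X: server_respond(rogue_s, X)) == disk_key)
```

The stored metadata holds no secret: an attacker who images the disk gets C, S and the wrapped key, none of which yields K without the server's exponent. Moving the machine to a network where the real Tang server is unreachable, or where an impostor answers, produces a wrong K and therefore garbage, which is exactly the behaviour the article describes.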
The TEE angle is what makes this more than ordinary disk encryption. A trusted execution environment must come up in a known-good, attestable state; recovering or rebooting one securely means re-establishing its secrets without ever exposing them to the untrusted host. Tying that recovery to the network gives an automated, key-less-at-rest way to bring an enclave back without weakening its threat model.
Per the desk's rules: issued grant (B2), not an application; a method claim, not a product announcement — though Red Hat's network-bound disk encryption tooling is the unmistakable context. The inventor team, including Bursell and McCallum, recurs across Red Hat's confidential-computing filings.
For the systems reader, this is a good illustration of how confidential computing forces old problems to be re-solved. Bootstrapping trust — getting a secret to a machine that has no secret yet — is ancient, but doing it for an attestable enclave on an untrusted host, automatically, is the modern twist, and network-bound encryption is one of the cleaner answers.