Private prompts: encryption & confidential compute
Every Halo prompt is end-to-end encrypted. Confidential mode seals it to a hardware enclave the operator can't read, with on-device attestation you can verify.
Halo protects your prompts with two layers. End-to-end encryption hides them from the relay and is on by default. Confidential mode goes further, hiding them even from the operator by encrypting to a hardware enclave — with proof you can verify yourself.
Halo is in alpha on Base mainnet with real USDC.
End-to-end encryption (on by default)
You don’t toggle this — whenever the operator supports it (all alpha operators do), your request is end-to-end encrypted to that operator and the relay only ever forwards ciphertext. Each reply carries a badge:
- 🔒 E2E · fingerprint — encrypted. Click it to see the channel details (algorithm, the operator’s key fingerprint) and an honest caveat: it’s relay-blind, not operator-blind — the operator still decrypts your prompt to run the model.
- relay-visible — a warning badge shown if a reply wasn’t encrypted.
Relay-blind, not operator-blind. The Halo relay can't read this — it only tunnels ciphertext. The operator that runs your inference does decrypt and see the prompt. This proves nobody in the middle read or altered it, not that nobody read it.
That the reply decrypts at all (its AES-GCM authentication tag verifies) is what makes this a proof rather than a label: only the holder of the key shown in the badge could have produced it. The key is session-scoped and rotates when the operator restarts.
If you need full verifiable privacy, activate confidential mode.
Confidential mode (operator-blind, hardware-attested)
Confidential mode encrypts your prompt directly to a hardware TEE (NEAR AI Cloud enclaves) that the operator can’t read — it only relays sealed ciphertext, and the reply is signed inside the enclave.
Turning it on:
- It’s a Confidential pill (shield icon) in the composer, off by default and enabled per request.
- The toggle only appears when it’s actually available — the selected model has a confidential (TEE) operator online and you’re on the vault balance. Models that can run confidentially show a shield in the model picker.
While the request runs, a checklist shows it sealing to the enclave: TEE operator pinned → enclave attested (Intel TDX / H200) → prompt encrypted to the enclave → running inside the enclave → reply verified.
Verifying the proof
After a confidential reply, the badge reads Confidential · verified. Click it to open the proof, which has two parts:
- Signature check (automatic). Halo checks that the reply was signed by the exact enclave named in an independently fetched attestation report — shown as “Reply signer matches attestation.” This runs on every confidential reply.
- Hardware attestation (optional, on demand). Press Verify hardware attestation to run a full trustless check in your browser: it confirms the Intel TDX quote and NVIDIA H200 evidence and that they’re bound to this signer. The pills flip to “verified” when it passes (it takes a couple of seconds to load the verifier).
Your prompt was encrypted to a hardware enclave the operator can't read. The reply was signed inside that enclave, and your browser verified that the signature recovers to the same signer named in the enclave's independently fetched, public attestation — so the operator could only relay ciphertext, never read or forge it.
The proof panel also shows the provider, model, the attested enclave signer, the signed statement, the enclave’s public key, and a link to the raw attestation report.
When verification doesn’t pass
- If the enclave setup or decryption fails, the request fails closed — you get an error, never a silent downgrade to plaintext.
- If a reply’s signature doesn’t match the attestation, the run is flagged “Reply signature mismatch — rejected” and the badge stays at not verified. Treat any reply that isn’t marked verified as untrusted — don’t rely on it as confidential.
Related
- Confidential mode requires the vault balance.
- It’s available in both Chat and Agent modes.