
Private prompts: encryption & confidential compute

Every Halo prompt is end-to-end encrypted. Confidential mode seals it to a hardware enclave the operator can't read, with on-device attestation you can verify.

Halo protects your prompts with two layers. End-to-end encryption hides them from the relay and is on by default. Confidential mode goes further, hiding them even from the operator by encrypting to a hardware enclave — with proof you can verify yourself.

Halo is in alpha on Base mainnet with real USDC.

End-to-end encryption (on by default)

You don’t toggle this — whenever the operator supports it (all alpha operators do), your request is end-to-end encrypted to that operator and the relay only ever forwards ciphertext. Each reply carries a badge:

  • 🔒 E2E · fingerprint — encrypted. Click it to see the channel details (algorithm, the operator’s key fingerprint) and an honest caveat: it’s relay-blind, not operator-blind — the operator still decrypts your prompt to run the model.
  • relay-visible — a warning badge shown if a reply wasn’t encrypted.
The channel details panel shows:

  • Channel: Relay-blind, end-to-end to the operator
  • Algorithm: x25519-aes256gcm
  • Operator key fingerprint: 793B-EC2C-4494
  • SHA-256 (pubkey): 793bec2c4494cfeca9bd088c691dbb1f990fd03640ace654867403ff75d62678
  • X25519 pubkey: a82082be32ad1b6b269acccac44245bea39a4c47218058fa58bb5b48448a6053

Relay-blind, not operator-blind. The Halo relay can't read this — it only tunnels ciphertext. The operator that runs your inference does decrypt and see the prompt. This proves nobody in the middle read or altered it, not that nobody read it.

What makes this a proof rather than a label is that the reply decrypts with its AES-GCM tag verified: only the holder of the key above could have produced it. The key is session-scoped and rotates when the operator restarts.

Illustration — the E2E encryption report

If you need full verifiable privacy, activate confidential mode.
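As an added illustration (not Halo's own code), the relay-blind channel described above modelled in Go with only the standard library: X25519 agreement, AES-256-GCM sealing, and the badge fingerprint taken from SHA-256 of the operator key. The key derivation (SHA-256 of the shared secret) and hashing the raw key bytes for the fingerprint are assumptions; this page does not specify Halo's exact construction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Fingerprint is the badge form of an operator key: first six bytes of SHA-256
// over the raw 32-byte X25519 public key (assumption: raw bytes are hashed).
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%X-%X-%X", sum[0:2], sum[2:4], sum[4:6])
}

// Channel is one relay-blind session: the AES-256-GCM AEAD both ends derive.
type Channel struct{ g cipher.AEAD }
// NewChannel runs X25519 against the peer's public key and derives the AES-256
// key (assumption: SHA-256 of the raw shared secret; Halo's KDF is not stated).
func NewChannel(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Channel, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)     // standard GCM: cannot fail
	return &Channel{g}, nil
}

// Seal prepends a random nonce; the relay forwards one opaque blob.
func (c *Channel) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open checks the GCM tag first: a bad tag (altered or forged blob) fails closed.
func (c *Channel) Open(blob []byte) ([]byte, error) {
	n := c.g.NonceSize()
	if len(blob) < n {
		return nil, errors.New("sealed blob too short")
	}
	return c.g.Open(nil, blob[:n], blob[n:], nil)
}
```

Both ends build a Channel from their own private key and the other side's public key; anything in between only ever handles the output of Seal.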

Confidential mode (operator-blind, hardware-attested)

Confidential mode encrypts your prompt directly to a hardware TEE (NEAR AI Cloud enclaves) that the operator can’t read — it only relays sealed ciphertext, and the reply is signed inside the enclave.

Turning it on:

  • It’s a Confidential pill (shield icon) in the composer, off by default and enabled per request.
  • The toggle only appears when it’s actually available — the selected model has a confidential (TEE) operator online and you’re on the vault balance. Models that can run confidentially show a shield in the model picker.

While the request runs, a checklist shows it sealing to the enclave: TEE operator pinned → enclave attested (Intel TDX / H200) → prompt encrypted to the enclave → running inside the enclave → reply verified.

Verifying the proof

After a confidential reply, the badge reads Confidential · verified. Click it to open the proof, which has two parts:

  1. Signature check (automatic). Halo checks that the reply was signed by the exact enclave named in an independently fetched attestation report — shown as “Reply signer matches attestation.” This runs on every confidential reply.
  2. Hardware attestation (optional, on demand). Press Verify hardware attestation to run a full trustless check in your browser: it confirms the Intel TDX quote and NVIDIA H200 evidence and that they’re bound to this signer. The pills flip to “verified” when it passes (it takes a couple of seconds to load the verifier).
Confidential — verified

Your prompt was encrypted to a hardware enclave the operator can't read. The reply was signed inside that enclave, and your browser verified the signature recovers to the same signer named in the enclave's independently-fetched, public attestation — so the operator could only relay ciphertext, never read or forge it.

Hardware attestation: Intel TDX verified · NVIDIA H200 verified · Bound to this signer
Fully verified — the enclave's quote chains to Intel's root and binds this signer; the relay could not have forged it.

Signature check: Reply signer matches attestation

  • Confidential provider (whose attested enclave this is): NEAR AI Cloud
  • Model: deepseek-ai/DeepSeek-V4-Flash
  • Attested enclave signer: 0xc5f6bf2f1bc666569157ec1bb4066cdaf48d026c
  • Enclave public key (your prompt was sealed to this): 34ba223c3175c4debee8cd12d72f55869b6cf1ccc5ff578e940a23c7bf9dcf3abd6530ce8d8624ffd150900fd31bae802eb75367a154a75e39cc87f748b63b84
  • Operator (relayed ciphertext only — never saw your prompt): 0x5b1e2587f5debdade3579e702e7cc06be9610d14
  • View raw attestation report ↗
Illustration — the confidential (TEE) proof

The proof panel also shows the provider, model, the attested enclave signer, the signed statement, the enclave’s public key, and a link to the raw attestation report.

When verification doesn’t pass

  • If the enclave setup or decryption fails, the request fails closed — you get an error, never a silent downgrade to plaintext.
  • If a reply’s signature doesn’t match the attestation, the run is flagged “Reply signature mismatch — rejected” and the badge stays at not verified. Treat any reply that isn’t marked verified as untrusted — don’t rely on it as confidential.