AMD Patents a Circuit That Locks GPU Memory Behind Per-Request Encryption Keys
AMD is filing patents on one of the trickiest problems in cloud computing: making sure the data your GPU processes stays encrypted even from the people running the server it's sitting on.
What AMD's GPU memory encryption system actually does
Imagine renting a storage unit but worrying the storage company has a copy of your key. Cloud computing has the same problem — when a company rents GPU time from a cloud provider, the provider's own systems can, in theory, peek at the data being processed. Confidential computing is the industry's answer: encrypt everything, even while the chip is working on it.
This AMD patent covers a small but specific piece of that puzzle. When a GPU needs to fetch or write data from its own memory, a control circuit steps in and picks the correct encryption key for that particular memory address. It then hands both the address and the key index to the memory controller, which handles the actual read or write.
The result is that each chunk of GPU memory can be locked with its own key — so even if someone with physical access to the hardware tried to read the raw memory chips, they'd get scrambled data. You, as the person renting the GPU, would be the only one who can unlock your workload.
How the control circuit picks and routes the right key
The patent describes a control circuit inside a GPU that intercepts memory requests — the moment a program asks the GPU to read from or write to a specific location in GPU memory.
When that request arrives, the circuit looks at the final physical address (the exact memory slot being targeted) and selects the appropriate key index — essentially a label pointing to one of many stored encryption keys. The circuit then forwards both the address and the key index together to the GPU's memory controller (the hardware that physically moves data in and out of memory chips).
The memory controller uses the key index to retrieve the actual encryption key and completes the transaction — decrypting data on reads, encrypting it on writes — entirely in hardware, without any software involvement that could be intercepted.
- Memory request arrives with a physical address
- Control circuit selects the matching key index for that address
- Key index + address forwarded to the memory controller
- Memory controller completes the request using the associated encryption key
The system is designed to support confidential computing workloads — environments where even the cloud provider or hypervisor operator cannot access a tenant's data.
What this means for cloud GPU security
Cloud providers like AWS, Google, and Microsoft are racing to offer confidential computing as a premium feature, especially for sensitive workloads like AI model training on private datasets, financial modeling, and healthcare data. GPUs are increasingly at the center of those workloads, and GPU memory has historically been a weak link — most memory encryption schemes are CPU-focused. This patent shows AMD building the infrastructure to close that gap at the hardware level.
For you as a potential cloud customer, this kind of patent represents AMD building the technical foundation that would let a cloud provider credibly promise your GPU workload is private — not just from outsiders, but from the cloud provider itself. That's a meaningful shift in what enterprise customers can demand from infrastructure vendors.
This is unglamorous but genuinely important security infrastructure work. AMD's ATI Technologies division is clearly investing in confidential computing at the GPU level, which matters because AI workloads have made GPUs the most sensitive processors in a data center. The patent is narrow and technical, but it's the kind of foundational piece that enables much bigger privacy guarantees down the road.
Get one Big Tech patent every Sunday
Plain English, intelligent commentary, no hype. Free.
Editorial commentary on a publicly published patent application. Not legal advice.