Invention Grant
- Patent Title: Decrypting network traffic on a middlebox device using a trusted execution environment
- Application No.: US16021950
- Application Date: 2018-06-28
- Publication No.: US10447663B2
- Publication Date: 2019-10-15
- Inventor: Yuqiong Sun, Daniel Marino, Susanta K. Nanda, Saurabh Shintre, Brian T. Witten, Ronald A. Frederick, Qing Li
- Applicant: SYMANTEC CORPORATION
- Applicant Address: US CA Mountain View
- Assignee: SYMANTEC CORPORATION
- Current Assignee: SYMANTEC CORPORATION
- Current Assignee Address: US CA Mountain View
- Agency: Maschoff Brennan
- Main IPC: H04L29/06
- IPC: H04L29/06; G06F21/62

Abstract:
Decrypting network traffic on a middlebox device using a trusted execution environment (TEE). In one embodiment, a method may include loading a kernel application inside the TEE, loading a logic application outside the TEE, intercepting, by the logic application, encrypted network traffic, forwarding, from the logic application to the kernel application, the encrypted network traffic, decrypting, at the kernel application, the encrypted network traffic, inspecting, at the kernel application, the decrypted network traffic according to a sensitivity policy to determine whether the decrypted network traffic includes sensitive data, forwarding, from the kernel application to the logic application, filtered decrypted network traffic that excludes the sensitive data, processing, at the logic application, the filtered decrypted network traffic, forwarding, from the logic application to the kernel application, the filtered decrypted network traffic after the processing by the logic application, and forwarding, from the kernel application, the encrypted network traffic.
Public/Granted literature
- US20190253398A1 DECRYPTING NETWORK TRAFFIC ON A MIDDLEBOX DEVICE USING A TRUSTED EXECUTION ENVIRONMENT Public/Granted day: 2019-08-15