How eSIMs work


Trying to figure out how at the software and hardware level eSIMs work in a cellphone.


4 Answers

Anonymous 0 Comments

eSIM uses the trusted computing feature of modern CPUs. Trusted computing makes it possible to run small applications that are heavily protected from the user. Other major trusted computing applications before eSIMs have been DRM (copy protection; the owner of content does not want the user to be able to copy decrypted content) and corporate security and remote computer management (in this case corporate IT wants to be sure it can run an application even if the main OS has crashed or has been infected by a sophisticated virus that could have removed a regular security application).

Trusted computing applications run outside of the main OS and outside of the main RAM (random access memory). The CPU has a small embedded RAM inside the CPU die. Communications with the regular RAM can be easily listened to with inexpensive tools. Communications with the embedded RAM are extremely difficult to snoop. Since the CPU designers know the RAM is for trusted computing, they mix RAM elements with other CPU transistors. Even if you could attach a tiny probe to the CPU die, you wouldn’t know which line to listen to. They can also seal the die with an outer shell that makes it very difficult to attach a probe. Similarly, the CPU has a small embedded flash memory for long-term storage.

The eSIM application uses the embedded flash to store cryptographic keys and the subscriber ID. When the phone connects to a mobile network, it does what a regular SIM card does. It uses public/private key cryptography to confirm your subscriber ID. Unlike a regular SIM card, which has a subscriber ID and keys stored at the factory, the eSIM application can accept new keys and new subscriber IDs. It can also store many key and ID sets for multiple carriers.
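A simplified model of the behaviour described in the answer above (several key and ID sets held in protected storage, one active at a time, and a network challenge answered without the key leaving the store), added here as an illustration and not part of the original answer. The class and function names, carrier names and subscriber IDs are made up, and HMAC-SHA-256 over a per-profile secret is used as a stand-in for the cryptographic operation; it is not the algorithm a real network or eSIM uses.

```python
import hashlib
import hmac
import secrets

class ProfileStore:
    """Toy protected store: key/ID sets can be added after manufacture."""
    def __init__(self):
        self._profiles = {}  # subscriber_id -> (carrier, key); never exported
        self._active = None

    def install(self, carrier, subscriber_id, key):
        if subscriber_id in self._profiles:
            raise ValueError("profile already installed")
        self._profiles[subscriber_id] = (carrier, bytes(key))

    def enable(self, subscriber_id):
        if subscriber_id not in self._profiles:
            raise KeyError(subscriber_id)
        self._active = subscriber_id

    def list_profiles(self):
        # Metadata only: callers see which profiles exist, not the keys.
        return sorted((sid, c) for sid, (c, _) in self._profiles.items())

    def respond(self, challenge):
        # The key is used inside the store; only the response leaves it.
        if self._active is None:
            raise RuntimeError("no active profile")
        key = self._profiles[self._active][1]
        return self._active, hmac.new(key, challenge, hashlib.sha256).digest()

def network_verify(known_keys, challenge, subscriber_id, response):
    """Carrier side: recompute the response for the claimed subscriber ID."""
    key = known_keys.get(subscriber_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample data: carrier names and subscriber IDs are made up.
    key_a, key_b = secrets.token_bytes(16), secrets.token_bytes(16)
    store = ProfileStore()
    store.install("Carrier A", "sub-0001", key_a)
    store.install("Carrier B", "sub-0002", key_b)
    store.enable("sub-0002")
    nonce = secrets.token_bytes(16)  # fresh challenge chosen by the network
    sid, resp = store.respond(nonce)
    print(sid, network_verify({"sub-0002": key_b}, nonce, sid, resp))
```

Because the network picks a fresh challenge each time, a response captured from an earlier exchange does not verify against a later one.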
