Confidential VM overview (original) (raw)

Confidential VM instances are a type of Compute Enginevirtual machine. They use hardware-based memory encryption to help ensure that your data and applications can't be read or modified while in use.

Confidential VM instances offer the following benefits:

• Isolation: Encryption keys are generated by—and reside solely in—dedicated hardware, inaccessible to the hypervisor.
• Attestation: You can verify the identity and the state of the VM, to make sure that key components haven't been tampered with.

This type of hardware isolation and attestation is known as a_Trusted Execution Environment_ (TEE).

You canenable the Confidential VM servicewhenever you create a new VM instance.

Confidential Computing technologies

When setting up a Confidential VM instance, the type of Confidential Computing technology that's used is based on themachine type and CPU platform you choose. When choosing a Confidential Computing technology, make sure it fits your performance and cost needs.

AMD SEV

AMD Secure Encrypted Virtualization (SEV) on Confidential VM offers hardware-based memory encryption through the AMD Secure Processor, and boot-time attestation through Google's vTPM.

AMD SEV offers high performance for demanding computational tasks. The performance difference between an SEV Confidential VM and a standard Compute Engine VM can range from nothing to minimal, depending on the workload.

Unlike other Confidential Computing technologies on Confidential VM, AMD SEV machines that use the N2D and C3D machine types support live migration.

Read theAMD SEV whitepaper.

AMD SEV-SNP

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) expands on SEV, adding hardware-based security to help prevent malicious hypervisor-based attacks like data replay and memory remapping. Attestation reports can be requested at any time directly from the AMD Secure Processor.

Read theAMD SEV-SNP whitepaper.

Intel TDX

Intel Trust Domain Extensions (TDX) creates an isolated trust domain (TD) within a VM, and uses hardware extensions for managing and encrypting memory.

Intel TDX augments defense of the TD against limited forms of attacks that use physical access to the platform memory, such as offline, dynamic random access memory (DRAM) analysis and active attacks of DRAM interfaces. These attacks include capturing, modifying, relocating, splicing, and aliasing memory contents.

Read theIntel TDX whitepaper.

NVIDIA Confidential Computing

NVIDIA Confidential Computing extends the security benefits of a hardware-based trusted execution environment (TEE) to attached NVIDIA GPUs. Sensitive data in GPU-accelerated AI and ML workloads is encrypted in-use, providing isolation from the hypervisor.

To provide a comprehensive confidential environment for both CPU and GPU workloads, NVIDIA Confidential Computing is integrated with CPU-based confidential computing technologies such as AMD SEV or Intel TDX.

For details on which machine series, GPU models, and CPU platforms support NVIDIA Confidential Computing, seeSupported configurations.

Read theNVIDIA H100 Tensor Core GPU Architectureand theRTX PRO 6000 Blackwell GPU Architecturewhitepapers.

Confidential VM services

In addition to Compute Engine, the following Google Cloud services make use of Confidential VM:

• Confidential Google Kubernetes Engine Nodesenforce the use of Confidential VM for all your GKE nodes.
• Confidential Space uses Confidential VM to let parties share sensitive data with a mutually agreed upon workload, while they retain confidentiality and ownership of that data.
• Managed Service for Apache Spark Confidential Computefeatures Managed Service for Apache Spark clusters that use Confidential VM.
• Dataflow Confidential VMfeatures Dataflow worker Confidential VM instances.

What's next

Read about Confidential VMsupported configurations.