A Confidential VM is a Compute Engine VM that uses aspecific machine typeand keeps your sensitive code and other data encrypted in memory duringprocessing, that is, it performsencryption-in-use.Together withencryption-at-restandencryption-in-transit,Confidential VM can help keep your data and applications encrypted atall times.

For a more detailed conceptual overview, seeConfidential VM overview.

To get started using Confidential VM, seeCreate a Confidential VM instance.

You can manage your Confidential VMs in some of the following ways:

• You can use organization policy constraints toensure that instances created in your organization are Confidential VMs.

• You can use Cloud Monitoring and Cloud Logging tomonitor and validate your Confidential VM instances.

• You can use shared Virtual Private Cloud (VPC) networks, organization policyconstraints, and firewall rules toset up a security perimeterthat ensures your Confidential VM instances can only interact withother Confidential VM instances.

• With the A3 machine series, you can create a Confidential VM instancethat uses Intel TDX and has an attachedGPU. For more information, seeConfidential VMsupported configurations.

For enhanced block storage security with Confidential VM, you can useConfidential mode for Hyperdisk Balanced.Confidential mode for Hyperdisk Balanced adds another layer of security by enabling hardware-based encryptionof disk data. Hyperdisk volumes in Confidential mode useCloud HSM and Trusted Execution Environments (TEE) toprovide additional cryptographic isolation. For more information about TEEs, seeTrusted Execution Environment Explainer.