Modifying Shielded VM options on a VM instance

This document describes how to enable and disable the Shielded VM options on a VM instance. To see which images support Shielded VM features, see OS image security features.

Overview

On a Shielded VM instance, Compute Engine enables the virtual Trusted Platform Module (vTPM) and integrity monitoring options by default. If you disable the vTPM, Compute Engine disables integrity monitoring because integrity monitoring relies on data gathered by Measured Boot.

Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. Secure Boot helps ensure that the system only runs authentic software by verifying the signature of all boot components and stopping the boot process if signature verification fails. This helps prevent forms of kernel malware, such as rootkits or bootkits, from persisting across VM reboots. Google recommends enabling Secure Boot if you can ensure that it doesn't prevent a representative test VM from booting and if it is appropriate for your workload.

Limitations

Even though Compute Engine VM instances support Secure Boot, an image loaded on a Compute Engine VM might not. Notably, although most Linux distributions support Secure Boot on recent x86 images, it isn't always supported by default on ARM64. Many Linux images are configured to refuse to load unsigned builds of out-of-tree kernel modules when Secure Boot is enabled. This most commonly affects GPU drivers, but also sometimes affects security monitoring tools that require kernel modules.

Permissions required for this task

To perform this task, you must have the following permissions:

  • compute.instances.updateShieldedInstanceConfig on the VM instance

Modifying Shielded VM options on a VM instance

Use the following procedure to modify Shielded VM options:

Console

  1. In the Google Cloud console, go to the VM instances page.

  2. Click the instance name to open the VM instance details page.

  3. Click Stop to stop the VM. If there is no Stop option, click More actions > Stop.

  4. After the instance stops, click Edit.

  5. In the Shielded VM section, modify the Shielded VM options:

    • Toggle Turn on Secure Boot to enable Secure Boot. Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.

    • Toggle Turn on vTPM to disable the virtual trusted platform module (vTPM). By default, Compute Engine enables the Virtual Trusted Platform Module (vTPM).

    • Toggle Turn on Integrity Monitoring to disable integrity monitoring. By default, Compute Engine enables integrity monitoring.

  6. Click Save.

  7. Click Start to start the instance.

gcloud

  1. Stop the instance:

    gcloud compute instances stop VM_NAME

    Replace VM_NAME with the name of the VM to stop.

  2. Update the Shielded VM options:

    gcloud compute instances update VM_NAME \
        [--[no-]shielded-secure-boot] \
        [--[no-]shielded-vtpm] \
        [--[no-]shielded-integrity-monitoring]

    Replace VM_NAME with the name of the VM on which to update the Shielded VM options.

    shielded-secure-boot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.

    • Enable Secure Boot by using the --shielded-secure-boot flag (recommended).
    • Disable Secure Boot by using --no-shielded-secure-boot.

    shielded-vtpm: the virtual trusted platform module (vTPM) is enabled by default.

    • Enable by using --shielded-vtpm (default).
    • Disable by using the --no-shielded-vtpm flag.

    shielded-integrity-monitoring: integrity monitoring is enabled by default.

    • Enable by using --shielded-integrity-monitoring (default).
    • Disable by using the --no-shielded-integrity-monitoring flag.

  3. Start the instance:

    gcloud compute instances start VM_NAME

    Replace VM_NAME with the name of the VM to start.

REST

  1. Stop the instance:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/stop

    Replace the following:

    • PROJECT_ID: project containing the VM to stop
    • ZONE: zone containing the VM to stop
    • VM_NAME: the VM to stop
  2. Use instances.updateShieldedInstanceConfig to enable or disable Shielded VM options on the instance:

    PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/updateShieldedInstanceConfig

    {
      "enableSecureBoot": {true|false},
      "enableVtpm": {true|false},
      "enableIntegrityMonitoring": {true|false}
    }

    Replace the following:

    • PROJECT_ID: the project containing the VM to enable or disable Shielded VM options on.
    • ZONE: the zone containing the VM to enable or disable Shielded VM options on.
    • VM_NAME: the VM to enable or disable Shielded VM options on.

    enableSecureBoot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.

    enableVtpm: Compute Engine enables the Virtual Trusted Platform Module (vTPM) by default.

    enableIntegrityMonitoring: Compute Engine enables integrity monitoring by default.

  3. Start the instance:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/start

    Replace the following:

    • PROJECT_ID: project containing the VM to start
    • ZONE: zone containing the VM to start
    • VM_NAME: VM to start
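The gcloud and REST procedures above share the same three settings and the same two constraints: the VM must be stopped before the update, and disabling the vTPM also disables integrity monitoring. The following added example (not Google's code or any official client library) builds the REST PATCH request and the equivalent gcloud flags from a desired configuration while enforcing both constraints offline; the project, zone, VM name and instance resource values are constructed.

```python
"""Added example (not Google's code): builds the REST PATCH request and the
equivalent gcloud flags for the stop -> update -> start flow described above,
enforcing the documented vTPM / integrity-monitoring dependency."""
from dataclasses import dataclass

API_BASE = "https://compute.googleapis.com/compute/v1"

@dataclass(frozen=True)
class ShieldedConfig:
    secure_boot: bool
    vtpm: bool
    integrity_monitoring: bool

def normalize(cfg):
    """Integrity monitoring relies on Measured Boot data gathered through the
    vTPM, so disabling the vTPM also disables integrity monitoring."""
    if not cfg.vtpm and cfg.integrity_monitoring:
        fixed = ShieldedConfig(cfg.secure_boot, False, False)
        return fixed, ["integrity monitoring turned off because vTPM is disabled"]
    return cfg, []

def gcloud_flags(cfg):
    """Flags for: gcloud compute instances update VM_NAME <flags>."""
    cfg, _ = normalize(cfg)
    pairs = [("shielded-secure-boot", cfg.secure_boot),
             ("shielded-vtpm", cfg.vtpm),
             ("shielded-integrity-monitoring", cfg.integrity_monitoring)]
    return [f"--{name}" if on else f"--no-{name}" for name, on in pairs]

def build_update_request(project, zone, vm, cfg, instance):
    """Return the PATCH request as a dict; refuse unless the VM is stopped."""
    if instance.get("status") != "TERMINATED":
        raise RuntimeError(f"{vm} must be stopped first (status={instance.get('status')})")
    cfg, warnings = normalize(cfg)
    url = (f"{API_BASE}/projects/{project}/zones/{zone}/instances/{vm}"
           "/updateShieldedInstanceConfig")
    body = {"enableSecureBoot": cfg.secure_boot,
            "enableVtpm": cfg.vtpm,
            "enableIntegrityMonitoring": cfg.integrity_monitoring}
    return {"method": "PATCH", "url": url, "body": body, "warnings": warnings}

# Constructed sample instance resource (Compute API shape, invented values).
SAMPLE_STOPPED_VM = {"name": "web-1", "status": "TERMINATED"}

if __name__ == "__main__":
    req = build_update_request("my-project", "us-central1-a", "web-1",
                               ShieldedConfig(True, False, True), SAMPLE_STOPPED_VM)
    print(req["url"]); print(req["body"]); print(req["warnings"])
    print(" ".join(gcloud_flags(ShieldedConfig(True, True, False))))
```

The `warnings` list surfaces the implicit integrity-monitoring change so an operator reviewing the request sees that disabling the vTPM also removes integrity monitoring rather than discovering it after the VM restarts.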


Last updated 2025-11-24 UTC.