Confidential VM overview
Confidential VM instances are a type of Compute Engine virtual machine. They use hardware-based memory encryption to help ensure that your data and applications can't be read or modified while in use.
Confidential VM instances offer the following benefits:
Isolation: Encryption keys are generated by—and reside solely in—dedicated hardware, inaccessible to the hypervisor.
Attestation: You can verify the identity and the state of the VM, to make sure that key components haven't been tampered with.
This combination of hardware isolation and attestation is known as a Trusted Execution Environment (TEE).
You can enable the Confidential VM service whenever you create a new VM instance.
Confidential Computing technologies
When setting up a Confidential VM instance, the type of Confidential Computing technology that's used is based on the machine type and CPU platform you choose. When choosing a Confidential Computing technology, make sure it fits your performance and cost needs.
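The technology is fixed at creation time by the machine type and the `--confidential-compute-type` flag, and the choice also decides the host-maintenance behaviour (the AMD SEV section below notes that only SEV on N2D supports live migration). The following Python helper, an added example rather than code from this page or from Google, assembles the `gcloud compute instances create` command for a given technology and refuses combinations that cannot work. The machine-family table and the Ubuntu image are assumptions drawn from the supported-configurations page as I understand it; check that page before relying on them.

```python
"""Build a gcloud command that creates a Confidential VM (added example)."""
import shlex
import subprocess

# Machine families each technology runs on. ASSUMPTION: taken from the
# Compute Engine supported-configurations page as understood at the time of
# writing; verify against the current page before use.
SUPPORTED_FAMILIES = {
    "SEV": ("n2d", "c2d", "c3d"),
    "SEV_SNP": ("n2d", "c3d"),
    "TDX": ("c3",),
}

# Extra flags some combinations need. SEV-SNP on N2D requires the AMD Milan
# CPU platform (earlier N2D platforms only offer SEV).
EXTRA_FLAGS = {
    ("SEV_SNP", "n2d"): ["--min-cpu-platform=AMD Milan"],
}


def confidential_vm_create_args(name, zone, technology, machine_type,
                                image_family="ubuntu-2204-lts",
                                image_project="ubuntu-os-cloud",
                                allow_live_migration=False):
    """Return the argv for creating a Confidential VM, or raise ValueError.

    The image defaults are an assumption: any image must carry guest support
    for the chosen technology (e.g. a kernel with SEV-SNP or TDX drivers).
    """
    technology = technology.upper().replace("-", "_")
    if technology not in SUPPORTED_FAMILIES:
        raise ValueError(f"unknown Confidential Computing technology {technology!r}")

    family = machine_type.split("-")[0].lower()
    if family not in SUPPORTED_FAMILIES[technology]:
        raise ValueError(
            f"{technology} is not available on the {family} machine family; "
            f"use one of {SUPPORTED_FAMILIES[technology]}")

    # Only AMD SEV on N2D supports live migration; every other technology
    # must terminate (and be restarted) on host maintenance.
    live_migration_ok = technology == "SEV" and family == "n2d"
    if allow_live_migration and not live_migration_ok:
        raise ValueError(f"{technology} on {family} does not support live migration")
    maintenance = "MIGRATE" if allow_live_migration else "TERMINATE"

    args = [
        "gcloud", "compute", "instances", "create", name,
        f"--zone={zone}",
        f"--machine-type={machine_type}",
        f"--confidential-compute-type={technology}",
        f"--maintenance-policy={maintenance}",
        f"--image-family={image_family}",
        f"--image-project={image_project}",
    ]
    args += EXTRA_FLAGS.get((technology, family), [])
    return args


def create_confidential_vm(*args, **kwargs):
    """Run the assembled command; requires an authenticated gcloud on PATH."""
    argv = confidential_vm_create_args(*args, **kwargs)
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Print the command instead of running it so the script is safe offline.
    print(shlex.join(confidential_vm_create_args(
        "cvm-snp-1", "us-central1-a", "SEV_SNP", "n2d-standard-4")))
```

The helper deliberately defaults to `--maintenance-policy=TERMINATE`: a VM whose maintenance policy silently falls back to migration would need a technology that supports it, and for SEV-SNP and TDX that is not the case.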
AMD SEV
AMD Secure Encrypted Virtualization (SEV) on Confidential VM offers hardware-based memory encryption through the AMD Secure Processor, and boot-time attestation through Google's vTPM.
AMD SEV offers high performance for demanding computational tasks. The performance difference between an SEV Confidential VM and a standard Compute Engine VM can range from nothing to minimal, depending on the workload.
Unlike the other Confidential Computing technologies on Confidential VM, AMD SEV on the N2D machine type supports live migration.
Read the AMD SEV whitepaper.
AMD SEV-SNP
AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) expands on SEV, adding hardware-based integrity protection to help prevent malicious hypervisor-based attacks such as data replay and memory remapping. Attestation reports can be requested at any time directly from the AMD Secure Processor.
Read the AMD SEV-SNP whitepaper.
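An attestation report is only useful if the relying party actually checks it, which is the "verify the identity and the state of the VM" point from the benefits list above and the on-demand report described in this section. The Python below is an added example, not code from this page, Google, or AMD: it parses the SEV-SNP ATTESTATION_REPORT layout from the SEV-SNP ABI specification and applies the checks a verifier must make before trusting a guest (the nonce it sent is bound into `report_data`, the guest policy does not allow debugging, the report came from VMPL 0, and the launch measurement is on an allow-list). Assumptions: the report is a constructed byte blob built by `build_sample_report`, not one obtained from hardware; hashing the nonce with SHA-512 into the 64-byte `report_data` field is a convention chosen here, not mandated by the ABI; and the ECDSA P-384 signature at offset 0x2A0, which a real verifier must check against the VCEK certificate chained to AMD's ASK/ARK, is not verified because that needs the certificate chain and is outside this example.

```python
"""Parse and check an AMD SEV-SNP attestation report (added example)."""
import hashlib
import struct

# Sizes and offsets from the SEV-SNP ABI spec, ATTESTATION_REPORT structure.
REPORT_SIZE = 0x4A0          # 0x2A0-byte signed body followed by a 0x200-byte signature
OFF_VERSION = 0x000          # u32
OFF_GUEST_SVN = 0x004        # u32
OFF_POLICY = 0x008           # u64 guest policy the VM was launched with
OFF_VMPL = 0x030             # u32 privilege level that requested the report
OFF_REPORT_DATA = 0x050      # 64 bytes chosen by the guest when requesting the report
OFF_MEASUREMENT = 0x090      # 48-byte launch digest of the initial guest memory
OFF_HOST_DATA = 0x0C0        # 32 bytes the host may supply at launch
OFF_REPORTED_TCB = 0x180     # u64
OFF_SIGNATURE = 0x2A0        # ECDSA P-384 signature over bytes [0, 0x2A0)

# Guest policy bits (GUEST_POLICY in the SEV-SNP ABI spec).
POLICY_SMT = 1 << 16
POLICY_RESERVED_ONE = 1 << 17  # reserved, must be 1
POLICY_MIGRATE_MA = 1 << 18    # migration agent permitted
POLICY_DEBUG = 1 << 19         # guest debugging permitted: never acceptable for production


def parse_report(blob: bytes) -> dict:
    """Split a raw report into its security-relevant fields."""
    if len(blob) != REPORT_SIZE:
        raise ValueError(f"report must be {REPORT_SIZE} bytes, got {len(blob)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", blob, OFF_VERSION)
    (vmpl,) = struct.unpack_from("<I", blob, OFF_VMPL)
    (reported_tcb,) = struct.unpack_from("<Q", blob, OFF_REPORTED_TCB)
    return {
        "version": version,
        "guest_svn": guest_svn,
        "policy": policy,
        "vmpl": vmpl,
        "report_data": blob[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],
        "measurement": blob[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],
        "host_data": blob[OFF_HOST_DATA:OFF_HOST_DATA + 32],
        "reported_tcb": reported_tcb,
        "signed_body": blob[:OFF_SIGNATURE],
        "signature": blob[OFF_SIGNATURE:],
    }


def verify_report(blob: bytes, nonce: bytes, allowed_measurements, min_version=2):
    """Return a list of problems; an empty list means the checks passed.

    Signature verification against the VCEK chain is deliberately omitted
    (see the lead-in); a production verifier must do it before anything else.
    """
    r = parse_report(blob)
    problems = []
    if r["version"] < min_version:
        problems.append(f"report version {r['version']} is below {min_version}")
    # Freshness: report_data must carry the challenge this verifier issued,
    # otherwise a replayed report from an earlier session would be accepted.
    if r["report_data"] != hashlib.sha512(nonce).digest():
        problems.append("report_data does not match the verifier's nonce (possible replay)")
    if not r["policy"] & POLICY_RESERVED_ONE:
        problems.append("policy reserved bit 17 is clear; malformed policy")
    if r["policy"] & POLICY_DEBUG:
        problems.append("guest policy allows debugging")
    # Reports from a higher VMPL could be requested by less trusted software
    # inside the guest; insist on the most privileged level.
    if r["vmpl"] != 0:
        problems.append(f"report requested from VMPL {r['vmpl']}, expected 0")
    if r["measurement"] not in set(allowed_measurements):
        problems.append("launch measurement is not on the allow-list")
    return problems


def build_sample_report(nonce: bytes, measurement: bytes, policy: int, vmpl: int = 0) -> bytes:
    """CONSTRUCTED test fixture: a version-2 report with the given fields and a zero
    signature. On a real guest the report comes from the /dev/sev-guest device
    (SNP_GET_REPORT ioctl), not from this function."""
    if len(measurement) != 48:
        raise ValueError("measurement must be 48 bytes")
    blob = bytearray(REPORT_SIZE)
    struct.pack_into("<IIQ", blob, OFF_VERSION, 2, 0, policy)
    struct.pack_into("<I", blob, OFF_VMPL, vmpl)
    blob[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = hashlib.sha512(nonce).digest()
    blob[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(blob)


if __name__ == "__main__":
    nonce = b"constructed-challenge-0001"          # constructed sample input
    known_measurement = bytes(range(48))           # constructed stand-in for a golden value
    policy = POLICY_RESERVED_ONE | POLICY_SMT
    print(verify_report(build_sample_report(nonce, known_measurement, policy), nonce, {known_measurement}))
    print(verify_report(build_sample_report(nonce, known_measurement, policy | POLICY_DEBUG), nonce, {known_measurement}))
```

The order of checks matters less than their completeness: a report with a valid signature but a stale `report_data`, a debug-enabled policy, or an unknown measurement attests a machine you should not release secrets to.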
Intel TDX
Intel Trust Domain Extensions (TDX) is a hardware-based TEE. TDX runs the VM as an isolated trust domain (TD), and uses hardware extensions for managing and encrypting the TD's memory.
Intel TDX augments defense of the TD against limited forms of attacks that use physical access to the platform memory, such as offline dynamic random access memory (DRAM) analysis and active attacks on DRAM interfaces. These attacks include capturing, modifying, relocating, splicing, and aliasing memory contents.
Read the Intel TDX whitepaper.
NVIDIA Confidential Computing
Confidential VM instances with NVIDIA Confidential Computing GPUs are ideal for running secure artificial intelligence (AI) and machine learning (ML) workloads.
NVIDIA Confidential Computing provides enhanced security for accelerated workloads. This feature enables Confidential VM instances to protect the confidentiality and integrity of data and code in use. The NVIDIA H100 Tensor Core GPUs extend the TEE from the CPU to the GPU, enabling confidential computing for accelerated workloads.
This implementation creates a hardware-based TEE that secures and isolates workloads running on a single H100 GPU, or on individual secured Multi-Instance GPU (MIG) partitions of it. The TEE establishes a secure channel between a Confidential VM instance and the attached GPU in confidential computing mode.
Read the NVIDIA H100 Tensor Core GPU Architecture whitepaper.
Confidential VM services
In addition to Compute Engine, the following Google Cloud services make use of Confidential VM:
Confidential Google Kubernetes Engine Nodes enforce the use of Confidential VM for all your GKE nodes.
Confidential Space uses Confidential VM to let parties share sensitive data with a mutually agreed-upon workload, while they retain confidentiality and ownership of that data.
Dataproc Confidential Compute features Dataproc clusters that use Confidential VM.
Dataflow Confidential VM features Dataflow worker Confidential VM instances.
What's next
Read about Confidential VM supported configurations.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.