Google Announced Confidential VMs

Recently, Google announced Confidential VMs beta.
 
Google said that Confidential VMs are a breakthrough technology that enables customers to encrypt their most sensitive data in the cloud while it’s being processed. Confidential computing will create possibilities that weren't feasible before. Organizations now will be able to cooperate, all while keeping their data private.
 
 
Source: Google
 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the CPU. Google said that it already employs a variety of isolation and sandboxing techniques as part of its cloud infrastructure to help make its multi-tenant architecture secure. Confidential VMs will take this to the next level by providing memory encryption so that you can further isolate your workloads in the cloud.
 
According to Google, Confidential VMs leverage 2nd Gen AMD EPYC™ CPUs with Secure Encrypted Virtualization (SEV) functionality. Data stays encrypted while it is used, indexed, queried, or trained on, and the encryption keys are generated in hardware, per VM, and are not exportable.
 
Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC processors. The AMD SEV feature gives Confidential VMs high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. These keys are created during VM creation by the AMD Secure Processor and reside solely within it, so they are inaccessible to Google and to any other VMs running on the host.
 
In addition to hardware-based inline memory encryption, Google has built Confidential VMs on top of Shielded VMs, which harden the OS image and verify the integrity of your firmware, kernel binaries, and drivers. The images that Google provides include Ubuntu 18.04, Ubuntu 20.04, Container-Optimized OS (COS v81) and RHEL 8.2.