Jump to Content
Security & Identity

Oh SNP! VMs get even more confidential

April 26, 2023
Joanna Young

Product Manager, Confidential Computing

Editor’s note: As of Jan 2024, Confidential VMs with AMD SEV-SNP are now available in public preview on general purpose N2D machines. 

A Confidential Virtual Machine (VM) is a type of Google Cloud Compute Engine VM that helps ensure your data and applications stay private and encrypted even while in use. Confidential VMs can help customers maintain control of their data in the public cloud, achieve cryptographic isolation in a multi-tenant environment, and add an additional layer of defense and data protection against cloud operators, admins, and insiders. 

At Google Cloud, we are always looking for ways to raise the security bar. Today at the RSA Conference in San Francisco, we’ve raised it again by adding more hardware-based security protections to Confidential VMs. New protections such as memory integrity and register state encryption have been built into our next generation Confidential VMs featuring AMD Infinity Guard technologies like Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) technology. We’re proud to announce that Confidential VMs with AMD SEV-SNP are now available in private preview on general purpose N2D machines.

Since June 2022, Confidential VMs have been generally available on general purpose N2D and compute optimized C2D machines with AMD EPYC™ processors backed by AMD SEV.

Regardless of what type (with AMD SEV or AMD SEV-SNP enabled) of Confidential VM you choose, all Confidential VMs help keep your data safely encrypted in memory, and elsewhere outside the CPU, while it is being processed - all without needing any code changes to applications. 

The underpinnings of Confidential VMs

Confidential VMs that utilize AMD SEV offer high performance for demanding computational tasks while keeping VM memory encrypted with a dedicated, per-VM instance key that is generated and managed by the processor. These cryptographic keys are generated by the processor during VM creation and reside solely within it, making them unavailable to Google, the hypervisor, other VMs running on the host, and even you, our customers.

Confidential VMs that utilize AMD SEV-SNP offer even more data security protections than Confidential VMs with AMD SEV enabled. Confidential VMs with AMD SEV-SNP enabled have the cryptographic isolation of Confidential VMs with AMD SEV but also have the encrypted register states of AMD SEV-ES. On top of that, Confidential VMs with AMD SEV-SNP enabled memory integrity protections to help prevent malicious hypervisor-based attacks like data replay and memory remapping. Building trust often requires verification, so Confidential VMs with AMD SEV-SNP offer hardware-rooted remote attestation. Attestation allows customers to attain assurances regarding their VM’s confidentiality and integrity. 

Attestation builds trust through verification

At Google Cloud, you own your data. We work hard to earn and maintain your trust through transparency. Confidential computing helps accomplish this by encrypting data in-use in a Trusted Execution Environment (TEE) with remote attestation for you to verify.

Remote attestation is a technique where a VM asserts its hardware and software configuration to another entity so that the other entity can determine the level of trust and integrity of a VM. In a Confidential VM, remote attestation is a method that allows a third-party entity (or a Google Cloud customer or Google Cloud) to verify the Confidential VM has not been tampered with. This is done by having the Confidential VM send an attestation report to a verifier, which then validates the report and ensures the integrity of the Confidential VM is in place. 

In Confidential VMs with AMD SEV-SNP enabled, customers can use remote attestation to cryptographically verify their VMs are running with confidentiality and integrity enabled before they interact with their VMs. While all Confidential VMs contain vTPMs that validate a VM’s integrity with Measured Boot, Confidential VMs with AMD SEV-SNP in addition offer attestation reports that are cryptographically signed by hardware and contain information about a VM’s firmware. These verifiable attestation reports around hardware, firmware, and software can help customers build the trust they need to bring highly sensitive and regulated workloads to the cloud.  

Choosing a Confidential VM

To help you choose between your Confidential VMs, here’s a comparison chart:


Confidential VM availability

Confidential VMs with AMD SEV are generally available in most regions and zones. You can create a Confidential VM anywhere general purpose N2D or compute optimized C2D machines are available. 

Confidential VMs with AMD SEV-SNP, which are in private preview, are currently available on general purpose N2D machines in us-central1. 

Getting started

Protect your sensitive data and workloads in the public cloud with the latest, easy-to-use security technology. Sign up for the private preview of Confidential VMs on general purpose N2D machines enabled with AMD SEV-SNP via this form today and learn more about AMD SEV-SNP in the AMD white paper.

Posted in