Quickstart: Creating a Confidential VM instance

This page guides you through setting up a new Confidential VM instance using the Google Cloud Console. To learn how to set up a new Confidential VM instance using gcloud or the Compute Engine API, see Creating a Confidential VM instance.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Compute Engine API.
  5. Enable Compute Engine API

Create the Confidential VM instance

  1. In the Cloud Console, go to the VM Instances page.

    Go to VM Instances

  2. Select Create instance.

  3. Click CPU platform and GPU to expand the section.

  4. Leave CPU Platform set to Automatic.

  5. Select the Confidential VM Service checkbox.

  6. A message appears letting you know which settings that will be changed if you enable the service. Click Enable.

The default OS boot disk changes to Ubuntu 18.04 LTS. To change the boot disk to a different OS, click Change to select one of the supported OSes for Confidential VM.

For the purposes of this quickstart, you can keep the remaining options at their default values or make any changes you might want. When you're done, click Create.

Connect to your instance

  1. In the Cloud Console, go to the VM Instances page.

    Go to VM Instances

  2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

You now have a terminal window for interacting with your Confidential VM instance.

Verify that AMD SEV is enabled

You can use dmesg logs to verify that AMD SEV is enabled. But, depending on the Linux distribution and other software installed on the guest, dmesg logs might be maintained differently. For definitive guidance about how to query dmesg logs, refer to the documentation for the Linux distribution.

On some Linux distributions, you might be able to verify that the newly created Confidential VM instance is using AMD SEV by running the following command after you've connected to the instance:

dmesg | grep SEV | head

If AMD SEV is enabled, you'll see a response like the following:

[    0.290272] AMD Secure Encrypted Virtualization (SEV) active

To learn how to obtain more detailed information about the state of the Confidential VM instance by examining Cloud Monitoring integrity validation events, see Validating Confidential VM instances using Cloud Monitoring.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this page, follow these steps.

  1. In the Cloud Console, go to the VM instances page.

    Go to VM instances

  2. Select the checkbox for the instance that you want to delete.
  3. To delete the instance, click More actions, click Delete, and then follow the instructions.

What's next