A Confidential VM is a Compute Engine VM that uses an N2D, C2D, c3-standard-* (Preview), or C3D (Preview) machine type and keeps your sensitive code and other data encrypted in memory during processing, that is, it performs encryption-in-use. Together with encryption-at-rest and encryption-in-transit, Confidential VM can help keep your data and applications encrypted at all times.
For a more detailed conceptual overview, see Confidential VM overview.
To get started using Confidential VM, try the quickstart or see Create a Confidential VM instance.
You can manage your Confidential VMs in the following ways:
You can use organization policy constraints to ensure that instances created in your organization are Confidential VMs.
You can use Cloud Monitoring and Cloud Logging to monitor and validate your Confidential VM instances.
You can use shared Virtual Private Cloud (VPC) networks, organization policy constraints, and firewall rules to set up a security perimeter that ensures your Confidential VM instances can only interact with other Confidential VM instances.
For enhanced block storage security with Confidential VM, you can use Confidential mode for Hyperdisk Balanced. We recommend that you use Cloud HSM to protect the key that you use for Confidential mode for Hyperdisk Balanced. Because Cloud HSM uses Cloud Key Management Service as its frontend, you can use all the features that Cloud KMS provides.
Confidential mode for Hyperdisk Balanced adds another layer of security by enabling hardware-based encryption of disk data. Hyperdisk volumes in Confidential mode use Cloud HSM and trusted execution environments (TEEs) to provide additional cryptographic isolation. For more information about TEEs, see Trusted Execution Environment Explainer.
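The validation described above (checking that instances really are Confidential VMs and that their boot disks use Confidential mode for Hyperdisk Balanced with a Cloud KMS key) is easy to script once you have the instance and disk resources in hand. The following is an added example, not code from this page or from Google Cloud: it audits resources in the shape returned by `gcloud compute instances describe NAME --zone ZONE --format=json` and `gcloud compute disks describe NAME --zone ZONE --format=json`. The sample resources, project name `p`, disk names and key name are constructed for illustration; the field names (`confidentialInstanceConfig.enableConfidentialCompute`, `machineType`, `disks[].source`, `enableConfidentialCompute` and `diskEncryptionKey.kmsKeyName` on the disk) are the Compute Engine API's.

```python
"""Offline audit of Compute Engine resources for Confidential VM compliance.

Added example; the JSON below is constructed to mirror `gcloud ... describe
--format=json` output and is not data from a real project.
"""
import json

# Machine-type families the page lists as Confidential VM capable
# (c3-standard-* and C3D are in Preview at the time of writing).
CONFIDENTIAL_FAMILIES = ("n2d", "c2d", "c3", "c3d")

# Constructed sample instances: one compliant, one ordinary N2 VM.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "cvm-ok",
    "machineType": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/machineTypes/n2d-standard-2",
    "confidentialInstanceConfig": {"enableConfidentialCompute": true},
    "disks": [{"boot": true, "source": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/disks/cvm-ok-boot"}]
  },
  {
    "name": "plain-vm",
    "machineType": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/machineTypes/n2-standard-2",
    "disks": [{"boot": true, "source": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/disks/plain-vm-boot"}]
  }
]
"""

# Constructed sample disks referenced by the instances above.
SAMPLE_DISKS_JSON = """
[
  {
    "name": "cvm-ok-boot",
    "type": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/diskTypes/hyperdisk-balanced",
    "enableConfidentialCompute": true,
    "diskEncryptionKey": {"kmsKeyName": "projects/p/locations/us-central1/keyRings/cvm/cryptoKeys/hyperdisk"}
  },
  {
    "name": "plain-vm-boot",
    "type": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a/diskTypes/pd-balanced"
  }
]
"""


def resource_name(url: str) -> str:
    """Last path segment of a Compute Engine resource URL (or '' if empty)."""
    return url.rsplit("/", 1)[-1]


def machine_family(machine_type_url: str) -> str:
    """'n2d' from .../machineTypes/n2d-standard-2."""
    return resource_name(machine_type_url).split("-", 1)[0].lower()


def audit_instance(inst: dict, disks_by_name: dict) -> list:
    """Return a list of findings for one instance; an empty list means compliant."""
    findings = []
    cfg = inst.get("confidentialInstanceConfig") or {}
    if not cfg.get("enableConfidentialCompute"):
        findings.append("confidential compute is not enabled")
    fam = machine_family(inst.get("machineType", ""))
    if fam not in CONFIDENTIAL_FAMILIES:
        findings.append(f"machine family '{fam}' is not Confidential VM capable")
    for attached in inst.get("disks", []):
        if not attached.get("boot"):
            continue
        disk = disks_by_name.get(resource_name(attached.get("source", "")), {})
        if (resource_name(disk.get("type", "")) != "hyperdisk-balanced"
                or not disk.get("enableConfidentialCompute")):
            findings.append("boot disk is not Hyperdisk Balanced in Confidential mode")
        # The instance and disk resources only carry the key *name*. Whether that
        # key lives in Cloud HSM is a property of its key versions
        # (protectionLevel: HSM), so that must be checked separately via Cloud KMS.
        if not (disk.get("diskEncryptionKey") or {}).get("kmsKeyName"):
            findings.append("boot disk has no customer-managed Cloud KMS key")
    return findings


def audit(instances_json: str, disks_json: str) -> dict:
    """Map instance name -> findings for every instance in the input."""
    disks_by_name = {d["name"]: d for d in json.loads(disks_json)}
    return {i["name"]: audit_instance(i, disks_by_name)
            for i in json.loads(instances_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSTANCES_JSON, SAMPLE_DISKS_JSON).items():
        print(name, "OK" if not findings else findings)
```

To run this against a real project, replace the two sample strings with the output of `gcloud compute instances list --format=json` and `gcloud compute disks list --format=json`. Treat the result as a detective control that complements, rather than replaces, the preventive organization policy constraint: the constraint stops non-confidential instances from being created, while the audit catches drift such as a boot disk recreated without Confidential mode or without a customer-managed key.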