Modifying Shielded VM Options

Use this topic to learn how to modify Shielded VM options on a VM instance. To see what images support Shielded VM features, see Images.

On a Shielded VM instance, the Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring options are enabled by default. You can modify the instance if you later decide to disable one or more of these features. You must stop the VM instance before modifying the Shielded VM options.

You must have the updateShieldedVmConfig permission to be able to update the Shielded VM settings.

Before you begin

Modifying Shielded VM options on a VM instance

Use the following procedure to modify Shielded VM options on an instance:

GCP console

  1. Go to the VM instances page.
  2. Click the instance name to open the VM instance details page.
  3. Click Stop to stop the instance.
  4. When the instance has stopped, click Edit.
  5. In the Shielded VM section, take one or more of the following actions:

    • Toggle Turn on Secure Boot to enable or disable Secure Boot. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure Boot.
    • Toggle Turn on vTPM to enable or disable the virtual trusted platform module (vTPM). Enabling the vTPM also enables Measured Boot, which validates the pre-boot and boot integrity of the VM. For more information, see Virtual Trusted Platform Module (vTPM).
    • Toggle Turn on Integrity Monitoring to enable or disable integrity monitoring. Integrity monitoring lets you monitor and verify the runtime boot integrity of your Shielded VM instances by using Stackdriver. For more information, see Integrity monitoring.
  6. Click the Save button to modify the instance.
  7. Click Start to restart the instance.

gcloud

  1. Change the instance's Shielded VM options using one of the following flags:

    • --[no-]shielded-vm-secure-boot: Enable or disable Secure Boot. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure Boot.
    • --[no-]shielded-vm-vtpm: Enable or disable the vTPM. Enabling the vTPM also enables Measured Boot, which validates the pre-boot and boot integrity of the VM. For more information, see Virtual Trusted Platform Module (vTPM).
    • --[no-]shielded-vm-integrity-monitoring: Enable or disable integrity monitoring. Integrity monitoring lets you monitor and verify the runtime boot integrity of your Shielded VM instances using Stackdriver reports. For more information, see Integrity monitoring.

    The following example updates the my-instance VM instance to disable the vTPM:

    gcloud compute instances stop my-instance
    gcloud beta compute instances update my-instance --no-shielded-vm-vtpm
    gcloud compute instances start my-instance

API

  1. To enable or disable Shielded VM options using the REST API, make a PATCH call to the following URL:

    PATCH https://www.googleapis.com/compute/alpha/projects/<project>/zones/<zone>/instances/<instance>/updateShieldedVmConfig

    You must make a POST https://www.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{resourceId}/stop call before you change Shielded VM options, and a POST https://www.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances/{resourceId}/start call afterwards.

  2. Specify the Shielded VM options to enable or disable using the following boolean request body items:

    • enableSecureBoot: Enable or disable Secure Boot. Secure Boot helps protect your VM instances against boot-level and kernel-level malware and rootkits. For more information, see Secure Boot.
    • enableVtpm: Enable or disable the vTPM. Enabling the vTPM also enables Measured Boot, which validates the pre-boot and boot integrity of the VM. For more information, see Virtual Trusted Platform Module (vTPM).
    • enableIntegrityMonitoring: Enable or disable integrity monitoring. Integrity monitoring lets you monitor and verify the runtime boot integrity of your Shielded VM instances using Stackdriver reports. For more information, see Integrity monitoring.

    The following example updates a VM instance to disable Secure Boot and enable integrity monitoring:

    PATCH https://www.googleapis.com/compute/beta/projects/my-project/zones/us-central1-b/instances/my-instance/updateShieldedVmConfig?key={YOUR_API_KEY}
    {
      "enableSecureBoot": false,
      "enableIntegrityMonitoring": true
    }
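The following script is an added example for both the gcloud and the API procedures above; it is not Google's code and not part of the original page. It builds the updateShieldedVmConfig PATCH request from the three boolean body items the page lists, rejecting any other key so a misspelled option cannot silently leave a protection unchanged, emits the equivalent `gcloud beta compute instances update` command with the `--[no-]shielded-vm-*` flags, runs the required stop / PATCH / start sequence against the v1 and beta endpoints from the page, and reports which protections a change would turn off. It assumes the caller already holds an OAuth2 bearer token (the page's `key={YOUR_API_KEY}` query parameter is not used here), that the stop and start calls return zone operations that can be polled at the standard `zones/{zone}/operations/{operation}` URL, and that the standard-library `urllib` is acceptable for the HTTP calls.

```python
"""Helpers for the Shielded VM option update procedure (added example)."""
import json
import time
import urllib.request
from typing import Dict, List, Tuple

API_BASE = "https://www.googleapis.com/compute"

# The three boolean request-body items named on the page.
SHIELDED_KEYS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# API key -> gcloud flag stem (the --[no-]shielded-vm-* flags on the page).
GCLOUD_FLAGS = {
    "enableSecureBoot": "shielded-vm-secure-boot",
    "enableVtpm": "shielded-vm-vtpm",
    "enableIntegrityMonitoring": "shielded-vm-integrity-monitoring",
}


def build_update_request(project: str, zone: str, instance: str,
                         options: Dict[str, bool],
                         version: str = "beta") -> Tuple[str, str]:
    """Return (url, json_body) for the updateShieldedVmConfig PATCH.

    Unknown keys and non-boolean values are rejected before anything is sent,
    so a typo such as "enableSecureboot" fails loudly instead of being ignored.
    """
    unknown = [k for k in options if k not in SHIELDED_KEYS]
    if unknown:
        raise ValueError(f"unknown Shielded VM option(s): {unknown}")
    if not all(isinstance(v, bool) for v in options.values()):
        raise TypeError("Shielded VM options must be booleans")
    url = (f"{API_BASE}/{version}/projects/{project}/zones/{zone}"
           f"/instances/{instance}/updateShieldedVmConfig")
    return url, json.dumps(options, sort_keys=True)


def gcloud_update_command(instance: str, options: Dict[str, bool]) -> List[str]:
    """Build the equivalent gcloud argv using the flags listed on the page."""
    argv = ["gcloud", "beta", "compute", "instances", "update", instance]
    for key, flag in GCLOUD_FLAGS.items():
        if key in options:
            argv.append(f"--{flag}" if options[key] else f"--no-{flag}")
    return argv


def weakened_protections(current: Dict[str, bool],
                         requested: Dict[str, bool]) -> List[str]:
    """List options the change turns from enabled to disabled.

    Useful as a review gate: disabling Secure Boot, the vTPM or integrity
    monitoring should be a deliberate, recorded decision, not a side effect.
    """
    return [k for k in SHIELDED_KEYS
            if current.get(k) is True and requested.get(k) is False]


def _call(method: str, url: str, token: str, body: str = "") -> dict:
    """Minimal authenticated JSON call with a bearer token (assumption)."""
    req = urllib.request.Request(url, data=body.encode() or None, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def _wait(project: str, zone: str, op: dict, token: str) -> None:
    """Poll a zone operation until it is DONE (stop/start are asynchronous)."""
    url = f"{API_BASE}/v1/projects/{project}/zones/{zone}/operations/{op['name']}"
    while op.get("status") != "DONE":
        time.sleep(2)
        op = _call("GET", url, token)
    if op.get("error"):
        raise RuntimeError(f"operation failed: {op['error']}")


def update_shielded_config(project: str, zone: str, instance: str,
                           options: Dict[str, bool], token: str) -> dict:
    """Stop the instance, PATCH its Shielded VM options, then start it again,
    in the order the page requires. Returns the PATCH response."""
    base = f"{API_BASE}/v1/projects/{project}/zones/{zone}/instances/{instance}"
    _wait(project, zone, _call("POST", f"{base}/stop", token), token)
    url, body = build_update_request(project, zone, instance, options)
    result = _call("PATCH", url, token, body)
    _wait(project, zone, _call("POST", f"{base}/start", token), token)
    return result
```

Call `weakened_protections` against the instance's current settings before `update_shielded_config`, and refuse or log the change when the list is non-empty; the default-on state of all three options is the protected baseline, so anything that lowers it deserves the same review as any other reduction in the VM's security posture.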

What's next
