Shielded VMs beta

Hardened virtual machines on Google Cloud Platform.

Overview

Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and bootkits. Using Shielded VMs helps protect enterprise workloads from threats like remote attacks, privilege escalation, and malicious insiders. Shielded VMs leverage advanced platform security capabilities such as secure and measured boot, a virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring.

Quickly protect VMs against advanced threats

In just a few clicks, you can enable Shielded VMs to help protect against threats such as malicious project insiders, malicious guest firmware, and kernel- or user-mode vulnerabilities.

Ensure workloads are trusted and verifiable

Shielded VMs help protect your virtual machines against rootkits and boot- and kernel-level malware with secure and measured boot capabilities. Using a vTPM, Shielded VMs provide a virtual root-of-trust to verify VM identity and ensure they’re part of your specified project and region.

Help protect secrets against exfiltration and replay

Using Shielded VMs, secrets generated or protected by a vTPM are sealed to a VM and only revealed once integrity is verified.

Shielded VMs features

Verifiable integrity with secure and measured boot

Secure boot helps prevent malicious code from being loaded early in the boot sequence. Measured boot records the integrity of the bootloader, kernel, and boot drivers so that malicious modifications to the VM can be detected.

vTPM exfiltration resistance

Validate your guest VM pre-boot and boot integrity using vTPM technology, which is compatible with the Trusted Computing Group TPM 2.0 specifications and is FIPS 140-2 L1 verified. A vTPM generates and securely stores encryption keys and other sensitive data for guest operating systems.

Trusted UEFI firmware

Trusted firmware is based on Unified Extensible Firmware Interface (UEFI) 2.3.1, which replaces legacy BIOS sub-systems and enables the UEFI Secure Boot capability.

Tamper-evident attestations

Gain insight into the integrity state of Shielded VMs with tamper-evident attestation claims available in Stackdriver Logging and Monitoring. These integrity measurements help identify changes between the “healthy” baseline of your VM and its current runtime state.
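A toy model of the measured boot, healthy-baseline comparison and vTPM sealing described in the sections above (an added example, not Google's or the Shielded VM implementation's code: the PCR extend rule follows TPM 2.0, while the seal/unseal construction, the key label and the boot-stage images are simplified and constructed for illustration):

```python
"""Toy model of measured boot, integrity baselining and sealing to a PCR value.
Constructed example. Real vTPMs use TPM 2.0 policy sessions and the storage
hierarchy for sealing; only the PCR extend rule below matches the spec."""
import hashlib
import hmac

PCR_INIT = bytes(32)  # PCRs reset to all-zero at power-on
SEAL_LABEL = b"shielded-vm-seal-key"  # constructed label, not a real TPM value


def extend_pcr(pcr: bytes, image: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_boot(stages) -> bytes:
    """Measured boot: each stage (firmware, bootloader, kernel, drivers) is hashed
    into the PCR before it runs, so replacing or reordering any stage changes
    the final value and cannot be undone from inside the guest."""
    pcr = PCR_INIT
    for image in stages:
        pcr = extend_pcr(pcr, image)
    return pcr


def seal(secret: bytes, pcr: bytes) -> bytes:
    """Seal a secret (<= 32 bytes) to a PCR value: keystream and MAC are derived
    from the PCR, so the blob only unseals on a VM reproducing those measurements."""
    key = hmac.new(pcr, SEAL_LABEL, hashlib.sha256).digest()
    stream = hashlib.sha256(key + b"stream").digest()
    body = bytes(a ^ b for a, b in zip(secret, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(blob: bytes, pcr: bytes):
    """Return the secret, or None when the current PCR differs from the sealing PCR."""
    body, tag = blob[:-32], blob[-32:]
    key = hmac.new(pcr, SEAL_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(a ^ b for a, b in zip(body, stream))


def integrity_check(baseline_pcr: bytes, current_pcr: bytes) -> bool:
    """Integrity monitoring: does this boot match the learned healthy baseline?"""
    return hmac.compare_digest(baseline_pcr, current_pcr)


# Constructed stand-ins for real boot images; the tampered chain swaps the kernel.
HEALTHY_BOOT = [b"uefi-firmware-2.3.1", b"shim+grub", b"vmlinuz", b"boot-drivers"]
TAMPERED_BOOT = [b"uefi-firmware-2.3.1", b"shim+grub", b"vmlinuz+bootkit", b"boot-drivers"]
baseline = measure_boot(HEALTHY_BOOT)  # baseline learned on a known-good boot
blob = seal(b"db-password", baseline)  # secret sealed to that baseline
```

A tampered kernel changes the PCR, so the integrity check fails and the sealed secret is not released, which is the behaviour the attestation log would surface.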

Live migration and patching

Keep your virtual machine instances running even when a host system event occurs, such as a software or hardware update.

Shielded VMs pricing

There is no separate charge for using Shielded VMs.

Resources and integrations

Try tutorials, launch quickstarts, and explore reviews.

Shielded VMs documentation

Google infrastructure security design

Google Infrastructure Security Design Overview

Titan Chip in-depth

This product is in beta. For more information on our product launch stages, see here.