Table of contents
1.
Introduction
2.
Creating a Confidential VM instance
2.1.
Considerations
2.2.
Before you Start
2.3.
Create a Confidential VM instance
2.4.
Enabling higher network bandwidth for C2D machine types
2.5.
Verify AMD SEV is enabled
2.6.
Verify the identity token of a Confidential VM
3.
Defining a perimeter for Confidential VM instances
3.1.
Before you Start
3.2.
Create a Confidential VM perimeter
3.3.
Enforce the perimeter
4.
Frequently Asked Questions
4.1.
What is a confidential VM?
4.2.
What is a confidential computing service?
4.3.
Why do we need confidential computing?
5.
Conclusion
Last Updated: Mar 27, 2024

About Confidential VM

Author Sanjana Yadav

Introduction

Google Cloud's Confidential Virtual Machine (Confidential VM) service runs Compute Engine VMs with their memory encrypted by the CPU (AMD Secure Encrypted Virtualization, SEV), using keys held by the AMD Secure Processor that the hypervisor and the host operator cannot read. This protects data while it is in use against unauthorized access from outside the VM, so a Confidential VM is trustworthy under threat models where an ordinary VM is not, and can be used for sensitive workloads.

[Figure: flow chart of a Confidential VM]

Let us understand these Confidential VMs in depth.

Creating a Confidential VM instance

Considerations

Before you Start

  1. Create an account if you're new to Google Cloud to see how Google Cloud products work in real-world scenarios. New customers receive $300 in free credits to run, test, and deploy workloads.
  2. Select or create a Google Cloud project through the Google Cloud console's project picker page.
  3. Check that billing for your Cloud project is enabled.
  4. Enable the Compute Engine API.

Create a Confidential VM instance

Complete the following steps to establish a Confidential VM.

  1. Navigate to the VM Instances page in the console.
  2. Choose Create instance.
  3. Check the Confidential VM Service box.
  4. In the Enable Confidential Computing service window, review the settings that enabling the service changes. The following fields are reset if their current values are incompatible with Confidential VM:
    • Series and Machine type (must be a series that supports Confidential VM).
    • Region and zone (must offer that series).
    • Boot disk image (must be an image that supports Confidential VM).
    • On host maintenance (whether the VM is migrated or stopped during host maintenance).
    • Network interface card.
  5. Click Enable.
  6. (Optional) Use the AMD EPYC Milan processor:
    • In the Machine configuration section, expand CPU platform and GPU.
    • Under CPU platform, select AMD Milan or later.
  7. Check that you are OK with these options, then click Create.

You're taken back to the VM instances page, where you may check the status and information of your new instance. When you see a green checkmark next to Status, your new Confidential VM is ready to use.

Enabling higher network bandwidth for C2D machine types

High-bandwidth networking is supported by the three largest C2D Compute Engine VM shapes (32, 56 and 112 vCPUs). When you choose a Tier 1 network performance configuration, the default egress bandwidth of 32 Gbps is raised to 50 Gbps for the 32 vCPU shape and 100 Gbps for the 56 and 112 vCPU shapes. The instance must use the gVNIC virtual network interface (nic-type GVNIC) to reach Tier 1 bandwidth.
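The console steps in the two sections above, carried out with the gcloud CLI instead, as an added example that is not part of the original article. The machine-type and Tier 1 checks implement the compatibility rules the article describes; the instance name (conf-vm-1), zone, image family, and the restriction of the series list to the N2D and C2D families named in the article are assumptions. The script only prints the command unless invoked with --run on a machine where gcloud is installed and authenticated.

```shell
#!/bin/sh
# Added example (not from the original article): create a Confidential VM with gcloud,
# with a preflight check for the fields the console rewrites when they are incompatible.
# Assumptions: gcloud is installed and authenticated; the instance name, zone and image
# are placeholders; the series list is limited to the N2D and C2D families the article names.
set -eu

# Machine series the article treats as Confidential VM capable (assumption: N2D and C2D only).
is_confidential_machine_type() {
  case "$1" in
    n2d-*|c2d-*) return 0 ;;
    *) return 1 ;;
  esac
}

# C2D shapes the article says support Tier 1 networking (32, 56 and 112 vCPUs).
supports_tier1() {
  case "$1" in
    c2d-*-32|c2d-*-56|c2d-*-112) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the gcloud arguments one per line, or fail with a message on stderr.
# $1 instance name, $2 zone, $3 machine type, $4 "tier1" to request Tier 1 bandwidth.
confidential_vm_create_args() {
  name="$1"; zone="$2"; machine_type="$3"; tier="${4:-default}"
  if ! is_confidential_machine_type "$machine_type"; then
    echo "machine type $machine_type is not in a Confidential VM series" >&2
    return 1
  fi
  if [ "$tier" = tier1 ] && ! supports_tier1 "$machine_type"; then
    echo "machine type $machine_type does not support Tier 1 networking" >&2
    return 1
  fi
  printf '%s\n' compute instances create "$name" \
    "--zone=$zone" \
    "--machine-type=$machine_type" \
    --confidential-compute \
    --maintenance-policy=TERMINATE \
    "--min-cpu-platform=AMD Milan" \
    --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud \
    --shielded-secure-boot --shielded-vtpm \
    --network-interface=nic-type=GVNIC
  if [ "$tier" = tier1 ]; then
    printf '%s\n' --network-performance-configs=total-egress-bandwidth-tier=TIER_1
  fi
}

# With --run, rebuild the argument list as positional parameters and execute gcloud;
# otherwise only show the command that would run.
if [ "${1:-}" = --run ]; then
  args=$(confidential_vm_create_args conf-vm-1 us-central1-a c2d-standard-32 tier1)
  set --
  while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$args
EOF
  gcloud "$@"
else
  echo "gcloud $(confidential_vm_create_args conf-vm-1 us-central1-a c2d-standard-32 tier1 | tr '\n' ' ')"
fi
```

The preflight functions fail closed: a machine type outside the N2D/C2D families, or a Tier 1 request on a C2D shape smaller than 32 vCPUs, stops the script before gcloud is called, which is the scripted equivalent of the console silently resetting incompatible fields.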

Verify AMD SEV is enabled

To confirm that AMD SEV is active for your VM, log in to the instance and inspect the kernel log (dmesg) as follows.

  1. Navigate to the VM Instances page in the console.
  2. Locate the row for your new Confidential VM instance in the table on the Instances page.
  3. Click SSH in the same row to open a terminal window for dealing with your Confidential VM instance.
  4. In the terminal window, run the following command to check whether the guest kernel reports AMD SEV:
    dmesg | grep SEV | head

You should get a line indicating that AMD Secure Encrypted Virtualization (SEV) is active. Note that this check is self-reported by the guest kernel, and the dmesg ring buffer can be overwritten on a long-running instance (use journalctl -k to read the boot log in that case); the authoritative proof that a VM is confidential is the signed identity token described in the next section.
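The dmesg check above turned into a function, as an added example that is not part of the original article. It reports which SEV feature set the guest kernel says is active and distinguishes the older and newer wording of the kernel message. The dmesg excerpts in the script are constructed to mimic real boot messages and were not captured from a Google Cloud instance.

```shell
#!/bin/sh
# Added example, not from the original article: decide from kernel boot messages which
# AMD SEV feature set the guest reports. The sample dmesg excerpts below are constructed.
set -eu

# Read kernel messages on stdin and print SEV-SNP, SEV-ES or SEV (the strongest feature
# found); print "none" and return 1 if no SEV feature is reported.
sev_level() {
  # Matches both the older "AMD Memory Encryption Features active: SEV" wording and the
  # newer "Memory Encryption Features active: AMD SEV SEV-ES" wording.
  line=$(grep -E 'Memory Encryption Features active:.*SEV' | head -n 1 || true)
  case "$line" in
    *SEV-SNP*) echo SEV-SNP ;;
    *SEV-ES*)  echo SEV-ES ;;
    *SEV*)     echo SEV ;;
    *)         echo none; return 1 ;;
  esac
}

# Constructed sample: a Confidential VM guest on an older kernel, plain SEV.
SAMPLE_SEV='[    0.000000] Linux version 5.15.0-1000-gcp (buildd@host) ...
[    0.000000] AMD Memory Encryption Features active: SEV
[    0.010000] kvm-guest: KVM setup pv remote TLB flush'

# Constructed sample: a newer kernel reporting SEV together with SEV-ES.
SAMPLE_SEV_ES='[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES'

# Constructed sample: an ordinary guest; no memory encryption line at all.
SAMPLE_NONE='[    0.000000] Linux version 5.15.0-1000-gcp (buildd@host) ...
[    0.010000] kvm-guest: KVM setup pv remote TLB flush'

# Check the running system. dmesg may be restricted to root (kernel.dmesg_restrict),
# and its ring buffer can rotate, so fall back to the boot journal.
check_running_system() {
  if level=$( { dmesg 2>/dev/null || journalctl -k 2>/dev/null; } | sev_level); then
    echo "AMD SEV active: $level"
  else
    echo "no SEV feature reported by the guest kernel" >&2
    return 1
  fi
}

# Offline demonstration on the constructed samples.
echo "sample SEV guest:    $(printf '%s\n' "$SAMPLE_SEV" | sev_level)"
echo "sample SEV-ES guest: $(printf '%s\n' "$SAMPLE_SEV_ES" | sev_level)"
echo "sample plain guest:  $(printf '%s\n' "$SAMPLE_NONE" | sev_level || true)"
```

Run check_running_system on the instance itself; the sample-based calls at the bottom run anywhere. A "none" result on a VM you expected to be confidential usually means the image's kernel is not SEV-aware or the instance was created without the Confidential VM service.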

Verify the identity token of a Confidential VM

Before a relying party sends sensitive data to the instance, it can ask the VM for its unique identity token, which the VM obtains from the metadata server (requesting format=full and an audience chosen by the relying party). The token is a JWT signed by Google and contains instance-specific information such as the instance ID, creation time, and the license codes of the instance's image. It also carries a claim that shows whether the VM is a Confidential VM: for a Confidential VM, the instance_confidentiality claim (under google.compute_engine) has the value 1. The relying party must verify the token's signature against Google's published public keys and check that the audience matches before trusting this or any other claim.
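The token check described above, as an added example that is not part of the original article or of Google's own code. It fetches a full-format token from the metadata server (only possible on a Compute Engine VM) and checks the audience and the instance_confidentiality claim; the audience string is a placeholder, the claim layout under google.compute_engine is assumed from the text above, and the sample token built for the offline check is constructed and unsigned. Signature verification against Google's published keys is deliberately left to a JWT library and must be done before any claim is trusted.

```shell
#!/bin/sh
# Added example, not from the original article: fetch the VM identity token and check the
# instance_confidentiality claim. Assumptions: format=full token layout with the claim under
# google.compute_engine; placeholder audience; the sample token is constructed and NOT signed.
# A real relying party must verify the RS256 signature against Google's public keys first.
set -eu

METADATA_URL='http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity'
SAMPLE_AUDIENCE='https://relying-party.example.com'   # placeholder chosen by the relying party

# Request a full-format token for a given audience (only works on a Compute Engine VM).
fetch_identity_token() {
  curl -sf -H 'Metadata-Flavor: Google' "${METADATA_URL}?audience=$1&format=full"
}

# Decode base64url from stdin: swap the URL-safe alphabet and restore the padding.
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Encode stdin as unpadded base64url (used only to build the constructed sample token).
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Print the JWT payload (second dot-separated segment) of the token on stdin as JSON.
jwt_payload() { cut -d. -f2 | b64url_decode; }

# Print the string or numeric value of the named claim from compact JSON on stdin.
claim_value() {
  grep -Eo "\"$1\"[[:space:]]*:[[:space:]]*(\"[^\"]*\"|[0-9]+)" | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/^"//' -e 's/"$//'
}

# Succeed only if the token ($1) is for audience $2 and instance_confidentiality is 1.
token_is_confidential() {
  payload=$(printf '%s' "$1" | jwt_payload) || return 1
  [ "$(printf '%s' "$payload" | claim_value aud)" = "$2" ] || return 1
  [ "$(printf '%s' "$payload" | claim_value instance_confidentiality)" = 1 ]
}

# Build a constructed, unsigned sample token: $1 audience, $2 instance_confidentiality value.
make_sample_token() {
  header=$(printf '%s' '{"alg":"RS256","kid":"constructed","typ":"JWT"}' | b64url_encode)
  payload=$(printf '%s' "{\"aud\":\"$1\",\"iss\":\"https://accounts.google.com\",\"google\":{\"compute_engine\":{\"instance_id\":\"1234567890\",\"instance_confidentiality\":$2,\"zone\":\"us-central1-a\"}}}" | b64url_encode)
  printf '%s.%s.%s' "$header" "$payload" "not-a-real-signature"
}

# Offline demonstration on the constructed token.
tok=$(make_sample_token "$SAMPLE_AUDIENCE" 1)
if token_is_confidential "$tok" "$SAMPLE_AUDIENCE"; then
  echo "constructed token claims a Confidential VM for audience $SAMPLE_AUDIENCE"
fi
```

On a real instance, pipe fetch_identity_token "$SAMPLE_AUDIENCE" into the same checks. The audience check matters as much as the confidentiality claim: a token minted for another relying party must not be accepted even if it says instance_confidentiality is 1.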

Defining a perimeter for Confidential VM instances

Before you Start

The following administrative roles are required to set up a security perimeter:

  • Organization Admin (resourcemanager.organizationAdmin)
  • Shared VPC Admin (compute.xpnAdmin and resourcemanager.projectIamAdmin)
  • Service Project Admin (compute.networkUser)

Create a Confidential VM perimeter

Do the following to create a security perimeter around your Confidential VM instances:

  1. Create a folder named confidential-perimeter under the organization; this folder is your Confidential VM perimeter.
  2. Inside that folder, create a Shared VPC host project that defines the network of the Confidential Computing perimeter.

Once you have created the host project, grant your networking team access to it.

Enforce the perimeter

Apply the following organization policy constraints to the confidential-perimeter folder, with the values listed, so that service projects cannot let non-Confidential VM instances communicate with resources inside the perimeter:

[Table: Constraint | Set to | Description]

Frequently Asked Questions

What is a confidential VM?

A Confidential VM is a Compute Engine VM that keeps your data and applications encrypted and protected while they are in use. You can use a Confidential VM as part of your security strategy to prevent sensitive data or workloads from being exposed during processing.

What is a confidential computing service?

Confidential computing means processing data while it stays encrypted in memory, to limit who can access it and to protect data in use. The term is promoted by the Confidential Computing Consortium, a group of organizations working on technologies that enable this kind of data protection.

Why do we need confidential computing?

Confidential computing closes the remaining gap in end-to-end encryption: data is already encrypted at rest and in transit, and confidential computing protects it while it is being processed. Cloud customers keep more control over their data and computation at every stage, which improves transparency and user confidence.

Conclusion

In this article, we have extensively discussed Confidential VM and confidential computing. Our discussion mainly focused on creating and defining a Confidential VM instance.

We hope this blog has helped you enhance your Google Cloud knowledge. To learn more about Google Cloud concepts, refer to our article All about GCP Certifications: Google Cloud Platform | Coding Ninjas Blog.
