Google Cloud Confidential VM With 2nd Gen AMD EPYC!

Google recently introduced Confidential Computing, with Confidential VM as the first product, and it’s powered by 2nd Gen AMD EPYC!

Here’s an overview of Confidential Computing and Confidential VM, and how they leverage the 2nd Gen AMD EPYC processor!

 

Google Cloud Confidential Computing : What Is It?

Google Cloud encrypts customer data while it’s “at-rest” and “in-transit“. But that data must be decrypted because it can be processed.

Confidential Computing addresses that problem by encrypting data in-use – while it’s being processed. This ensures that data is kept encrypted while in memory and outside the CPU.

 

Google Cloud Confidential VM, Powered By 2nd Gen AMD EPYC

The first product that Google is unveiling under its Confidential Computing portfolio is Confidential VM, now in beta.

Confidential VM basically adds memory encryption to the existing suite of isolation and sandboxing techniques Google Cloud uses to keep their virtual machines secure and isolated.

This will help customers, especially those in regulated industries, to better protect sensitive data by further isolating their workloads in the cloud.

Google Cloud Confidential VM : Key Features

Powered By 2nd Gen AMD EPYC

Google Cloud Confidential VM runs on N2D series virtual machines powered by the 2nd Gen AMD EPYC processors.

It leverages the Secure Encrypted Virtualisation (SEV) feature in 2nd Gen AMD EPYC processors to keep VM memory encrypted with a dedicated per-VM instance key.

These keys are generated and managed by the AMD Secure Processor inside the EPYC processor, during VM creation and reside only inside the VM – making them inaccessible to Google, or any other virtual machines running on the host.

Your data will stay encrypted while it’s being used, indexed, queried, or trained on. Encryption keys are generated in hardware, per virtual machine and are not exportable.

Confidential VM Performance

Google Cloud worked together with the AMD Cloud Solution team to minimise the performance impact of memory encryption on workloads.

They added support for new OSS drivers (name and gvnic) to handle storage traffic and network traffic with higher throughput than older protocols, thus ensuring that Confidential VM will perform almost as fast as non-confidential VM.

Easy Transition

According to Google, transitioning to Confidential VM is easy – all Google Cloud Platform (GCP) workloads can readily run as a Confidential VM whenever you want to.

Available OS Images

In addition to the hardware-based inline memory encryption, Google built Confidential VM on top of Shielded VM, to harden your OS image and verify the integrity of your firmware, kernel binaries and drivers.

Google currently offers images of Ubuntu v18.094, Ubuntu 20.04, Container Optimized OS (COS v81), and RHEL 8.2.

They are currently working with CentOS, Debian and other distributors to offer additional OS images for Confidential VM.

 

Recommended Reading

Go Back To > Computer | BusinessHome

 

Support Tech ARP!

If you like our work, you can help support our work by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!


Leave a ReplyCancel reply