# Google Cloud Confidential Computing
Links: [[Google]], [[Google Cloud]], [[Confidential Computing]], [[EPYC]]
- [Primary product page with links to everything else](https://cloud.google.com/confidential-computing)
- [AMD EPYC Tech Docs and White Papers relating to Google Cloud's Confidential Computing Product](https://www.amd.com/en/processors/server-tech-docs/search?f%5B0%5D=server_document_category%3A16466?utm_campaign=cloudgooglesolutions&utm_medium=redirect&utm_source=301)
- Their confidential computing product is still in beta as of [[2022-02]]
### Probably does not offer [[AMD SEV|SEV-SNP]]
**Source: [[EPYC#Integrated into Google Cloud Confidential Computing]]**
![[EPYC#Integrated into Google Cloud Confidential Computing]]
## [Confidential Computing Product Page](https://cloud.google.com/confidential-computing)
*Encrypt data in-use with Confidential VMs and Confidential GKE Nodes*
- Breakthrough technology that allows you to encrypt data in use—while it’s being processed
- Simple, easy-to-use deployment that doesn't compromise on performance
- Collaborate with anyone, all while preserving the confidentiality of your data
- Confidential VMs is Generally Available
- Confidential GKE Nodes is in Preview
### Key features
##### Real-time encryption in use
Google Cloud customers can encrypt data in use, taking advantage of security technology offered by modern CPUs (e.g., Secure Encrypted Virtualization extension supported by 2nd Gen AMD EPYC™ CPUs) together with confidential computing cloud services. Customers can be confident that their data will stay private and encrypted even while being processed.
##### Lift and shift confidentiality
Our goal is to make Confidential Computing easy. ==The transition to Confidential VMs is seamless—all workloads you run today, new and existing, can run as a Confidential VM. You do not need to make any code changes to your applications to use Confidential VMs. One checkbox—it’s that simple.==
##### Detection of advanced persistent attacks
Confidential Computing builds on the protections Shielded VMs offer against rootkit and bootkits. This helps ensure the integrity of the operating system you choose to run in your Confidential VM.
##### Enhanced innovation
Confidential Computing can unlock computing scenarios that have previously not been possible. Organizations will now be able to collaborate on research in the cloud across geographies, across competitors, all while preserving confidentiality.
##### High performance
Confidential VMs offer similar performance to standard N2D VMs. Explore [tech docs and whitepapers](https://www.amd.com/en/processors/server-tech-docs/search?f%5B0%5D=server_document_category%3A16466?utm_campaign=cloudgooglesolutions&utm_medium=redirect&utm_source=301).
### Documentation
##### [Confidential VMs and Compute Engine](https://cloud.google.com/compute/confidential-vm/docs/about-cvm)
Learn more about Confidential VMs in Compute Engine, including support for end-to-end encryption, compute-heavy workloads, and more security and privacy features.
##### [Creating a Confidential VM instance](https://cloud.google.com/compute/confidential-vm/docs/quickstart-creating-new-instance)
Quickly get up and running with a new Confidential VM instance using default settings in the Google Cloud Console.
##### [Validating Confidential VMs using Cloud Monitoring](https://cloud.google.com/compute/confidential-vm/docs/monitoring)
Learn how to use Cloud Monitoring to monitor and validate the integrity of a confidential VM's OS, the integrity and version of the VM's SEV, and more.
##### [APIs & references](https://cloud.google.com/compute/confidential-vm/docs/apis)
View APIs, references, and other resources for Confidential VMs.
##### [Confidential GKE Nodes](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes)
Get started with Confidential GKE Nodes
##### [Dataproc Confidential Compute](https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/confidential-compute)
Learn how to create a Dataproc cluster that uses [Compute Engine Confidential VMs](https://cloud.google.com/compute/confidential-vm/docs/about-cvm) to provide inline memory encryption.
##### [Ubiquitous data encryption with STET](https://cloud.google.com/compute/confidential-vm/docs/ubiquitous-data-encryption)
Learn how to accomplish unified control of data at-rest, in-use, and in-transit with ubiquitous data encryption and the Split-Trust Encryption Tool.
## [Introducing Google Cloud Confidential Computing with Confidential VMs](https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms)
Blog post on [[2020-07-14]]
### Runs on 2nd generation [[EPYC]], i.e.
Confidential VMs run on N2D series VMs powered by 2nd Gen AMD EPYC™ processors. Using the AMD SEV feature, Confidential VMs offer high performance for the most demanding computational tasks, while keeping VM memory encrypted with a dedicated per-VM instance key that is generated and managed by the AMD EPYC processor. These keys are generated by the AMD Secure Processor during VM creation and reside solely within it, making them unavailable to Google or any VMs running on the host.
## [Google & AMD Expand The Confidential Computing Ecosystem](https://www.storagereview.com/news/google-amd-expand-the-confidential-computing-ecosystem)
- This piece is mostly about Google's partnerships relating to Confidential Computing
StorageReview on [[2021-01-04]]
(excerpts)
Google has announced Confidential Computing virtual machines (VMs) on the Google Compute Engine, powered by 2nd Gen AMD EPYC processors’ security. Within the disclosure, Google declared they had completed the rollout of Confidential Computing to general availability in nine regions; made possible to partners such as AMD, Red Hat, SUSE, Thales, and others. Confidential Computing can provide a flexible, isolated, hardware-based trusted execution environment, allowing adopters to protect their data and sensitive code against malicious access and memory snooping while data is in use.
Confidential Computing (or Confidential VMs) is a relatively new concept to encrypt data in use in the system’s main memory while still offering high performance, according to Google. This solution addresses numerous organizations’ key security concerns in migrating their sensitive applications to the cloud and safeguarding their most valuable information while in-use by their applications. ==Google put high expectations on the ecosystem; and is confident that in a few years, all virtual machines (VMs) in the cloud would be Confidential VMs.== Customers will have better control of their data, enabling them to secure their workloads better and collaborate in the cloud with confidence.
- "a few years" is a really short timeline
### AMD on Confidential Computing Benefits
The 2nd Gen AMD EPYC processors used by Google for its Confidential VMs use an advanced security feature called Secure Encrypted Virtualization (SEV). SEV is available on all AMD EPYC processors. When enabled by an OEM or cloud provider, it encrypts the data-in-use on a virtual machine, helping to keep it isolated from other guests, the hypervisor, and even the system administrators. The SEV feature works by providing each virtual machine with an encryption key that separates guests and the hypervisor from one another. These keys are created, distributed, and managed by the AMD Secure Processor. ==The benefit of SEV is that customers don’t have to re-write or re-compile applications to access these security features.== ^2f64b3
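Both the Google blog excerpt above (per-VM keys held by the AMD Secure Processor) and this AMD paragraph describe SEV from the outside; from inside a guest the question raised at the top of this note (plain SEV vs SEV-ES vs SEV-SNP) can be answered directly. The following is an added example, not code from Google, AMD or this page: it decodes the CPUID memory-encryption leaf Fn8000_001F (what the platform advertises) and the SEV_STATUS MSR C001_0131 (what is actually enabled for this guest). It assumes Linux on x86-64; the MSR half needs root and the `msr` kernel module, and the decoders are kept free of hardware access so they can be checked with constructed register values.

```c
#include <cpuid.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Capability bits advertised by CPUID Fn8000_001F (AMD APM vol. 3). */
struct sev_caps {
    int sme, sev, sev_es, sev_snp; /* EAX bits 0, 1, 3, 4 */
    unsigned c_bit;                /* EBX[5:0]: position of the C-bit in page table entries */
    unsigned max_guests;           /* ECX: simultaneously supported encrypted guests, as advertised */
};

/* Pure decoder, so constructed register values can be checked without SEV hardware. */
struct sev_caps decode_sev_leaf(uint32_t eax, uint32_t ebx, uint32_t ecx) {
    struct sev_caps c = { .sme = eax & 1, .sev = (eax >> 1) & 1,
                          .sev_es = (eax >> 3) & 1, .sev_snp = (eax >> 4) & 1,
                          .c_bit = ebx & 0x3f, .max_guests = ecx };
    return c;
}

/* What is actually enabled for this guest: MSR C001_0131 (SEV_STATUS),
 * bit 0 = SEV, bit 1 = SEV-ES, bit 2 = SEV-SNP. Returns -1 if the MSR device is unavailable. */
int read_sev_status(uint64_t *status) {
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return -1;
    int ok = pread(fd, status, sizeof *status, 0xC0010131) == (ssize_t)sizeof *status;
    close(fd);
    return ok ? 0 : -1;
}

/* Strongest flavour enabled according to SEV_STATUS. */
const char *sev_flavour(uint64_t status) {
    if (status & 4) return "SEV-SNP";
    if (status & 2) return "SEV-ES";
    if (status & 1) return "SEV";
    return "none";
}

int main(void) {
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0x80000000, NULL) < 0x8000001F) {
        puts("CPUID Fn8000_001F absent: no AMD memory encryption advertised to this CPU/guest");
        return 1;
    }
    __cpuid_count(0x8000001F, 0, eax, ebx, ecx, edx);
    struct sev_caps c = decode_sev_leaf(eax, ebx, ecx);
    printf("advertised: SME=%d SEV=%d SEV-ES=%d SEV-SNP=%d C-bit=%u\n",
           c.sme, c.sev, c.sev_es, c.sev_snp, c.c_bit);
    uint64_t status;
    if (read_sev_status(&status) == 0)
        printf("enabled in this guest: %s (SEV_STATUS=0x%llx)\n", sev_flavour(status), (unsigned long long)status);
    else
        puts("SEV_STATUS MSR not readable (needs root and the msr module); fall back to: dmesg | grep -i sev");
    return 0;
}
```

A Confidential VM that only offers SEV should report SEV=1 in the advertised line and a SEV_STATUS of 0x1; the CPUID line alone only tells you what the hypervisor chose to expose, so the MSR (or the kernel's boot message) is the authoritative check.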
### [[Organizations/Open-source/Red Hat]]
Red Hat believes that Confidential Computing is one fundamental approach to extend security from on-premises deployments into the cloud. Red Hat Enterprise Linux is designed to handle the needs of customers across on-premises and hybrid cloud environments. Customers need stability, predictability, and management solutions that scale with their workloads, which is why Confidential Computing solutions are enabled in Red Hat’s product portfolio. For these customers, Red Hat seeks to help them make the shift into a truly open hybrid cloud environment, expanding their digital transformation opportunities. Confidential Computing will allow customers to provide more competitive solutions while maintaining data privacy and protection assurance to their customers.
### [[SUSE]]
Working closely with AMD, SUSE added upstream support for AMD EPYC SEV processors to the Linux Kernel and was the first to announce Confidential VM support in SUSE Linux Enterprise Server 15 SP1, available in the Google Cloud Marketplace. These innovations allow their customers to take advantage of the scale and cost savings of Google Cloud Platform and the mission-critical manageability, compliance, and support. This technology opens up new areas of migration opportunities for legacy on-premises workloads, custom applications, and Private and Government workloads that require the utmost security and compliance requirements, once considered not cloud-ready in the past.
### [[Canonical]]
The collaboration between Google and Canonical ensures that Ubuntu is optimized for GCP operations at scale. Confidential Computing requires multiple pieces to align. Canonical said they are delighted to offer full Ubuntu support for this crucial capability at the outset with Google.
Memory encryption with hardware key management and attestation prevents the hypervisor’s compromise from becoming a compromise of guest data or integrity. Canonical Ubuntu fully supports Confidential Computing on Google Cloud, providing a new trust level in public cloud infrastructure.
## [Introducing Google Cloud Confidential Computing with Confidential VMs](https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms)
[[Google Cloud]] Blog on [[2020-07-14]]
(excerpts)
Confidential VMs, now in beta, is the first product in Google Cloud’s Confidential Computing portfolio. We already employ a variety of isolation and sandboxing techniques as part of our cloud infrastructure to help make our multi-tenant architecture secure. Confidential VMs take this to the next level by offering memory encryption so that you can further isolate your workloads in the cloud. ==Confidential VMs can help all our customers protect sensitive data, but we think it will be especially interesting to those in regulated industries.==
- regulatory compliance / circumvention is a recurring theme
**Enabling new possibilities**
Starting with [Asylo](https://cloud.google.com/blog/products/gcp/introducing-asylo-an-open-source-framework-for-confidential-computing), an open-source framework for confidential computing, our focus has been to ensure that confidential computing environments are easy to deploy and use, offer high performance, and are applicable to any workload you choose to run in the cloud. We believe that you shouldn’t have to compromise on usability, flexibility, performance, or security.
With the beta launch of Confidential VMs, we’re the first major cloud provider to offer this level of security and isolation while giving customers a simple, easy-to-use option for newly built as well as “lift and shift” applications.