A Confidential VM is a Compute Engine VM that uses a specific machine type and keeps your sensitive code and other data encrypted in memory during processing, that is, it performs encryption-in-use. Together with encryption-at-rest and encryption-in-transit, Confidential VM can help keep your data and applications encrypted at all times.
For a more detailed conceptual overview, see Confidential VM overview.
To get started using Confidential VM, try the quickstart or see Create a Confidential VM instance.
You can manage your Confidential VMs in the following ways, among others:
- Use organization policy constraints to ensure that instances created in your organization are Confidential VMs.
- Use Cloud Monitoring and Cloud Logging to monitor and validate your Confidential VM instances.
- Use Shared Virtual Private Cloud (VPC) networks, organization policy constraints, and firewall rules to set up a security perimeter that ensures your Confidential VM instances can only interact with other Confidential VM instances.
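The two management points above (enforcing that instances are Confidential VMs, and validating the fleet you actually have) pair a preventive control with a detective one. The following is an added example, not code from the Google Cloud documentation: a small audit script that takes the JSON an instance listing produces and reports any instance whose confidential-compute configuration is missing or disabled. The sample instance records are constructed inline; the field names `confidentialInstanceConfig`, `enableConfidentialCompute` and `confidentialInstanceType` follow the Compute Engine API as the author knows it, and the accepted type values are an assumption of this script.

```python
import json

# Constructed sample, shaped like a trimmed `gcloud compute instances list --format=json`
# listing. Only the fields this check looks at are included.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "cvm-sev-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
        "confidentialInstanceConfig": {"enableConfidentialCompute": True},
    },
    {
        # No confidentialInstanceConfig at all: an ordinary VM.
        "name": "web-legacy-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
    },
    {
        # Explicitly disabled: also an ordinary VM.
        "name": "batch-worker-2",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
        "confidentialInstanceConfig": {"enableConfidentialCompute": False},
    },
    {
        # Newer style: the technology is named rather than a boolean flag set.
        "name": "cvm-tdx-1",
        "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
        "confidentialInstanceConfig": {"confidentialInstanceType": "TDX"},
    },
])

# Assumption: these are the confidential-compute technologies this script treats as valid.
CONFIDENTIAL_TYPES = {"SEV", "SEV_SNP", "TDX"}


def is_confidential(instance: dict) -> bool:
    """Return True if the instance record declares confidential computing."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    if cfg.get("enableConfidentialCompute") is True:
        return True
    return cfg.get("confidentialInstanceType") in CONFIDENTIAL_TYPES


def zone_name(instance: dict) -> str:
    """Reduce the full zone URL to its last path segment, e.g. 'us-central1-a'."""
    return instance.get("zone", "").rstrip("/").rsplit("/", 1)[-1]


def find_non_confidential(instances_json: str) -> list[str]:
    """Names of instances that are not Confidential VMs, sorted for stable output."""
    instances = json.loads(instances_json)
    return sorted(i["name"] for i in instances if not is_confidential(i))


def summarize_by_zone(instances_json: str) -> dict[str, dict[str, int]]:
    """Per-zone counts of confidential vs. non-confidential instances."""
    summary: dict[str, dict[str, int]] = {}
    for inst in json.loads(instances_json):
        bucket = summary.setdefault(zone_name(inst), {"confidential": 0, "other": 0})
        bucket["confidential" if is_confidential(inst) else "other"] += 1
    return summary


if __name__ == "__main__":
    offenders = find_non_confidential(SAMPLE_INSTANCES_JSON)
    for zone, counts in sorted(summarize_by_zone(SAMPLE_INSTANCES_JSON).items()):
        print(f"{zone}: {counts['confidential']} confidential, {counts['other']} other")
    if offenders:
        print("Non-confidential instances:", ", ".join(offenders))
```

In practice you would feed the script the live listing (for example, piping `gcloud compute instances list --format=json` into it) and run it on a schedule, treating any name it reports as a policy drift to investigate. The script is a detective check only; the preventive control is the organization policy constraint mentioned above, which stops non-confidential instances from being created in the first place.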
With the A3 machine series, you can create a Confidential VM instance that uses Intel TDX and has an attached GPU (Preview). For more information, see Confidential VM supported configurations.
For enhanced block storage security with Confidential VM, you can use Confidential mode for Hyperdisk Balanced. Confidential mode for Hyperdisk Balanced adds another layer of security by enabling hardware-based encryption of disk data. Hyperdisk volumes in Confidential mode use Cloud HSM and Trusted Execution Environments (TEEs) to provide additional cryptographic isolation. For more information about TEEs, see Trusted Execution Environment Explainer.