Confidential VM overview

Confidential VM instances are a type of Compute Engine virtual machine. They use hardware-based memory encryption to help ensure your data and applications can't be read or modified while in use.

Confidential VM instances offer the following benefits:

  • Isolation: Encryption keys are generated by—and reside solely in—dedicated hardware, inaccessible to the hypervisor.

  • Attestation: You can verify the identity and the state of the VM, to make sure that key components haven't been tampered with.

This type of hardware isolation and attestation is known as a Trusted Execution Environment (TEE).

You can enable the Confidential VM service whenever you create a new VM instance.

Confidential Computing technologies

When setting up a Confidential VM instance, the type of Confidential Computing technology that's used is based on the machine type and CPU platform you choose. When choosing a Confidential Computing technology, make sure it fits your performance and cost needs.


AMD SEV

AMD Secure Encrypted Virtualization (SEV) on Confidential VM offers hardware-based memory encryption through the AMD Secure Processor, and boot-time attestation through Google's vTPM.

AMD SEV offers high performance for demanding computational tasks. The performance difference between an SEV Confidential VM and a standard Compute Engine VM can range from nothing to minimal, depending on the workload.

Unlike other Confidential Computing technologies on Confidential VM, AMD SEV machines that use the N2D machine type support live migration.

Read the AMD SEV whitepaper.


AMD SEV-SNP

AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) expands on SEV, adding hardware-based security to help prevent malicious hypervisor-based attacks like data replay and memory remapping. Attestation reports can be requested at any time directly from the AMD Secure Processor.

Because AMD SEV-SNP offers more security features, it's more resource-intensive than SEV. In particular, depending on the workload, you might experience lower network bandwidth and higher network latency.

Read the AMD SEV-SNP whitepaper.

Intel TDX

Intel Trust Domain Extensions (TDX) (Preview) is a hardware-based TEE. TDX creates an isolated trust domain (TD) within a VM, and uses hardware extensions for managing and encrypting memory.

Intel TDX augments defense of the TD against limited forms of attacks that use physical access to the platform memory, such as offline, dynamic random access memory (DRAM) analysis and active attacks of DRAM interfaces, including capturing, modifying, relocating, splicing, and aliasing memory contents.

Read the Intel TDX whitepaper.
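The following added example (not part of the original page and not Google's code) shows a guest-side sanity check that the technology you selected is the one the Linux kernel reports as active. It assumes a Linux guest that logs a "Memory Encryption Features active:" line at boot; the function names and sample log lines are constructed for illustration.

```python
import re
from typing import Optional

# Line the Linux guest kernel logs at boot (assumption: Linux guest).
# Older kernels write "AMD Memory Encryption Features active: SEV";
# newer ones write "Memory Encryption Features active: AMD SEV ...".
_FEATURES = re.compile(r"Memory Encryption Features active:\s*(.*)$", re.M)

# Checked in this order so SEV-SNP wins when plain "SEV" is also listed.
_PRIORITY = [("SEV-SNP", "AMD SEV-SNP"), ("TDX", "Intel TDX"), ("SEV", "AMD SEV")]

# Constructed sample kernel log lines, one per case discussed above.
SAMPLES = {
    "sev": "[    0.12] AMD Memory Encryption Features active: SEV",
    "snp": "[    0.12] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP",
    "tdx": "[    0.00] tdx: Guest detected\n"
           "[    0.12] Memory Encryption Features active: Intel TDX",
    "standard": "[    0.12] Linux version 6.1.0 (constructed sample)",
}


def detect_technology(kernel_log: str) -> Optional[str]:
    """Return the Confidential Computing technology the guest kernel reports."""
    match = _FEATURES.search(kernel_log)
    if not match:
        return None  # no memory-encryption line: treat as a standard VM
    tokens = set(match.group(1).split())
    for token, name in _PRIORITY:
        if token in tokens:
            return name
    return None


def check_expected(kernel_log: str, expected: str) -> bool:
    """Fail closed: True only if the guest reports exactly the expected type.

    This is a local indicator read from the guest's own log. It does not
    replace attestation, which is what verifies the VM's identity and state.
    """
    return detect_technology(kernel_log) == expected


if __name__ == "__main__":
    for label, log in SAMPLES.items():
        print(label, "->", detect_technology(log))
```

On a running instance, pass the output of `dmesg` as `kernel_log` and the technology you configured as `expected`.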

Confidential VM services

In addition to Compute Engine, the following Google Cloud services make use of Confidential VM:

What's next

Read about Confidential VM supported configurations.