This chapter covers Confidential Computing on Google Cloud Platform (GCP), a critical security technology that protects data in use by encrypting it in memory. For the ACE exam, Confidential Computing appears under Objective 5.2 (Data Encryption Options) and typically accounts for 2-4% of questions. You will need to understand the core concepts, supported services (Confidential VMs, Confidential GKE Nodes, Confidential Dataproc, and Confidential Space), and how to enable and verify them. The exam focuses on use cases, limitations, and how Confidential Computing differs from encryption at rest and in transit.
Jump to a section
Confidential Computing is like a high-security bank vault with a unique feature: the vault's interior is completely opaque to everyone, including the bank tellers who process transactions. Imagine a bank where customers deposit sensitive data (like a secret recipe) into a vault. The vault is made of a special material that prevents anyone—even the bank manager or the security guards—from seeing inside while the data is being processed. A trusted third party, like an auditor, verifies the vault's design and proves that it has no hidden cameras or peepholes. Each time data enters the vault, it is encrypted with a key that only the vault's internal processor knows. The processor decrypts the data, performs the required computation (e.g., analyzing the recipe), and re-encrypts the result before outputting it. The bank employees can see the encrypted data going in and the encrypted result coming out, but they never see the plaintext data or intermediate calculations. If someone tries to tamper with the vault (e.g., drilling a hole), a tamper-evident seal breaks and the vault self-destructs the keys. This mirrors how Confidential VMs use AMD SEV (Secure Encrypted Virtualization) to encrypt memory in use, with the hypervisor and host OS having no access to the decryption keys. The attestation report, like the auditor's certificate, proves the environment is genuine and unmodified.
What is Confidential Computing and Why Does It Exist?
Confidential Computing is a cloud security technology that encrypts data while it is being processed—i.e., in use. Traditional encryption protects data at rest (storage) and in transit (network), but data in memory (RAM) is typically plaintext and accessible to the host operating system, hypervisor, and anyone with physical access to the server. Confidential Computing addresses this gap by creating a hardware-based Trusted Execution Environment (TEE) that isolates the workload from the host and encrypts memory with a key not accessible to the cloud provider.
On GCP, Confidential Computing is built on AMD EPYC processors with Secure Encrypted Virtualization (SEV) technology. SEV encrypts the memory of each virtual machine (VM) with a unique, ephemeral key generated by the AMD secure processor. The key is never exposed to the hypervisor (KVM) or the host OS. Even Google's infrastructure cannot read the VM's memory. The encryption is transparent to the guest OS and applications—they run normally without modification.
How It Works Internally: The Mechanism
Hardware Foundation: AMD SEV (Secure Encrypted Virtualization) is a feature of AMD EPYC processors. It uses an on-die Advanced Encryption Standard (AES) engine to encrypt memory pages as they are written to DRAM and decrypt them when read. The encryption key is managed by the AMD Secure Processor (a separate ARM Cortex-A5 core inside the CPU package).
Key Generation and Management: When a Confidential VM is created, the AMD Secure Processor generates a unique VM-specific key. This key is stored in the Secure Processor's internal memory and is never written to DRAM. The key is used to encrypt the VM's memory. The hypervisor (KVM) does not have access to this key; it only manages the VM's lifecycle but cannot read its memory.
Memory Encryption: Every memory write by the VM is encrypted on-the-fly by the AES engine before going to DRAM. Every read is decrypted. This is transparent to the guest OS. The encryption covers all memory used by the VM, including the guest kernel, user-space applications, and data.
Attestation: To prove that a VM is running in a genuine TEE, GCP provides a remote attestation mechanism. The VM can request an attestation report from the AMD Secure Processor. This report includes a measurement (hash) of the VM's initial state (firmware, kernel, etc.) and is signed by the AMD Secure Processor's attestation key. The report can be verified by third parties using AMD's public key. This allows the workload owner to confirm that the VM is a genuine Confidential VM and has not been tampered with.
Secure Boot: Confidential VMs also leverage Secure Boot to ensure that only signed OS images are loaded. This prevents bootkits or rootkits from modifying the VM's initial state.
Key Components, Values, and Defaults
Confidential VM Instance Types: Only certain machine series support Confidential Computing: N2D, C2D, and M1 (Tau T2D is not supported). The minimum vCPU count is 2 for N2D and C2D, and 4 for M1. Memory must be at least 4 GB per vCPU (e.g., for 2 vCPUs, memory must be >=8 GB).
Operating Systems: Supported OS images include Ubuntu 20.04/22.04 LTS, RHEL 8/9, Rocky Linux 8/9, and Container-Optimized OS (COS) with containerd. Windows Server is not supported.
Enablement: To create a Confidential VM, you must set the --confidential-compute flag during VM creation. Additionally, you must enable Secure Boot (--shielded-secure-boot). The VM must use a custom image or a supported public image. You cannot enable Confidential Compute on an existing VM; it must be created from scratch.
Performance Impact: Memory encryption introduces a small performance overhead (typically 2-8% depending on workload). The overhead comes from AES encryption/decryption on each memory access. Memory-intensive workloads may see higher overhead.
Networking: Confidential VMs support all standard GCP networking features, including VPC, subnet, firewall rules, and load balancing. However, some advanced features like live migration are not supported. Live migration is disabled for Confidential VMs because the encryption keys are tied to the physical host; moving the VM would require key transfer, which is not supported.
Pricing: Confidential VMs are priced at the same rate as regular VMs of the same machine type. There is no additional charge for Confidential Computing itself. However, you must use specific machine types that may have higher base pricing.
Configuration and Verification Commands
Creating a Confidential VM using gcloud:
gcloud compute instances create confidential-vm-1 \
--zone=us-central1-a \
--machine-type=n2d-standard-2 \
--confidential-compute \
--shielded-secure-boot \
--image-family=ubuntu-2204-lts \
--image-project=ubuntu-os-cloudVerifying Confidential VM status:
gcloud compute instances describe confidential-vm-1 --zone=us-central1-a --format="value(confidentialInstanceConfig)"This returns enableConfidentialCompute: true if the VM is a Confidential VM.
Inside the VM, verify SEV is active:
dmesg | grep -i sevLook for lines indicating SEV is enabled. On Ubuntu, you can also check /sys/kernel/security/sev/.
Attestation Example (using a script):
The guest can call the AMD Secure Processor to get an attestation report. Google provides a tool called gcloud confidential-vms attest (part of the gcloud CLI) to fetch and verify attestation reports.
gcloud confidential-vms attest --instance=confidential-vm-1 --zone=us-central1-aThis outputs a signed attestation report in JSON format.
How Confidential Computing Interacts with Related Technologies
Shielded VMs: Confidential VMs require Shielded VM features, specifically Secure Boot, but not necessarily vTPM or Integrity Monitoring. However, enabling Secure Boot is mandatory.
Customer-Managed Encryption Keys (CMEK): CMEK protects data at rest (e.g., Persistent Disk). Confidential Computing protects data in use. They are complementary. You can use CMEK to encrypt the boot disk of a Confidential VM.
Cloud HSM: Cloud HSM can be used to manage keys for attestation or to protect data before it enters the Confidential VM. However, the memory encryption keys are managed entirely by the AMD Secure Processor, not by Cloud HSM.
Google Kubernetes Engine (GKE): Confidential GKE Nodes allow pods to run in Confidential VMs. This is achieved by using GKE with Confidential VM node pools. Pods scheduled on these nodes benefit from memory encryption.
Confidential Space: A newer service that provides a secure enclave for data-sharing collaborations. It uses Confidential VMs and adds additional isolation and attestation for multi-party workflows.
Supported Services
Confidential VMs: The foundational service. Any workload that can run on a supported OS can be deployed on a Confidential VM.
Confidential GKE Nodes: GKE clusters can use Confidential VMs as node pools. This encrypts pod memory. Requires GKE version 1.23+ and Container-Optimized OS with containerd.
Confidential Dataproc: Dataproc clusters can use Confidential VMs for worker nodes. This protects data processed by Spark or Hadoop jobs.
Confidential Space: A managed environment for confidential computing collaborations. It provides a pre-configured Confidential VM with attestation and data access controls.
Limitations
Live migration is not supported. If a host needs maintenance, the VM is terminated, not migrated.
Not all machine types are supported. Only N2D, C2D, and M1 with specific configurations.
Windows Server is not supported.
Some OS features like nested virtualization are not available.
The attestation mechanism is complex and requires scripting to automate verification.
Performance overhead from memory encryption may be significant for memory-bandwidth-intensive workloads.
Choose a supported machine type
Select a machine type that supports Confidential Computing. On GCP, only N2D, C2D, and M1 series are supported. The machine must have at least 2 vCPUs (4 for M1) and memory must be at least 4 GB per vCPU. For example, n2d-standard-2 (2 vCPUs, 8 GB memory) is valid. You cannot use custom machine types. This step is critical because choosing an unsupported type will cause the creation to fail with an error.
Select a supported OS image
Choose a public image from the supported list: Ubuntu 20.04/22.04 LTS, RHEL 8/9, Rocky Linux 8/9, or Container-Optimized OS with containerd. You can also use a custom image based on these OSes, but it must have Secure Boot enabled and the necessary kernel modules for SEV. Windows Server images are not supported. Using an unsupported image will result in a creation error.
Enable Confidential Compute and Secure Boot
When creating the VM using gcloud or the console, set the `--confidential-compute` flag and `--shielded-secure-boot` flag. These are required together. Secure Boot ensures that only signed OS components are loaded, preventing tampering before the VM starts. Without Secure Boot, the VM will not be created as a Confidential VM. In the console, check the 'Confidential VM service' box under 'Confidential Computing' and enable 'Secure Boot' under 'Shielded VM'.
Verify the VM is confidential
After creation, verify that the VM is a Confidential VM using `gcloud compute instances describe` and checking the `confidentialInstanceConfig` field. Inside the VM, run `dmesg | grep -i sev` to confirm SEV is active. You can also check the presence of `/sys/kernel/security/sev/`. If these indicators are missing, the VM may not be properly configured.
Perform attestation (optional but recommended)
To prove that the VM is a genuine TEE, request an attestation report using `gcloud confidential-vms attest`. This command contacts the AMD Secure Processor and returns a signed report containing a measurement of the VM's initial state. This report can be verified using AMD's public key. Attestation is essential for workloads that need to prove to third parties that their data is processed in a secure environment.
Scenario 1: Multi-Party Data Collaboration (Confidential Space)
A pharmaceutical company wants to collaborate with a research hospital to analyze patient genomic data without exposing the raw data to each other or to Google. They use Confidential Space, which provisions a Confidential VM with pre-configured secure boot and attestation. Each party uploads encrypted data to Cloud Storage. The Confidential Space VM decrypts the data inside the TEE, runs the analysis, and outputs encrypted results. The VM's attestation report is verified by both parties to ensure no tampering. At scale, they run multiple analyses in parallel using Confidential GKE Nodes. A common misconfiguration is not setting up proper IAM permissions for the Confidential Space service agent, causing attestation failures.
Scenario 2: Financial Services Compliance (Confidential VMs)
A bank needs to process credit card transactions in a PCI-DSS compliant environment. They deploy their payment processing application on Confidential VMs to ensure that even Google's infrastructure cannot access the cardholder data in memory. They use N2D machine types with Ubuntu 22.04. They enable CMEK for the persistent disks and use Confidential VMs for the compute. They also use Cloud Audit Logs to monitor VM creation. A pitfall: they initially tried to enable live migration, which is not supported, causing VM termination during host maintenance. They learned to use managed instance groups with auto-healing to handle VM replacements.
Scenario 3: Intellectual Property Protection (Confidential GKE Nodes)
A startup develops a proprietary machine learning model. They train the model on sensitive customer data using GKE with Confidential Nodes. They create a cluster with a node pool using gcloud container node-pools create with the --confidential-nodes flag. The model and data are protected in memory. They also use Cloud HSM to encrypt model artifacts at rest. A common issue: they forget to use Container-Optimized OS with containerd (the default for GKE), which is required. They also need to ensure the GKE version is 1.23 or later. Performance monitoring shows a 5% overhead on training time due to memory encryption, which is acceptable for their compliance needs.
What the ACE Exam Tests
Objective 5.2 (Data Encryption Options) includes Confidential Computing as a method to encrypt data in use. The exam expects you to:
Identify which machine types support Confidential VMs (N2D, C2D, M1).
Know the prerequisites: Secure Boot, supported OS, minimum vCPU/memory.
Understand that Confidential VMs use AMD SEV to encrypt memory.
Know that live migration is not supported.
Recognize use cases: multi-party computation, sensitive data processing, regulated industries.
Differentiate from encryption at rest (CMEK, CSEK) and in transit (TLS).
Common Wrong Answers and Traps
'Confidential VMs encrypt data in transit.' Wrong. Confidential Computing encrypts data in use (memory). Encryption in transit is handled by TLS.
'Confidential VMs require vTPM.' Wrong. They require Secure Boot, not necessarily vTPM. vTPM is part of Shielded VMs but not mandatory for Confidential VMs.
'Any machine type can be used.' Wrong. Only N2D, C2D, and M1 are supported.
'Windows Server is supported.' Wrong. Windows Server is not supported.
'Confidential VMs support live migration.' Wrong. Live migration is disabled; if a host fails, the VM is terminated.
'Confidential VMs are more expensive than regular VMs.' Wrong. There is no additional charge; you pay the same rate for the machine type.
Specific Numbers and Terms to Memorize
Minimum vCPUs: 2 (4 for M1)
Minimum memory per vCPU: 4 GB
Supported machine families: N2D, C2D, M1
Required flag: --confidential-compute and --shielded-secure-boot
Technology: AMD SEV (Secure Encrypted Virtualization)
Unsupported: live migration, Windows Server, nested virtualization
GKE: Confidential Nodes require GKE 1.23+, COS with containerd
Edge Cases and Exceptions
If you try to enable Confidential Compute on a VM that uses a custom image without Secure Boot, it will fail.
You cannot convert an existing VM to a Confidential VM; you must create a new one.
Confidential VMs cannot be used with certain features like GPUs or sole-tenant nodes.
The attestation report is only valid for a short time; you must verify it promptly.
How to Eliminate Wrong Answers
On exam questions, if an answer mentions 'encrypts data in memory', it is likely correct for Confidential Computing. If it says 'encrypts data in transit' or 'at rest', it is wrong. Also, any answer that suggests live migration is possible is incorrect. If the question asks about prerequisites, look for 'Secure Boot' and 'supported machine type' in the correct answer.
Confidential Computing encrypts data in use (memory) using AMD SEV, protecting it from the host OS and hypervisor.
Only N2D, C2D, and M1 machine types support Confidential VMs; minimum 2 vCPUs (4 for M1) and 4 GB memory per vCPU.
Confidential VMs require Secure Boot and must be enabled at creation time; cannot be added to existing VMs.
Live migration is not supported for Confidential VMs; host maintenance terminates the VM.
Supported OS: Ubuntu 20.04/22.04, RHEL 8/9, Rocky Linux 8/9, COS with containerd; Windows Server is not supported.
Attestation reports can be obtained via gcloud to prove the VM is a genuine TEE.
GKE Confidential Nodes require GKE 1.23+ and COS with containerd.
Confidential Computing is complementary to encryption at rest (CMEK) and in transit (TLS).
No additional cost for Confidential Computing; you pay standard VM pricing for supported machine types.
These come up on the exam all the time. Here's how to tell them apart.
Confidential VMs
Encrypts data in use (memory) using AMD SEV.
Requires Secure Boot and specific machine types (N2D, C2D, M1).
No live migration support.
Provides attestation to verify TEE integrity.
Protects against host OS and hypervisor access.
Shielded VMs
Protects against rootkits and boot-level malware using Secure Boot, vTPM, and Integrity Monitoring.
Works on most machine types (N1, N2, E2, etc.).
Supports live migration.
No memory encryption; data in memory is plaintext.
Does not protect against host OS or hypervisor access to memory.
Mistake
Confidential VMs encrypt data in transit between VMs.
Correct
Confidential VMs encrypt data in use (memory). Data in transit is encrypted separately, typically using TLS. The encryption provided by AMD SEV only protects memory on the host, not network traffic.
Mistake
Confidential VMs require a vTPM (virtual Trusted Platform Module).
Correct
Confidential VMs require Secure Boot, but not vTPM. While Shielded VMs can include vTPM, it is not a requirement for Confidential Computing. The mandatory Shielded VM feature is Secure Boot.
Mistake
You can enable Confidential Computing on an existing VM by editing its configuration.
Correct
Confidential Computing must be enabled at VM creation time. You cannot enable it on an existing VM. You must create a new VM with the `--confidential-compute` flag.
Mistake
All GCP machine types support Confidential VMs.
Correct
Only N2D, C2D, and M1 series support Confidential VMs. Common machine types like N1, E2, N2 (non-D) do not support it. Always check the documentation for the latest list.
Mistake
Confidential Computing is only available as a separate add-on service with extra cost.
Correct
Confidential Computing is a feature of certain machine types at no extra cost. You pay the standard VM pricing for those machine types. There is no 'Confidential Computing' line item on your bill.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Confidential VMs encrypt memory in use using AMD SEV, protecting data even from the host OS. Shielded VMs protect against boot-level tampering via Secure Boot, vTPM, and Integrity Monitoring, but do not encrypt memory. Both can be used together: Shielded VMs are a prerequisite for Confidential VMs (Secure Boot is required).
No. Confidential Computing must be enabled at VM creation time using the `--confidential-compute` flag. You cannot modify an existing VM to become a Confidential VM. You must create a new VM with the required settings.
Confidential VMs do not support live migration. If the host requires maintenance, the VM is terminated. To maintain availability, use managed instance groups with auto-healing to automatically recreate VMs on a different host.
No. Windows Server is not supported for Confidential VMs. Only Linux distributions such as Ubuntu, RHEL, Rocky Linux, and Container-Optimized OS are supported. Check the official documentation for the latest list of supported OSes.
Use `gcloud compute instances describe VM_NAME --zone=ZONE --format="value(confidentialInstanceConfig)"` to confirm `enableConfidentialCompute: true`. Inside the VM, run `dmesg | grep -i sev` to verify SEV is active.
Memory encryption adds a typical overhead of 2-8% depending on the workload. Memory-intensive workloads may see higher overhead. The impact is due to AES encryption/decryption on every memory access. For most applications, the overhead is acceptable for the security benefit.
No. Confidential VMs do not support GPUs. If your workload requires GPUs, you cannot use Confidential Computing. Additionally, other features like sole-tenant nodes and nested virtualization are not supported.
You've just covered Confidential Computing on GCP — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?