About Confidential VM
A Confidential VM is a Compute Engine VM that uses a
specific machine type
and keeps your sensitive code and other data encrypted in memory during
processing, that is, it performs encryption-in-use.
Together with encryption-at-rest
and encryption-in-transit,
Confidential VM can help keep your data and applications encrypted at
all times.
For a more detailed conceptual overview, see
Confidential VM overview.
To get started using Confidential VM, see Create a Confidential VM instance.
You can manage your Confidential VMs in some of the following ways:
For enhanced block storage security with Confidential VM, you can use
Confidential mode for Hyperdisk Balanced.
Confidential mode for Hyperdisk Balanced adds another layer of security by enabling hardware-based encryption
of disk data. Hyperdisk volumes in Confidential mode use
Cloud HSM and Trusted Execution Environments (TEE) to
provide additional cryptographic isolation. For more information about TEEs, see
Trusted Execution Environment Explainer.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-26 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eConfidential VMs are Compute Engine VMs that encrypt sensitive code and data in memory during processing, using N2D, C2D, \u003ccode\u003ec3-standard-*\u003c/code\u003e, or C3D machine types.\u003c/p\u003e\n"],["\u003cp\u003eConfidential VMs provide encryption-in-use, complementing encryption-at-rest and encryption-in-transit, ensuring continuous data and application encryption.\u003c/p\u003e\n"],["\u003cp\u003eOrganization policies can be implemented to mandate the creation of Confidential VMs, and Cloud Monitoring and Cloud Logging are available to monitor and validate Confidential VM instances.\u003c/p\u003e\n"],["\u003cp\u003eFor enhanced security, Confidential mode for Hyperdisk Balanced can be used with Confidential VMs, leveraging hardware-based disk data encryption through Cloud HSM and trusted execution environments (TEEs).\u003c/p\u003e\n"],["\u003cp\u003eSecurity perimeter for Confidential VM interaction can be set up using shared VPC networks, org policies and firewall rules, allowing them to interact only with other Confidential VM instances.\u003c/p\u003e\n"]]],[],null,["# About Confidential VM\n\n*** ** * ** ***\n\nA Confidential VM is a Compute Engine VM that uses a\n[specific machine type](/confidential-computing/confidential-vm/docs/supported-configurations#machine-type-cpu-zone)\nand keeps your sensitive code and other data encrypted in memory during\nprocessing, that is, it performs *encryption-in-use* .\nTogether with [*encryption-at-rest*](/security/encryption/default-encryption)\nand [*encryption-in-transit*](/security/encryption-in-transit),\nConfidential VM can help keep your data and applications encrypted at\nall times.\n\nFor a more detailed conceptual overview, see\n[Confidential VM overview](/confidential-computing/confidential-vm/docs/confidential-vm-overview).\n\nTo get started using Confidential VM, see [Create a Confidential VM instance](/confidential-computing/confidential-vm/docs/create-a-confidential-vm-instance).\n\nYou can manage your Confidential VMs in some of the following ways:\n\n- You can use organization policy constraints to\n [ensure that instances created in your organization are Confidential VMs](/confidential-computing/confidential-vm/docs/enforce-confidential-vm-use).\n\n- You can use Cloud Monitoring and Cloud Logging to\n [monitor and validate your Confidential VM instances](/confidential-computing/confidential-vm/docs/monitor-integrity).\n\n- You can use shared Virtual Private Cloud (VPC) networks, organization policy\n constraints, and firewall rules to [set up a security perimeter](/confidential-computing/confidential-vm/docs/restrict-confidential-vm-interaction)\n that ensures your Confidential VM instances can only interact with\n other Confidential VM instances.\n\n- With the A3 machine series, you can create a Confidential VM instance\n that uses Intel TDX and has an attached\n GPU. For more information, see\n Confidential VM\n [supported configurations](/confidential-computing/confidential-vm/docs/supported-configurations).\n\nFor enhanced block storage security with Confidential VM, you can use\n[Confidential mode for Hyperdisk Balanced](/compute/docs/disks/disk-encryption#conf_hdb).\nConfidential mode for Hyperdisk Balanced adds another layer of security by enabling hardware-based encryption\nof disk data. Hyperdisk volumes in Confidential mode use\n[Cloud HSM](/kms/docs/hsm) and Trusted Execution Environments (TEE) to\nprovide additional cryptographic isolation. For more information about TEEs, see\n[Trusted Execution Environment Explainer](https://services.google.com/fh/files/misc/confidential_computing_overview.pdf)."]]
