Google revealed on Tuesday that its Confidential Computing portfolio would be extended, with the general availability of Confidential VMs and the addition of Confidential GKE (Google Kubernetes Engine) nodes.
Confidential VMs, launched in beta in July, was the first product in the portfolio of Google Cloud Confidential Computing and Google is making it available to all Google Cloud customers in the coming weeks. The product will include all of the functionality added during the beta stage.
Confidential GKE Nodes, the second product in Google’s Confidential Computing portfolio, will enter beta when GKE 1.18 is released, which should provide more confidential workload options for organisations looking to use Kubernetes clusters with GKE.
Designed with the same technology foundation as Confidential VMs, Confidential GKE Nodes help organisations keep data encrypted into memory using a node-specific dedicated key. This key is created and managed by the AMD EPYC processor, explains Google.
The new software will allow organisations to configure a GKE cluster to only deploy node pools that have Confidential VM capabilities. This automatically enforces the use of Confidential VMs for all worker nodes on clusters that use Confidential GKE Nodes.
According to Google, Confidential GKE Nodes employs hardware memory encryption that uses the Protected Encrypted Virtualization feature of AMD EPYC processors, so all workloads on these nodes are encrypted while in usage.
Confidential VMs too utilise memory encryption to separate workloads and tenants, providing an easy-to-use alternative to ensure workload memory is safe in Google Compute Engine.
Confidential VMs often provide high efficiency, even for challenging computational tasks, according to Google, and ensure that VM memory remains encrypted (using a per-VM key created and managed by the safe processor within AMD EPYC chips).
New features the Internet giant introduces for confidential VMs include compliance audit reports (including comprehensive documentation on the quality of the main generation firmware), new policy limits on confidential computing resources, alignment with other implementation systems, and the ability to securely exchange secrets with confidential VMs.
Organizations can now, through the IAM Org Policy, define specific access privileges for Confidential VMs and may disable non-confidential VMs within the project. In addition, they can combine shared VPCs, policy constraints, and firewall rules so that only confidential VM interaction is permitted or a perimeter of GCP resources is specified for VMs.
Now, confidential VMs ensure secure exchange of information, via the virtual Trusted Platform Module (vTPM). In addition, the go-tpm open source library helps organisations to link secrets to Confidential VM’s vTPM using APIs.