A few months after upgrading its general-purpose (N2D) and compute-optimized (C2D) virtual machines to adopt the latest AMD EPYC technology, Google is now making confidential computing available in preview on these types of machines.
Launched nearly two years ago, Confidential Computing is Google’s name for privacy- and security-focused cloud virtual machines that ensure data is encrypted not only in transit and at rest, but also while in use in memory:
Google Cloud Confidential Computing products protect data in use by performing computation in a hardware-isolated environment, encrypted with processor-managed keys and unavailable to the operator.
To this end, Google Confidential Computing leverages AMD Secure Encrypted Virtualization (SEV) and other security technologies available on AMD EPYC processors to isolate the guest from the hypervisor running on the same physical machine. The advantage of confidential computing over other techniques for in-memory encryption is that it provides an easy way to run native x86 applications in a trusted execution environment, provided the guest runs an operating system designed for this use case.
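After launching one of these VMs, the check a practitioner wants is whether SEV memory encryption is actually active inside the guest. The following is an added example, not from the article or from Google; it assumes a Linux guest whose kernel reports the memory-encryption status in one of the formats listed in the comments, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not Google's code): decide from kernel boot messages whether
# AMD SEV guest memory encryption is active. Known message formats, which differ
# by kernel version (assumption: the guest uses one of these):
#   "AMD Secure Encrypted Virtualization (SEV) active"        (older 4.x kernels)
#   "AMD Memory Encryption Features active: SEV SEV-ES"       (5.x kernels)
#   "Memory Encryption Features active: AMD SEV"              (newer kernels)
# An SME-only line ("... active: SME") means host memory encryption only.

# Print the first memory-encryption status line from kernel log text on stdin.
# Returns 1 (and prints nothing) if no such line is present.
mem_encryption_line() {
    grep -E 'Secure Encrypted Virtualization \(SEV\) active|Memory Encryption Features active' \
        | head -n 1 | grep .
}

# Return 0 if SEV (guest memory encryption) is active, 1 otherwise
# (including the SME-only case and the no-status-line case).
sev_active() {
    line=$(mem_encryption_line) || return 1
    case "$line" in
        *"(SEV) active"*|*" SEV"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample kernel logs, not captured from a real machine.
SAMPLE_CONFIDENTIAL='[    0.000000] Linux version 5.10.0 (gcc 10.2.1)
[    0.123456] AMD Memory Encryption Features active: SEV
[    0.234567] Memory: 8000000K/8388608K available'
SAMPLE_SME_ONLY='[    0.000000] Linux version 5.10.0 (gcc 10.2.1)
[    0.123456] AMD Memory Encryption Features active: SME'
SAMPLE_PLAIN='[    0.000000] Linux version 5.10.0 (gcc 10.2.1)
[    0.234567] Memory: 8000000K/8388608K available'

# Usage on a real guest: dmesg | sev_active && echo "SEV active" || echo "SEV NOT active"
# Run against the constructed samples:
printf '%s\n' "$SAMPLE_CONFIDENTIAL" | sev_active && echo "sample 1: SEV active"
printf '%s\n' "$SAMPLE_SME_ONLY" | sev_active || echo "sample 2: SEV not active (SME only)"
printf '%s\n' "$SAMPLE_PLAIN" | sev_active || echo "sample 3: no memory encryption reported"
```

A missing status line is treated as "not active", which is the safe default for a check that gates whether sensitive workloads may start.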
Until now, Google Confidential Computing was only available on machines with 2nd Gen AMD EPYC processors and not on newer machines using 3rd Gen EPYC processors, creating a gap for customers requiring maximum privacy on the latest available hardware.
According to Google, N2D machines using 3rd Gen EPYC processors provided an average 30% improvement in price-performance ratio over 2nd Gen processors. Google hasn’t released specific performance figures for the confidential computing machines, but they say they’ve worked closely with AMD to ensure memory encryption doesn’t interfere with workload performance.
As mentioned, Google offers Confidential VMs on the N2D and C2D machine types. N2D are general-purpose machines allowing up to 224 vCPUs and 8 GB of memory per vCPU, while C2D are compute-optimized machines that maximize performance per core and provide up to 112 vCPUs with 4 GB of memory per vCPU.
AMD EPYC processors power not only Google’s products aimed at ensuring data privacy through encryption, but also those of Azure, AWS and others.
On a related note, Google Project Zero recently revealed a number of security issues affecting AMD EPYC SEV processors, which were quickly fixed by AMD.