Google Cloud expands its Confidential Computing portfolio
Google says that the Confidential GKE Nodes are built on the same technology foundation as Confidential VMs, and allow users to keep data encrypted in memory with a node-specific dedicated key that’s generated and managed by the AMD EPYC processor.
Google Cloud, back in July this year, announced the availability of Confidential VMs as part of its Confidential Computing portfolio. Nearly two months later, the company has expanded the portfolio by adding two new products to the lineup.
First is Confidential GKE Nodes. Google says that the Confidential GKE Nodes are built on the same technology foundation as Confidential VMs, and allow users to keep data encrypted in memory with a node-specific dedicated key that’s generated and managed by the AMD EPYC processor.
Under the hood, Confidential GKE Nodes will let users configure their GKE cluster to deploy node pools backed by Confidential VMs. Clusters with Confidential GKE Nodes enabled will automatically enforce the use of Confidential VMs for all worker nodes. Confidential GKE Nodes will use hardware memory encryption powered by the AMD Secure Encrypted Virtualization (SEV) feature of AMD EPYC processors.
As for availability, Google says that Confidential GKE Nodes will soon be available in beta, starting with the GKE 1.18 release.
In addition, the company announced that Confidential VMs are becoming generally available and will be offered to all Google Cloud customers in the coming weeks.
Apart from making Confidential VMs generally available, Google announced that it was adding four new capabilities to the product. The first is called audit reports, which will now include detailed logs about the integrity of the AMD Secure Processor firmware that is responsible for key generation in Confidential VM instances. “We establish an integrity baseline when you first launch your VM and match against it whenever a VM is relaunched. You can also set custom actions or alerts based on these logs,” the company explained in a blog post.
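As an added illustration of the baseline-and-match idea described above (example code, not Google's own tooling): a small evaluator that records the first launch report per instance as its baseline and raises an alert when a later relaunch reports an integrity failure or a different firmware digest. The sample entries and their field names are constructed for this example and are an assumption about the log shape, not the documented Cloud Logging schema.

```python
import json
from typing import Dict, List, Tuple

# CONSTRUCTED sample log, one Cloud Logging-style entry per line. The field names
# (sevLaunchAttestationReportEvent, integrityEvaluationPassed, sevFirmwareDigest)
# are an assumption for this example, not a verified schema.
SAMPLE_LOG = """\
{"timestamp":"2020-09-08T10:00:00Z","resource":{"labels":{"instance_id":"111"}},"jsonPayload":{"sevLaunchAttestationReportEvent":{"integrityEvaluationPassed":true,"sevFirmwareDigest":"aa11"}}}
{"timestamp":"2020-09-08T12:00:00Z","resource":{"labels":{"instance_id":"222"}},"jsonPayload":{"sevLaunchAttestationReportEvent":{"integrityEvaluationPassed":true,"sevFirmwareDigest":"bb22"}}}
{"timestamp":"2020-09-09T09:00:00Z","resource":{"labels":{"instance_id":"111"}},"jsonPayload":{"sevLaunchAttestationReportEvent":{"integrityEvaluationPassed":false,"sevFirmwareDigest":"cc33"}}}
"""


def parse_launch_events(text: str) -> List[dict]:
    """Pull instance id, timestamp, pass/fail and firmware digest out of raw entries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        report = entry.get("jsonPayload", {}).get("sevLaunchAttestationReportEvent")
        if report is None:
            continue  # some other integrity event; not a Confidential VM launch report
        events.append({
            "instance_id": entry["resource"]["labels"]["instance_id"],
            "timestamp": entry["timestamp"],
            "passed": bool(report.get("integrityEvaluationPassed")),
            "digest": report.get("sevFirmwareDigest"),
        })
    return events


def evaluate_baselines(events: List[dict]) -> Tuple[Dict[str, str], List[str]]:
    """First report per instance sets its baseline; every later report must match.

    Returns (baseline map, list of alert strings an operator could route to a pager)."""
    baselines: Dict[str, str] = {}
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):  # ISO-8601 sorts lexically
        iid = ev["instance_id"]
        if not ev["passed"]:
            alerts.append(f"{iid}@{ev['timestamp']}: platform reported integrity failure")
        if iid not in baselines:
            baselines[iid] = ev["digest"]  # first launch establishes the baseline
        elif ev["digest"] != baselines[iid]:
            alerts.append(f"{iid}@{ev['timestamp']}: firmware digest {ev['digest']} "
                          f"differs from baseline {baselines[iid]}")
    return baselines, alerts


if __name__ == "__main__":
    base, found = evaluate_baselines(parse_launch_events(SAMPLE_LOG))
    print(base)
    print(*found, sep="\n")
```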
The second capability Google has added to Confidential VMs is new policy controls, which will allow users to use IAM Org Policy to define specific access privileges for Confidential VMs. Users will also be able to disable any non-confidential VMs running in their project. Once this policy is applied, any attempt to start a non-confidential VM within that project will fail.
Google has also provided integration with other enforcement mechanisms. Users can combine Shared VPCs, organisation policy constraints, and firewall rules to ensure Confidential VMs can only interact with other Confidential VMs, even when those VMs live in different projects. Furthermore, users can use VPC Service Controls to define a perimeter of GCP resources for their Confidential VMs.
Lastly, Google has added a feature to ensure that secrets are shared securely. Confidential VMs can use the virtual Trusted Platform Module (vTPM), and with the go-tpm open source library users can call APIs to bind their secrets to the vTPM of their Confidential VM.