
Azure Confidential VMs Deep Dive

Introduction

In a couple of my previous posts on related technologies, I explored Securing Data in Use Using Confidential Computing and Confidential Computing Implementation Methodologies.

In this post, we’ll be focusing on Azure Cloud Platform’s Confidential Computing Virtual Machines and their advantages.

Tenants with stringent security and privacy requirements can use confidential virtual machines (VMs). A Confidential VM is a form of IaaS virtual machine that encrypts and protects your data and apps even while they are in use. Azure’s confidential computing provides VMs with AMD CPUs and SEV-SNP technology.

The Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technology provides many protections, such as memory encryption, unique CPU keys, encryption for the processor register state, and strong integrity protection, among many others. Confidential VMs combine AMD SEV-SNP with Azure technologies, such as full-disk encryption and Azure Key Vault Managed HSM, to create confidential virtual machines. You may encrypt data in use, in transit, and at rest using private keys.

Confidential VM’s Benefits

  • Encryption for “data in use,” including the processor state and the memory of the virtual machine. The CPU generates the keys, which never leave it.
  • Before a confidential VM is initialized, the host must be attested to ensure its complete health and compliance.
  • “Data at rest” encryption. A Hardware Security Module (HSM) can be used to protect the keys, which are controlled only by the tenant.
  • New UEFI boot architecture that supports the guest operating system and provides improved security settings and capabilities.
  • A dedicated virtual Trusted Platform Module (TPM) instance. In addition to providing services for secure key management, this feature verifies that the VM is in good health. Supports BitLocker use cases.

Microsoft is always working to improve the feature matrix, security, supported operating systems, supported regions, and so on for Confidential VMs. Not all VM sizes, operating systems, and regions support Confidential VMs. I suggest you look at Microsoft’s official documentation for the most recent information about VM sizes, supported operating systems, supported regions, pricing, feature support, and any other limitations.

Does using confidential VMs cost anything extra?

  1. Since confidential VMs are available in specific sizes, costs may vary from those of general-purpose VMs.
  2. Confidential VMs use a small encrypted virtual machine guest state (VMGS) disk of several megabytes to wrap up the security state of VM components like the vTPM and UEFI bootloader. This disk could lead to a monthly fee for storage.
  3. If you choose to use the optional full-disk encryption, encrypted OS disks will cost more because they take up more space, as encrypted VMs can’t be compressed.

Deploying a Confidential VM

You can use the Azure portal to create a confidential VM based on an Azure Marketplace image. After signing in to the Azure portal, search for Virtual Machine to deploy a confidential VM.

Choose a supported region for Confidential VMs, then change the security type to Confidential VM.

Choose the Security feature

Choose the supported Confidential VM Image

Choose the appropriate image from Azure Marketplace

Select the appropriate VM size

Choose Disk Encryption if required

Click on Create Virtual Machine once all validation has passed.
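
To confirm after deployment that the security type, vTPM, Secure Boot and disk encryption choices made above actually took effect, the following added example (not from the original post) audits the JSON that `az vm show` returns. The sample document is constructed, the property names are those of the Azure Compute VM resource, and the fail/warn/info severities are assumptions of this example.

```python
import json

# Constructed sample shaped like `az vm show -g <rg> -n <vm> -o json` output.
SAMPLE_VM = json.loads("""
{
  "name": "cvm-demo",
  "securityProfile": {
    "securityType": "ConfidentialVM",
    "uefiSettings": {"secureBootEnabled": false, "vTpmEnabled": true}
  },
  "storageProfile": {"osDisk": {"managedDisk": {
    "securityProfile": {"securityEncryptionType": "VMGuestStateOnly"}}}}
}
""")

def dig(doc, *path):
    """Walk nested dicts, returning None when any level is missing or null."""
    for key in path:
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc

def audit_confidential_vm(vm):
    """Return a list of (severity, message) findings for one VM document."""
    findings = []
    sec_type = dig(vm, "securityProfile", "securityType")
    if sec_type != "ConfidentialVM":
        # Any other value means the VM was not deployed as a confidential VM.
        findings.append(("fail", f"securityType is {sec_type!r}, not 'ConfidentialVM'"))
        return findings
    uefi = dig(vm, "securityProfile", "uefiSettings") or {}
    if uefi.get("vTpmEnabled") is not True:
        findings.append(("fail", "vTPM is not enabled"))
    if uefi.get("secureBootEnabled") is not True:
        findings.append(("warn", "Secure Boot is not enabled"))
    enc = dig(vm, "storageProfile", "osDisk", "managedDisk",
              "securityProfile", "securityEncryptionType")
    if enc == "VMGuestStateOnly":
        # Only the small VMGS disk is encrypted; full OS disk encryption was not chosen.
        findings.append(("info", "OS disk not confidentially encrypted (VMGS only)"))
    elif enc != "DiskWithVMGuestState":
        findings.append(("warn", f"securityEncryptionType is {enc!r}; review manually"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_confidential_vm(SAMPLE_VM):
        print(f"{severity.upper():5} {SAMPLE_VM['name']}: {message}")
```
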

I hope this is informative for you; please do share it if you find it worth sharing.