Confidential VM instances are a type of Compute Engine virtual machine. Confidential VM includes inline hardware-based memory encryption to help ensure data and applications cannot be read or modified during processing or while in use (i.e., data-in-use encryption).
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
confidential_vm | Confidential VM | protect | minimal | T1212 | Exploitation for Credential Access | Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM generates encryption keys in dedicated hardware that is inaccessible to the hypervisor, protecting against Exploitation for Credential Access from outside the VM. |
confidential_vm | Confidential VM | protect | partial | T1552.007 | Container API | Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Confidential VM can be used with Google Kubernetes Engine nodes to encrypt data in use for these workloads. |
confidential_vm | Confidential VM | protect | significant | T1565.003 | Runtime Data Manipulation | Confidential VM main memory encryption is performed using dedicated hardware within the memory controllers. Each controller includes a high-performance Advanced Encryption Standard (AES) engine. The AES engine encrypts data as it is written to DRAM or shared between sockets, and decrypts it when the data is read. |