Shielded VMs provide hardened Compute Engine instances with Secure Boot, vTPM, and integrity monitoring for enhanced security and boot integrity.
What are Google Cloud Shielded VMs?
Shielded VMs are hardened Compute Engine instances that offer additional security features to protect VMs from rootkits, bootkits, and other boot-level attacks. The service rests on three technologies: Secure Boot, which verifies the integrity of the bootloader and kernel; the Virtual Trusted Platform Module (vTPM), which provides secure key storage and Measured Boot; and integrity monitoring, which detects changes to the boot process.
These features prevent malware loading during the boot process and enable verification that VMs are running in a trusted state. Shielded VMs use UEFI firmware instead of BIOS for a modern, secure boot process. The vTPM stores measurements of each boot component that can be used for attestation.
Shielded VMs incur no additional costs and can be enabled for any compatible VM. Most Google-provided OS images support Shielded VM features. Custom images must be UEFI-compatible. Integrity events are logged to Cloud Logging and can be used for alerts.
Common Use Cases
Security-Critical Production Workloads
A financial services company enables Shielded VMs for all production systems. Secure Boot prevents tampered bootloaders from loading, and integrity monitoring alerts on boot anomalies. The security team receives immediate notification of potential compromises.
Compliance for Regulated Industries
A healthcare company uses Shielded VMs for HIPAA-compliant workloads. Boot integrity verification documents for auditors that the VMs have not been tampered with. The vTPM enables secure key storage for encryption applications.
Protection Against Persistent Malware
An e-commerce company protects web servers with Shielded VMs. Rootkits that would infect the boot process are blocked by Secure Boot. On suspected compromise, the vTPM provides attestation data for forensic analysis.
Secure Development Environments
A technology company enables Shielded VMs for developer workstations in the cloud. Secure Boot prevents unsigned drivers from loading, and integrity monitoring detects unauthorized changes. CI/CD pipelines verify VM integrity before deployments.
Integration with innFactory
As a Google Cloud partner, innFactory supports you with Shielded VMs: activation, image compatibility, integrity monitoring setup, and compliance implementation.
Contact us for a consultation on Shielded VMs and Google Cloud security.
Available Tiers & Options
Shielded VMs
- No additional cost
- Secure Boot
- Integrity monitoring
- vTPM support
- Requires compatible images
Frequently Asked Questions
What are Google Cloud Shielded VMs?
Shielded VMs are hardened Compute Engine instances with additional security features. They use Secure Boot, Virtual Trusted Platform Module (vTPM), and integrity monitoring to verify boot integrity and protect against rootkits and bootkits.
Do Shielded VMs cost extra?
No, Shielded VMs incur no additional costs. The security features are included in the standard Compute Engine price. You can enable Shielded VM features for any standard VM.
What is Secure Boot?
Secure Boot verifies that the bootloader and OS kernel are digitally signed by Google or a trusted vendor. This prevents loading malware or tampered bootloaders at VM startup.
What does the vTPM do?
The Virtual Trusted Platform Module (vTPM) stores cryptographic keys and measurements of the boot process. It enables disk encryption with Measured Boot, attestation, and secure key storage.
How does integrity monitoring work?
Integrity monitoring compares boot measurements with a baseline. Deviations trigger an integrity failure in Cloud Logging. You can configure alerts to be notified of boot compromises.
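The comparison described above, as an added example that is not part of this page or of Google's or innFactory's own tooling: a small Python evaluator that takes Shielded VM integrity events as they would be exported from Cloud Logging, ignores unrelated entries, and for every boot phase whose policy evaluation did not pass reports which PCR measurements differ from the baseline. The entry layout used here (jsonPayload "@type" of cloud_integrity.IntegrityEvent, earlyBootReportEvent and lateBootReportEvent with policyEvaluationPassed, policyMeasurements and actualMeasurements) reflects the documented log format as understood by the author and is an assumption; all sample entries are constructed.

```python
"""Evaluate Shielded VM integrity events (added example; log layout is an assumption)."""
from dataclasses import dataclass, field

# Assumed @type of Shielded VM integrity events in Cloud Logging.
INTEGRITY_EVENT_TYPE = "type.googleapis.com/cloud_integrity.IntegrityEvent"


@dataclass
class IntegrityFinding:
    instance_id: str
    boot_counter: int
    phase: str                      # "earlyBoot" or "lateBoot"
    changed_pcrs: list = field(default_factory=list)


def _measurement_map(measurements):
    # PCR name -> (hash algorithm, value), so baseline and actual can be compared per PCR.
    return {m["pcrNum"]: (m["hashAlgo"], m["value"]) for m in measurements}


def changed_pcrs(report):
    """Names of PCRs whose actual measurement differs from (or is missing in) the baseline."""
    policy = _measurement_map(report.get("policyMeasurements", []))
    actual = _measurement_map(report.get("actualMeasurements", []))
    return sorted(p for p in set(policy) | set(actual) if policy.get(p) != actual.get(p))


def evaluate_entry(entry):
    """Findings for one log entry; empty list when the boot matched the baseline."""
    payload = entry.get("jsonPayload", {})
    if payload.get("@type") != INTEGRITY_EVENT_TYPE:
        return []                   # syslog, audit logs etc. are not integrity events
    instance_id = entry.get("resource", {}).get("labels", {}).get("instance_id", "unknown")
    boot_counter = int(payload.get("bootCounter", 0))
    findings = []
    for phase in ("earlyBoot", "lateBoot"):
        report = payload.get(phase + "ReportEvent")
        if report is None:
            continue                # phase not reported in this entry
        # Anything other than an explicit pass is treated as a failure (fail closed).
        if report.get("policyEvaluationPassed") is True:
            continue
        findings.append(IntegrityFinding(instance_id, boot_counter, phase, changed_pcrs(report)))
    return findings


def evaluate_entries(entries):
    """Flatten findings over a batch of exported log entries."""
    return [f for e in entries for f in evaluate_entry(e)]


# --- constructed sample data (not real measurements) ---------------------------
_PCR0, _PCR7, _PCR8_BASE, _PCR8_NEW = "a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32


def _m(pcr, value):
    return {"hashAlgo": "SHA256", "pcrNum": pcr, "value": value}


def _entry(boot_counter, early_ok, late_ok, pcr8_actual):
    return {
        "logName": "projects/example-project/logs/compute.googleapis.com%2Fshielded_vm_integrity",
        "resource": {"type": "gce_instance", "labels": {"instance_id": "1234567890"}},
        "jsonPayload": {
            "@type": INTEGRITY_EVENT_TYPE,
            "bootCounter": str(boot_counter),
            "earlyBootReportEvent": {
                "policyEvaluationPassed": early_ok,
                "policyMeasurements": [_m("PCR_0", _PCR0), _m("PCR_7", _PCR7)],
                "actualMeasurements": [_m("PCR_0", _PCR0), _m("PCR_7", _PCR7)],
            },
            "lateBootReportEvent": {
                "policyEvaluationPassed": late_ok,
                "policyMeasurements": [_m("PCR_8", _PCR8_BASE)],
                "actualMeasurements": [_m("PCR_8", pcr8_actual)],
            },
        },
    }


SAMPLE_ENTRIES = [
    _entry(3, True, True, _PCR8_BASE),                       # clean boot
    {"logName": "projects/example-project/logs/syslog",      # unrelated entry, ignored
     "jsonPayload": {"message": "sshd started"}},
    _entry(4, True, False, _PCR8_NEW),                       # late-boot PCR_8 deviates
]

if __name__ == "__main__":
    for finding in evaluate_entries(SAMPLE_ENTRIES):
        print(f"instance {finding.instance_id} boot {finding.boot_counter}: "
              f"{finding.phase} integrity failure, changed PCRs {finding.changed_pcrs}")
```

The fail-closed choice matters in practice: an entry that carries a report without an explicit pass is surfaced rather than silently accepted. In a real deployment the same predicate (an integrity event whose early or late boot policyEvaluationPassed is false) is what a log-based alert on the shielded_vm_integrity log would match; the code here is useful for replaying exported entries during triage to see exactly which PCRs moved.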
Which images support Shielded VMs?
Most Google-provided images (Debian, Ubuntu, CentOS, Windows Server) support Shielded VMs. Custom images must be UEFI-compatible and can be exported with Shielded VM features.
