Shielded VM
A security feature in Google Cloud that protects virtual machines against rootkits, bootkits, and other malicious activities targeting the boot process and kernel integrity.
| Category | Infrastructure Security & Hardening |
|---|---|
| Pricing Details | No additional costs; included with Google Cloud Compute Engine. |
| Target Audience | Cloud administrators, security professionals, and organizations using Google Cloud. |
Shielded VM in Google Cloud is designed to protect virtual machines (VMs) against rootkits, bootkits, and other malicious activities that target the boot process and kernel integrity. Here’s a technical overview of its architecture and operational considerations:
Shielded VMs combine three platform security features to harden the boot chain:
- Secure Boot: Ensures that only authenticated software is loaded during boot by verifying the digital signature of every boot component (firmware, bootloader, kernel). This is implemented with UEFI 2.3.1 firmware and Google's Certificate Authority.
- Virtual Trusted Platform Module (vTPM): A virtualized TPM that validates the guest VM's pre-boot and boot integrity, generates and protects encryption keys, and enables measured boot, whose measurements form the integrity policy baseline.
- Integrity Monitoring: Compares each boot's measurements against the established baseline and reports any deviation, producing tamper-evident attestation claims in Cloud Logging and Cloud Monitoring.
To enable Shielded VM on an existing instance, stop it, update its configuration to turn on vTPM and integrity monitoring, and optionally Secure Boot (only if the guest uses no custom or unsigned drivers or kernel modules, since those would fail signature verification). This can be done through the Google Cloud console, gcloud commands in Cloud Shell, or Terraform configurations.
- Enabling Shielded VM: Requires explicit configuration for each VM instance or through organizational policies to enforce Shielded VM for all new instances.
- Compatibility and Standards: vTPM is compatible with the Trusted Computing Group TPM 2.0 specification and is FIPS 140-2 Level 1 validated.
- Monitoring and Logging: Integrity reports are available in Cloud Monitoring, and detailed logs can be reviewed in Cloud Logging to identify any integrity failures or changes.
- No Additional Costs: There is no separate charge for using Shielded VMs; the feature is included with Google Cloud Compute Engine.
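The following Terraform configuration is an added example, not code from the page or from Google's own documentation. It shows the three Shielded VM options enabled on a Compute Engine instance and a project-level organization policy that forces Shielded VM for every new instance, as the enabling procedure above describes. The project id, zone, instance name and image family are placeholders; `enable_secure_boot` is the one setting to turn off if the guest needs unsigned drivers.

```hcl
# Added example (not from the page or Google's docs). Project id, zone,
# names and image family are placeholders; adjust them before applying.

provider "google" {
  project = "example-project-id"   # placeholder
  region  = "us-central1"
}

# Shielded VM needs a boot image that supports it; Google's public Debian
# images do. Assumption: the debian-12 family exists in your project's region.
data "google_compute_image" "boot" {
  family  = "debian-12"
  project = "debian-cloud"
}

resource "google_compute_instance" "shielded" {
  name         = "shielded-example"   # placeholder
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = data.google_compute_image.boot.self_link
    }
  }

  network_interface {
    network = "default"
    # No access_config block, so the VM gets no public IP address.
  }

  # All three Shielded VM features. Secure Boot is the only one that can break
  # a guest: set it to false only if custom or unsigned drivers are required.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}

# Organization policy constraint so that new instances in the project cannot
# be created without Shielded VM, regardless of who creates them.
resource "google_project_organization_policy" "require_shielded_vm" {
  project    = "example-project-id"   # placeholder
  constraint = "compute.requireShieldedVm"

  boolean_policy {
    enforced = true
  }
}
```

The same change on a running instance with gcloud is `gcloud compute instances stop`, then `gcloud compute instances update INSTANCE --shielded-vtpm --shielded-integrity-monitoring --shielded-secure-boot`, then `start`. After an expected change to the boot chain (a kernel or bootloader update), re-baselining with `gcloud compute instances update INSTANCE --shielded-learn-integrity-policy` keeps integrity monitoring from flagging the new boot as a failure.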
Shielded VM hardens the boot chain, but it does not replace other essential practices such as patching, closing unnecessary management ports, and avoiding public IP addresses on VMs. The integrity policy baseline must also be updated after expected system changes; otherwise the next boot is reported as an integrity failure even though nothing malicious happened.