Confidential Virtual Machine overview

With the deployment of aleph-vm 1.0.0 client, we are glad to announce the release of Confidential Virtual Machines on Aleph Cloud.

The biggest challenge to date was to deploy Confidential Virtual Machines. These decentralized virtual machines leverage cutting-edge hardware-based encryption to ensure that your data and applications remain fully protected, even during processing.

By deploying Confidential VM instances on Aleph Cloud, you unlock the following key advantages:

• Full Isolation: Encryption keys are generated and managed entirely by dedicated hardware, ensuring that no external entity, including the hypervisor, can access or tamper with them
• Secure Attestation: You can validate the identity and integrity of your VM to guarantee that critical components remain untempered and secure throughout their lifecycle.

This level of security is achieved through a Trusted Execution Environment (TEE), ensuring true data confidentiality across decentralized infrastructure. Enable Confidential VM service easily when setting up your Aleph Cloud virtual machines for enhanced privacy and security.

Feature

Virtual Machines (VMs)

Confidential Virtual Machines (CVMs)

Data Security

Standard security, data may be exposed during processing

Hardware-based memory encryption ensures data confidentiality during processing

Encryption

Typically applied to data at rest or in transit

Encryption extends to data in use (while being processed in memory)

Isolation

Basic isolation through the hypervisor

Full isolation with encryption keys inaccessible to the hypervisor

Trusted Execution Environment (TEE)

Not available or optional depending on the platform

Utilizes a TEE to secure execution and ensure the integrity of sensitive operations

Attestation

Not generally available

Provides attestation to verify the VM’s identity and integrity, ensuring it hasn’t been tampered with

Use Case

General-purpose workloads, less focus on sensitive data protection

High-security workloads requiring data confidentiality during execution

Threat Model

Focuses on protection from external attacks

Protects against internal and external threats, including privileged users or compromised hypervisors

Performance

Standard performance

Slight performance overhead due to encryption and TEE mechanisms

Availability

Widely available on most cloud platforms

More specialized, requires specific hardware support for confidential computing

Deployment Complexity

Straightforward deployment, often pre-configured in cloud platforms

Similar deployment process with added configuration for confidentiality features

The table highlights the key distinctions between standard virtual machines and confidential virtual machines, focusing on enhanced security features that make CVMs suitable for sensitive data processing.

This aids in protecting the confidentiality of your data even if a malicious VM finds a way into your VM’s memory, or a compromised hypervisor reaches into a guest VM.

The Confidential VM labeled as beta, only means that not all node operators are able to provide such technology.