Confidential Virtual Machine overview
With the deployment of aleph-vm 1.0.0 client, we are glad to announce the release of Confidential Virtual Machines on Twentysix Cloud.
The biggest challenge to date was to bring Confidential Virtual Machines on aleph.im. These decentralized virtual machines leverage cutting-edge hardware-based encryption to ensure that your data and applications remain fully protected, even during processing.
By deploying Confidential VM instances on aleph.im, you unlock the following key advantages:
• Full Isolation: Encryption keys are generated and managed entirely by dedicated hardware, ensuring that no external entity, including the hypervisor, can access or tamper with them
• Secure Attestation: You can validate the identity and integrity of your VM to guarantee that critical components remain untempered and secure throughout their lifecycle.
This level of security is achieved through a Trusted Execution Environment (TEE), ensuring true data confidentiality across decentralized infrastructure. Enable Confidential VM service easily when setting up your Aleph.im virtual machines for enhanced privacy and security.
Feature
Virtual Machines (VMs)
Confidential Virtual Machines (CVMs)
Data Security
Standard security, data may be exposed during processing
Hardware-based memory encryption ensures data confidentiality during processing
Encryption
Typically applied to data at rest or in transit
Encryption extends to data in use (while being processed in memory)
Isolation
Basic isolation through the hypervisor
Full isolation with encryption keys inaccessible to the hypervisor
Trusted Execution Environment (TEE)
Not available or optional depending on the platform
Utilizes a TEE to secure execution and ensure the integrity of sensitive operations
Attestation
Not generally available
Provides attestation to verify the VM's identity and integrity, ensuring it hasn’t been tampered with
Use Case
General-purpose workloads, less focus on sensitive data protection
High-security workloads requiring data confidentiality during execution
Threat Model
Focuses on protection from external attacks
Protects against internal and external threats, including privileged users or compromised hypervisors
Performance
Standard performance
Slight performance overhead due to encryption and TEE mechanisms
Availability
Widely available on most cloud platforms
More specialized, requires specific hardware support for confidential computing
Deployment Complexity
Straightforward deployment, often pre-configured in cloud platforms
Similar deployment process with added configuration for confidentiality features
The table highlights the key distinctions between standard virtual machines and confidential virtual machines, focusing on enhanced security features that make CVMs suitable for sensitive data processing.
This aids in protecting the confidentiality of your data even if a malicious VM finds a way into your VM’s memory, or a compromised hypervisor reaches into a guest VM.
The Confidential VM labeled as beta, only means that not all node operators are able to provide such technology.