GCP – From clicks to clusters: Expanding Confidential Computing with Intel TDX
Privacy-protecting Confidential Computing has come a long way since we introduced Confidential Virtual Machines (VMs) five years ago. The technology protects data while it is in use, closing the security gap left by encryption at rest and in transit.
Since then, customers have used Confidential Computing to protect patient medical data, comply with privacy guidance of GDPR and Schrems II for U.S.-Europe data transfers, and run high-performance computing (HPC) workloads securely.
By isolating workloads in hardware-based Trusted Execution Environments (TEEs), Confidential Computing empowers customers to process their most sensitive information in the public cloud with assurance.
As part of the advancements we’ve made with Confidential Computing, we added even more security capabilities with the introduction of Confidential VMs with Intel Trust Domain Extensions (TDX) last year. Intel TDX creates an isolated trust domain (TD) in a VM, uses hardware extensions for managing and encrypting memory to protect cloud workloads, and offers hardware-based remote attestation for verification.
Today, we are excited to highlight our greatly expanded, and generally available, Intel TDX-based offerings, which include Confidential GKE Nodes, Confidential Space, Confidential GPU, and more regions and zones where customers can use Confidential Computing.
Click to create a Confidential VM
Google Cloud Console now offers Google Compute Engine (GCE) customers a new interface for Intel TDX — no code changes required. To get started, follow these steps:
- Start at the GCE Create an instance page.
- Go to the Security tab and, under Confidential VM service, click Enable.
- Then select Intel TDX from the dropdown menu and click Confirm.
It’s that simple to create a Confidential VM.
Create a new Confidential VM with Intel TDX in the Google Cloud console.
Get Confidential Computing in more regions and zones
Confidential VMs with Intel TDX were first available in three regions (and nine zones). To accommodate growing demand, we’ve expanded support for Intel TDX on the C3 machine series to 10 regions (and 21 zones), and we are planning more for the future. The full list is available here. As regional availability and scalability are critical, your account team is available to help you plan early to ensure your capacity needs are met.
Confidential GKE Nodes with Intel TDX, now generally available
Confidential GKE Nodes are built on top of Confidential VM and deliver hardware-based protections to your Google Kubernetes Engine (GKE) clusters and node pools to ensure that your containerized workloads remain encrypted in memory. Today, Confidential GKE Nodes are generally available with Intel TDX on GKE Standard and GKE Autopilot.
Confidential GKE Nodes with Intel TDX on the C3 machine series can be created on GKE Standard via CLI, API, UI, and Terraform. The confidential setting can be set at the cluster level or the node pool level with no code changes. You can learn more here.
Confidential GKE Nodes with Intel TDX on the C3 machine series can also be created on GKE Autopilot. It can be enabled through the use of custom compute classes. In GKE, a compute class is a profile that consists of a set of node attributes that GKE uses to provision the nodes that run your workloads during autoscaling events. Check out our documentation to get started.
Confidential Space with Intel TDX, now generally available
Also built on Confidential VM, our Confidential Space offering is a robust solution for many common issues including addressing insider threats, enabling joint machine-learning training and private gen AI inference, and fostering multi-party collaboration on sensitive data. Here are just a few examples of what our customers have built with Confidential Space:
- Confidential matching enabled customers to securely connect their first-party data for Google Ads measurement and audience solutions.
- Symphony demonstrated with its Confidential Cloud how SaaS companies can guarantee isolation of customer data from privileged insiders in the highly regulated financial industry.
- Duality delivered privacy-preserving federated learning solutions for a broad range of use cases in healthcare, financial services, and the public sector.
- Flare spearheaded innovation in verifiable AI on blockchain.
Previously, Confidential Space was only available with AMD-based technology and hardware (on the N2D, C2D, C3D, and C4D machine series), but now it is also available with Intel-based technology and hardware. This is ideal for those wanting attestation guarantees with a hardware root of trust and for those focused on Intel’s C3 machine series.
Additionally, Confidential Space with Intel TDX is measured into runtime measurement registers (RTMRs), and those measurements are verified by Google Cloud Attestation. Note that for Confidential VMs with Intel TDX, RTMRs are now populated as well. Confidential Space benefits are highlighted in NCC Group’s latest independent security evaluation.
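As an added example (not code from this post or from Google Cloud), here is the relying-party side of the attestation flow described above: a policy check over decoded attestation claims that pins the workload to Intel TDX, a non-debug Confidential Space image, and an approved container digest before a key is released. The issuer URL and claim names are assumptions about the Google Cloud Attestation token format and should be checked against the current documentation.

```python
import time

# Assumed values: the Google Cloud Attestation issuer URL and the Confidential
# Space claim names below are my reading of the token format, not taken from
# the post; check them against the current attestation token documentation.
ISSUER = "https://confidentialcomputing.googleapis.com"

def check_attestation(claims, expected_digest, hwmodel="GCP_INTEL_TDX", now=None):
    """Return policy violations for decoded claims; an empty list means release the secret."""
    # Signature verification against the issuer's keys is assumed to be done already.
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("unexpected issuer")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("swname") != "CONFIDENTIAL_SPACE":
        problems.append("workload is not running in Confidential Space")
    if claims.get("hwmodel") != hwmodel:  # pin the TEE: TDX here, not SEV
        problems.append(f"hardware model {claims.get('hwmodel')!r} is not {hwmodel!r}")
    if claims.get("dbgstat") != "disabled-since-boot":
        problems.append("debug mode enabled: do not release secrets")
    if claims.get("secboot") is not True:
        problems.append("secure boot not reported as enabled")
    submods = claims.get("submods", {})
    support = submods.get("confidential_space", {}).get("support_attributes", [])
    if "STABLE" not in support:
        problems.append("Confidential Space image is not a STABLE release")
    digest = submods.get("container", {}).get("image_digest")
    if digest != expected_digest:  # only the approved workload image may get the key
        problems.append(f"image digest {digest!r} is not the approved workload")
    return problems

# Constructed sample of decoded claims for a TDX workload (not a real token).
APPROVED_DIGEST = "sha256:" + "ab" * 32
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "exp": 1_800_000_000,
    "hwmodel": "GCP_INTEL_TDX",
    "swname": "CONFIDENTIAL_SPACE",
    "dbgstat": "disabled-since-boot",
    "secboot": True,
    "submods": {
        "confidential_space": {"support_attributes": ["LATEST", "STABLE", "USABLE"]},
        "container": {"image_digest": APPROVED_DIGEST},
    },
}
```

The same conditions are what you would encode in a workload identity pool attribute condition; evaluating them in code makes it easy to test the refusal cases (debug image, wrong TEE, wrong digest) before deploying.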
Confidential VM and Confidential GKE Nodes with NVIDIA H100 GPUs, now generally available
If you’re looking for performance and security while protecting data in use, Confidential VM and Confidential GKE Nodes with NVIDIA H100 GPUs on the accelerator-optimized A3 machine series are now generally available. These offerings deliver Google Cloud’s first Confidential GPUs, focus on ease of use to meet the demand for secure computing, and extend protection to data-intensive AI and ML workloads by enabling Intel TDX on the CPU and NVIDIA Confidential Computing on the GPU. You can now secure your data during inference and training across models without sacrificing performance.
Confidential VM with NVIDIA H100 GPUs is available with the a3-highgpu-1g machine type and in three zones: europe-west4-c, us-central1-a, and us-east5-a. No code changes are needed for most AI and ML workloads. For pricing details, see here. Confidential GKE Nodes with NVIDIA H100 GPUs are generally available on both GKE Standard and GKE Autopilot (through custom compute class). To get started, click here.
Confidential Space with NVIDIA H100 GPUs is also available in preview.
Intel has a free tier for independent attestation
Intel’s attestation verifier service, Intel Tiber Trust Authority, now has a free tier. Google Cloud Confidential VMs and Confidential Space are both integrated with Intel Tiber Trust Authority as a third-party attestation service, and the new free tier (with optional paid support) makes independent attestation more accessible for all.
When Confidential VM and Confidential Space customers use Intel Tiber Trust Authority, they can gain stronger separation of duties security guarantees. Click here to learn more.
What our customers say
“Thanks to the joint efforts of Super Protocol, Google Cloud, and NVIDIA, the world now gains a new layer of possibility — unlocking Confidential AI without cloud borders. With A3 Confidential VMs built on NVIDIA H100 GPUs now integrated into Super’s decentralized infrastructure and marketplace, companies can securely run, monetize, and collaborate on sensitive AI and data — across any environment. This enables seamless collaboration between Google Cloud customers and partners in other clouds — with no need for shared trust, manual agreements, or compromise. For the broader market, A3 instances at scale accelerate global access, while Super ensures confidentiality, verifiability, and self-sovereignty — fully automated and requiring no expertise in confidential computing. We are excited to open this next chapter of Confidential AI, built to work wherever you and your partners are,” said Nukri Basharuli, founder and CEO, Super Protocol.
“We’re proud to have partnered with Google Cloud to validate their Confidential Computing-enabled GPU solution — a major step forward in securing sensitive data for AI and machine learning workloads, without compromising on performance or scalability. Confidential Computing allows organizations to process sensitive workloads in the cloud while protecting sensitive data and models from both the cloud provider and the organization’s insiders and internal threats. However, for gen AI and agentic AI use cases, protecting the CPU alone isn’t enough — both CPU and GPU must also run in confidential mode with mutual trust. With Google Cloud’s new offering, Anjuna can now launch Confidential Containers that leverage Intel TDX and NVIDIA H100 GPUs in confidential mode. This ensures that data, configurations, secrets, and code remain protected end-to-end from any untrusted entity, bringing state-of-the-art security for sensitive data,” said Steve Van Lare, CTO, Anjuna Security.
“With data processing worldwide growing up to three times faster than ever before and doubling every six months, the future of cloud computing must be built on trust. In collaboration with Google, Modelyo leverages Confidential VMs on the A3 machine series with NVIDIA H100 GPUs, transforming Confidential Computing into a seamless, intuitive, and fully integrated cloud experience. This enables us to deliver end-to-end managed solutions across interconnected environments, empowering organizations to innovate confidently knowing their data remains effortlessly protected at every stage,” said Benny Meir, CEO, Modelyo.
How to get started with Confidential Computing
To add that extra layer of protection and privacy to your sensitive workloads, check out our documentation for Confidential VMs and Confidential GKE Nodes today.