Shielded VM

Shielded VM protects Compute Engine VMs from boot- and kernel-level malware.

Vendor

Google

Company Website

Product details

Shielded VM is a security feature designed to protect Google Compute Engine VM instances by ensuring their integrity against boot- and kernel-level threats. It uses secure and measured boot capabilities along with a virtual Trusted Platform Module (vTPM) to verify the identity of VMs and protect against malicious modifications.

Key Features

  • Secure Boot: Prevents malicious code from loading during the boot process.
  • Measured Boot: Ensures the integrity of the bootloader, kernel, and boot drivers.
  • vTPM (Virtual Trusted Platform Module): Provides a virtual root of trust to verify VM identity and securely store sensitive data.
  • Trusted Firmware (UEFI Secure Boot): Based on UEFI 2.3.1, replacing legacy BIOS for enhanced security.
  • Integrity Monitoring and Logging: Offers tamper-evident attestation claims in Cloud Logging and Cloud Monitoring to detect deviations from baseline conditions.
  • Policy Control: Allows setting policies to enforce the use of Shielded VM disk images for new instances.

Benefits

  • Enhanced Security: Protects against malicious project insiders, guest firmware threats, and kernel-level vulnerabilities.
  • Confidence in VM Integrity: Provides assurance that VMs have not been compromised.
  • Flexibility and Control: Offers granular control over security features and centralized management through organization policies.
  • No Additional Cost: Available without extra charges for Google Cloud users.