Your submission was sent successfully! Close

Jump to main content

Let’s get confidential! Canonical Ubuntu Confidential VMs are now generally available on Microsoft Azure

On behalf of all Canonical teams, I am happy to announce the general availability of Ubuntu Confidential VMs (CVMs) on Microsoft Azure! They  are part of the Microsoft Azure DCasv5/ECasv5 series, and only take a few clicks to enable and use. Ubuntu 20.04 is the first and only Linux distribution to support Confidential VMs on Azure.

What are Ubuntu CVMs?

Ubuntu CVMs use the latest security extensions of the third generation of AMD CPUs, Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). As such, they bring about a fundamental shift in the traditional threat model of public clouds. Traditionally,  any vulnerability within the millions of lines of code in the cloud’s privileged system software (OS, hypervisor, firmware) would systematically compromise the confidentiality and integrity of your running code and data. The same could be said for any undue access to your VM and/or its platform by a malicious cloud administrator. 

Ubuntu CVMs are here to give you back control over the security guarantees of your VMs. They do this by allowing you to run your workload within a logically isolated hardware-rooted execution environment.  Your trusted computing base is dramatically reduced to your application and the platform’s underlying hardware CPU, and nothing else. In other words, a compromised host OS or an angry cloud administrator can no longer access your data nor alter your code’s execution. 

How do Ubuntu confidential VMs work?

Ubuntu CVMs achieve such strong security guarantees by securing your VMs throughout their entire lifecycle:

1.At run-time
Using AMD SEV-SNP, your VM’s code and data are encrypted when they are being operated on in the system memory. The encryption leverages the newest AES-128 hardware encryption engine embedded in the CPU’s memory controller. The encryption key is further protected and managed by the AMD Secure Processor.

2. At rest
Your entire workload is encrypted using Ubuntu-enhanced full disk encryption capabilities. The encryption key is itself stored encrypted in your VM’s virtual disk. It’s then  bound to the virtual TPM (vTPM) associated with your instance. Finally, the vTPM is itself part of the guest VM address space, and enjoys the same run-time security guarantees provided by the AMD SEV-SNP extensions to the entire VM instance.

3. At boot time
Before booting the VM, the platform provides a hardware-rooted signed attestation which can be used to verify the OS, firmware and platform boot measurements.

Part of Canonical’s security commitment

With Ubuntu CVMs, Canonical continues its strong commitment to security. This is yet another reason for which developers, end-users and enterprises across the world continue to choose Ubuntu on all major public clouds. With Azure CVM, Ubuntu customers can continue using its extended security maintenance of 10 years,  certified and hardened images and kernel livepatch capabilities,  while enjoying the Ubuntu user experience they have come to love and expect.

Stay tuned for more news on confidential computing 

Azure Confidential VMs only mark the beginning of Ubuntu’s confidential computing capabilities across various public clouds and compute classes. We look forward to sharing more news about our expanding portfolio and learning about the novel ways you are leveraging confidential computing.  

More resources

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

How we designed Ubuntu Pro for Confidential Computing on Azure

Not all data is destined to be public. Moving workloads that handle secret or private data from an on-premise setup to a public cloud introduces a new attack...

Confidential computing in public clouds: isolation and remote attestation explained

In the first part of this blog series, we discussed the run-time (in)security challenge, which can leave your code and data vulnerable to attacks by both the...

What is confidential computing? A high-level explanation for CISOs

Privacy enhancing technologies and confidential computing are two of my favorite topics to talk about! So much so that I am writing this blog post on a sunny...