Security-enhanced instance families provide trusted computing capabilities based on Trusted Cryptography Module (TCM) or Trusted Platform Module (TPM) chips. Some security-enhanced instance families, including g7t, c7t, and r7t, also provide SGX encrypted computing based on Intel® Software Guard Extensions (SGX), a trusted confidential environment that offers a higher degree of security.

Trusted computing

Security-enhanced instance families integrate TPM or TCM chips into the hardware platform and use them as the Root of Trust (RoT). Together with the Unified Extensible Firmware Interface (UEFI) firmware, a vTPM or vTCM, and a remote attestation service, they implement startup measurement and integrity verification for instances. These measures ensure that security-enhanced instances are secure and trusted.
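The startup measurement and integrity verification described above rests on the TPM PCR extend operation: each boot component's digest is chained into a PCR, and a remote verifier replays the event log and compares the result with a quoted PCR and a known-good value. The following is an added illustration, not code from this product or its attestation service; the boot component names and the single-PCR event log are constructed.

```python
import hashlib

# Constructed example: a simplified measured-boot event log for one PCR.
# Real vTPM event logs (TCG EFI event log) carry more fields; this keeps only
# the measured digests, which is what the PCR extend operation consumes.
PCR_SIZE = 32  # SHA-256 bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend for the SHA-256 bank: new = SHA256(old || digest)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must be SHA-256 digests")
    return hashlib.sha256(pcr + measurement).digest()


def replay_event_log(events):
    """Recompute a PCR from its event log, starting from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for component in events:
        pcr = pcr_extend(pcr, hashlib.sha256(component).digest())
    return pcr


def verify_quote(quoted_pcr: bytes, events, golden_pcr: bytes):
    """Remote-attestation check: the quoted PCR must match both the replayed log
    (the log was not forged) and the golden value (the boot chain is the expected one)."""
    replayed = replay_event_log(events)
    return {
        "log_consistent": replayed == quoted_pcr,
        "matches_golden": quoted_pcr == golden_pcr,
    }


# Constructed boot components measured in order by firmware (stand-ins for UEFI images).
TRUSTED_BOOT = [b"UEFI-firmware-v1", b"shim-bootloader", b"grub", b"kernel-5.10"]
GOLDEN_PCR = replay_event_log(TRUSTED_BOOT)

if __name__ == "__main__":
    # Honest instance: the vTPM quote equals the replayed log and the golden value.
    print(verify_quote(GOLDEN_PCR, TRUSTED_BOOT, GOLDEN_PCR))
    # Tampered instance: a modified bootloader changes the quoted PCR.
    tampered = list(TRUSTED_BOOT)
    tampered[1] = b"shim-bootloader-modified"
    print(verify_quote(replay_event_log(tampered), tampered, GOLDEN_PCR))
```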

For information about the features of the trusted computing capability and how to work with the trusted computing capability, see the following topics:

SGX encrypted computing

If the RoT is implemented in software and that software has security vulnerabilities, data security cannot be guaranteed. The RoT of SGX consists only of hardware, which raises the security level. In addition to instance startup measurement and integrity verification, some security-enhanced instance families, including g7t, c7t, and r7t, expose the confidential computing capability of the physical servers to instances based on Intel® SGX. These vSGX instances are assigned encrypted memory.
Note: If you have stricter security and compliance requirements and do not want to share the physical resources of cloud hosts with other tenants, you can purchase dedicated hosts whose physical resources are reserved for the exclusive use of a single tenant to enhance security. For more information, see What is DDH?

SGX uses the Memory Encryption Engine (MEE) in the CPU to encrypt the data held in this protected memory. Encrypted data is decrypted into plaintext only after it enters the CPU, so malicious code cannot extract your private data from memory. Therefore, when you use a vSGX instance, your data remains protected even if the operating system, virtualization stack, or BIOS is compromised. You need only trust the CPU to keep your private data secure. For information about how to use SGX, see Build an SGX encrypted computing environment.

Support of secure computing capabilities of instance families

| Instance family | Trusted computing | SGX encrypted computing |
| --- | --- | --- |
|  | Supported | Supported |
|  | Supported | Not supported |