Confidential Space images

A Confidential Space image is a minimal, single-purpose OS that's run on a Confidential VM instance. It's designed to run a single workload only once, without persistent storage. That workload is layered on top of the Confidential Space image using Docker .

Confidential Space images are built on the existing security enhancements of Container-Optimized OS and add the following benefits:

• Encrypted disk partitions with integrity protection

• Authenticated, encrypted network connections

• Various boot measurements

• Disabled remote access and cloud-specific tooling

Types of images

Confidential Space images are available in two variants:

• Production: The production image is used for running real production workloads with real production data. It is locked down to prevent the workload operator from accessing the processed data. For more information, see Confidential Space security overview .

• Debug: The debug image is used for testing your workload on non-production data. SSH is enabled on the debug image, and the operator has root access to the VM that runs the workload. The VM running the debug image doesn't stop after the workload is complete.

You can set which image type to use when you deploy the workload .

Confidential Space image lifecycle

When you create a Confidential VM using a Confidential Space image, the latest version of the image is used. If you always delete your Confidential VM when your workload is done and create a new one each time you run the workload, then you can be sure the image is up to date.

However, long-running workloads or running a workload on a VM created in the past opens you up to the risk of using an outdated Confidential Space image, which might introduce security vulnerabilities.

To mitigate this, a data collaborator can use support attributes to check if a production Confidential Space image version running on a VM is recent, and deny it access to their data if it doesn't pass.

There are three support attributes:

• LATEST : This is the latest version of the image, and is supported and monitored for vulnerabilities. The LATEST image is also STABLE and USABLE .

• STABLE : This version of the image is supported and monitored for vulnerabilities. A STABLE image is also USABLE .

• USABLE : An image with only this attribute is out of support. Use it at your own risk.

Image versions

You can view the latest Confidential Space images with the following gcloud command:

 gcloud  
compute  
images  
list  
 \ 
  
--project = 
confidential-space-images  
 \ 
  
--no-standard-images 

The following flags can change the returned images in the results:

• Add the --show-deprecated flag to show older images.

• Add --filter="family~'confidential-space$'" flag to show production images.

• Add --filter="family~'confidential-space-debug$'" flag to show debug images.

The following tables detail the available Confidential Space image versions and their support attributes.

Production images

The following table contains Confidential Space image production versions.

Debug images

The following table contains Confidential Space image debug versions.