This document describes how to enable and disable the Shielded VM options on a VM instance. To see which images support Shielded VM features, see OS image security features.
Overview
On a Shielded VM instance, Compute Engine enables the virtual Trusted Platform Module (vTPM) and integrity monitoring options by default. If you disable the vTPM, Compute Engine also disables integrity monitoring, because integrity monitoring relies on data gathered by Measured Boot.
Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. Secure Boot helps ensure that the system only runs authentic software by verifying the signature of all boot components and stopping the boot process if signature verification fails. This helps prevent forms of kernel malware, such as rootkits or bootkits, from persisting across VM reboots. Google recommends enabling Secure Boot if you can ensure that it doesn't prevent a representative test VM from booting and if it is appropriate for your workload.
Limitations
Even though Compute Engine VM instances support Secure Boot, an image loaded on a Compute Engine VM might not. Notably, although most Linux distributions support Secure Boot on recent x86 images, it isn't always supported by default on ARM64. Many Linux images are configured to refuse to load unsigned builds of out-of-tree kernel modules when Secure Boot is enabled. This most commonly affects GPU drivers, but also sometimes affects security monitoring tools that require kernel modules.
Permissions required for this task
To perform this task, you must have the following permissions:
compute.instances.updateShieldedInstanceConfig on the VM instance
Use the following procedure to modify Shielded VM options:
Console
1. In the Google Cloud console, go to the VM instances page.
2. Click the instance name to open the VM instance details page.
3. Click Stop to stop the VM. If there is no Stop option, click More actions > Stop.
4. After the instance stops, click Edit.
5. In the Shielded VM section, modify the Shielded VM options:
   - Toggle Turn on Secure Boot to enable Secure Boot. Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
   - Toggle Turn on vTPM to disable the virtual Trusted Platform Module (vTPM). By default, Compute Engine enables the vTPM.
   - Toggle Turn on Integrity Monitoring to disable integrity monitoring. By default, Compute Engine enables integrity monitoring.
6. Click Save.
7. Click Start to start the instance.
gcloud
1. Stop the instance:
   gcloud compute instances stop VM_NAME
   Replace VM_NAME with the name of the VM to stop.
2. Update the Shielded VM options:
   gcloud compute instances update VM_NAME \
       [--[no-]shielded-secure-boot] \
       [--[no-]shielded-vtpm] \
       [--[no-]shielded-integrity-monitoring]
   Replace VM_NAME with the name of the VM on which to update the Shielded VM options.
   - shielded-secure-boot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot. Enable by using the --shielded-secure-boot flag (recommended). Disable by using the --no-shielded-secure-boot flag.
   - shielded-vtpm: the virtual Trusted Platform Module (vTPM) is enabled by default. Enable by using the --shielded-vtpm flag (default). Disable by using the --no-shielded-vtpm flag.
   - shielded-integrity-monitoring: integrity monitoring is enabled by default. Enable by using the --shielded-integrity-monitoring flag (default). Disable by using the --no-shielded-integrity-monitoring flag.
3. Start the instance:
   gcloud compute instances start VM_NAME
   Replace VM_NAME with the name of the VM to start.
REST
1. Stop the instance:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/stop
   Replace the following:
   - PROJECT_ID: the project containing the VM to stop
   - ZONE: the zone containing the VM to stop
   - VM_NAME: the VM to stop
2. Use instances.updateShieldedInstanceConfig to enable or disable Shielded VM options on the instance:
   PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/updateShieldedInstanceConfig
   {
     "enableSecureBoot": {true|false},
     "enableVtpm": {true|false},
     "enableIntegrityMonitoring": {true|false}
   }
   Replace the following:
   - PROJECT_ID: the project containing the VM on which to enable or disable Shielded VM options
   - ZONE: the zone containing the VM on which to enable or disable Shielded VM options
   - VM_NAME: the VM on which to enable or disable Shielded VM options
   - enableSecureBoot: Compute Engine does not enable Secure Boot by default because unsigned drivers and other low-level software might not be compatible. If possible, Google recommends enabling Secure Boot.
   - enableVtpm: Compute Engine enables the virtual Trusted Platform Module (vTPM) by default.
   - enableIntegrityMonitoring: Compute Engine enables integrity monitoring by default.
3. Start the instance:
   POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/ZONE/instances/VM_NAME/start
   Replace the following:
   - PROJECT_ID: the project containing the VM to start
   - ZONE: the zone containing the VM to start
   - VM_NAME: the VM to start
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
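The stop, update and start sequence above, turned into a small offline planner as an added example (not Google's code): it reads the output of `gcloud compute instances describe --format=json` (a constructed, trimmed sample is embedded), applies the rule that disabling the vTPM also disables integrity monitoring, and emits the ordered REST calls, skipping the stop/start pair when the instance is already stopped and returning nothing when no change is needed. The project and zone names are assumptions.

```python
import json

API = "https://compute.googleapis.com/compute/v1"
FIELDS = ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring")

# Constructed sample of `gcloud compute instances describe VM_NAME --format=json`,
# trimmed to the fields used here (a real response carries many more).
SAMPLE_DESCRIBE = json.dumps({
    "name": "test-vm",
    "status": "RUNNING",
    "shieldedInstanceConfig": {
        "enableSecureBoot": False,
        "enableVtpm": True,
        "enableIntegrityMonitoring": True,
    },
})

def desired_config(current, **changes):
    """Build the updateShieldedInstanceConfig body from the current config.
    Unnamed options keep their current value. Integrity monitoring depends on
    Measured Boot data from the vTPM, so it is turned off with the vTPM.
    """
    unknown = set(changes) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown Shielded VM option(s): {sorted(unknown)}")
    cfg = {f: bool(current.get(f, False)) for f in FIELDS}
    cfg.update({f: bool(v) for f, v in changes.items()})
    if not cfg["enableVtpm"]:
        cfg["enableIntegrityMonitoring"] = False
    return cfg

def plan_update(describe_json, project, zone, **changes):
    """Return the ordered REST calls (method, url, body) for the change.
    updateShieldedInstanceConfig requires a stopped VM, so a running instance
    is stopped first and started afterwards; [] means nothing to change.
    """
    inst = json.loads(describe_json)
    current = inst.get("shieldedInstanceConfig", {})
    target = desired_config(current, **changes)
    if all(bool(current.get(f, False)) == target[f] for f in FIELDS):
        return []
    base = f"{API}/projects/{project}/zones/{zone}/instances/{inst['name']}"
    running = inst.get("status") != "TERMINATED"  # TERMINATED = stopped VM
    steps = [("POST", f"{base}/stop", None)] if running else []
    steps.append(("PATCH", f"{base}/updateShieldedInstanceConfig", target))
    if running:
        steps.append(("POST", f"{base}/start", None))
    return steps
```

Calling `plan_update(SAMPLE_DESCRIBE, "my-project", "us-central1-a", enableSecureBoot=True)` yields stop, PATCH, start; feed the PATCH body to an authenticated client of your choice.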
Last updated 2025-08-07 UTC.