Confidential Computing Requirements

This page outlines the requirements for creating and deploying confidential virtual machines on Aleph Cloud.

System Requirements

Creating a confidential virtual machine currently requires the creation of an encrypted disk on a machine you trust. Your system must meet the following requirements:

• Operating System: Linux on x86_64 architecture (64-bit CPU, most recent PCs but not Mac)
• Network: IPv6 connectivity
• CPU: AMD CPU with SEV (Secure Encrypted Virtualization) support for production use

The documentation below assumes a Linux system based on Debian or Ubuntu, but the procedure can be adjusted to other distributions.

Note

This requirement will be lifted in the future with confidential virtual machines that encrypt the filesystem themselves.

Required Software

To create and deploy confidential virtual machines, you'll need the following software:

1. aleph-client

The aleph-client command-line tool is used to interact with the Aleph Cloud network. Install it using:

pip install aleph-client

For detailed installation instructions, see the aleph-client documentation.

2. sevctl

The sevctl tool from AMD is used to manage SEV encryption keys. To install it:

First, install Rust and Cargo:

curl https://sh.rustup.rs -sSf | sh

Some packages may need to be installed on some systems (e.g., Ubuntu) to build sevctl:

apt install -y pkg-config libssl-dev asciidoctor

Then install sevctl using Cargo:

cargo install sevctl
set --export PATH ~/.cargo/bin:$PATH

Windows Users

On Windows, we recommend using WSL and following the same steps above.

3. guestmount

This tool is used to create the encrypted disk. On Debian/Ubuntu-based systems, install it using:

apt install guestmount

Note: This installation may require up to 119 dependencies and 178 MB of additional disk space.

4. OpenSSH Keypair

You'll need an SSH keypair to securely access your confidential VM. If you don't already have one, create it using:

ssh-keygen -t ed25519 -C "your_email@example.com"

5. IPFS Server

The encrypted filesystem you will create is close to 4 GB. To copy it to the Aleph Cloud decentralized network, you first need to make it available on IPFS.

Install IPFS (Kubo implementation) by following the official installation guide.

Quick installation for Linux:

wget https://dist.ipfs.tech/kubo/v0.18.1/kubo_v0.18.1_linux-amd64.tar.gz
tar -xvzf kubo_v0.18.1_linux-amd64.tar.gz
cd kubo
sudo bash install.sh
ipfs init

6. Optional: Qemu

Qemu is useful for testing your VM locally before deploying it to Aleph Cloud. Install it using:

apt install qemu-system-x86

Hardware Requirements for Running Confidential VMs

If you're a node operator wanting to support confidential computing on your Compute Resource Node (CRN), you'll need:

• CPU: AMD EPYC processor with SEV support
• Firmware: Up-to-date BIOS with SEV enabled
• Memory: At least 64GB RAM (128GB recommended)
• Storage: Fast SSD storage (NVMe preferred)

Verifying SEV Support

To check if your system supports SEV, run:

sevctl show

If SEV is supported and enabled, you'll see output similar to:

Platform Version: 0x17
Owner: Not Present

If you get an error or "SEV is not enabled," you may need to enable it in your BIOS settings.

Next Steps

Once you have all the requirements in place, you can proceed to:

1. Creating an encrypted disk image
2. Deploying a confidential instance on Aleph Cloud

If you encounter any issues with the setup, refer to our troubleshooting guide.