What can I download if I using a CVM, e.g. SNP-CVM ?

Joey 125 Reputation points
2024-09-12T03:34:57.95+00:00

Hi~

I am interested in using a series of CVM products in Azure. If I am not mistaken, I can download the VM image and disk image when using a normal VM product.

I have read some articles about Azure CVM, and I have some experience launching an SNP on my personal laptop. My question is, when using a CVM in Azure, what assets can I download/access from Azure?

Specifically, here are some of my queries:

  1. Can I download a CVM image? Does this VM image include the initramfs, kernel, and rootfs installed? Or these components are taken part?
  2. If I enable encryption OS disk, can I obtain the disk keys from my Azure Key Vault, and use the keys for using enc OS disk in my local environment?
  3. Are there any other assets related to CVM that support downloading, such as UEFI/OVMF, vTPM file?

Thank you for the assistance.

Sincerely,

Joey

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,994 questions
Accepted answer
  1. Lijitha B 495 Reputation points Microsoft Vendor
    2024-09-12T09:20:41.3833333+00:00

    Hi Joey,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Just checking into see your queries please follow the below :

    When using a Confidential Virtual Machine in Azure, you cannot directly download the full VM image, which includes components like initramfs, kernel, and rootfs. These components are securely managed within Azure's trusted execution environment to ensure the VM’s confidentiality and integrity. Therefore, exporting a complete image as you would with a non-CVM is not supported. Azure confidential VMs overview

    If you enable OS disk encryption, the encryption keys are stored in your Azure Key Vault. While you can access these keys, decryption is designed to occur only within Azure’s ecosystem for heightened security. Azure does not support decrypting and running the encrypted OS disk outside of its environment due to security concerns. Confidential OS disk encryption

    Currently, there is no method to download additional assets such as UEFI/OVMF firmware or vTPM files from Azure. These components are crucial to the security model of CVMs and are tightly controlled within the Azure environment to maintain their confidentiality and integrity.

    Confidential VMs are not available in all locations. For detailed information please go through the followed links:

    Create confidential VM on in the Azure portal
    Azure confidential virtual machines FAQ

    If you have any further queries, do let us know.

    If the answer is helpful, please click "Accept Answer" and "Upvote it."

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.