End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Enable Confidential Computing

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-010

Ensure that the Confidential Computing feature is enabled for your Oracle Cloud Infrastructure (OCI) compute instances to protect your data in use from the cloud operator, hardware attacks, and other malicious actors by using hardware-based memory encryption and isolated execution environments.

Security

Enabling Confidential Computing is essential for OCI compute instances to protect sensitive data while it is actively being processed in memory, isolating it within a hardware-based Trusted Execution Environment (TEE) from the hypervisor, privileged administrators, and other malicious threats. This closes the last major gap in cloud data protection, unencrypted data in use, and helps organizations meet stringent regulatory compliance requirements such as HIPAA and GDPR. Note that the TEE isolates the guest from the infrastructure beneath it; it does not protect against a compromise of the guest operating system or the workload itself, so guest-level hardening still applies.


Audit

To determine if the Confidential Computing feature is enabled for your OCI compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Details tab and check the Confidential computing attribute value, listed under Launch options. If Confidential computing is set to Disabled, the Confidential Computing security feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run the compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment:

oci compute instance list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--region 'ap-sydney-1' \
	--all \
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs:

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run the compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to determine the operational state of the Confidential Computing feature for the selected instance:

oci compute instance get \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data.{"is-memory-encryption-enabled":"platform-config"."is-memory-encryption-enabled"}'

06 The command output should return the feature state:

{
	"is-memory-encryption-enabled": null
}

Check the value of the "is-memory-encryption-enabled" property to determine the operational state of the feature. If "is-memory-encryption-enabled" is set to null, as shown in the output example above (or to false, as in the instance description shown in the Remediation section below), the Confidential Computing security feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance. Only an explicit true value indicates that the feature is enabled.
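The CLI audit above, steps 01 to 05, automated across every compartment of a tenancy. This is an added example, not part of the original page or of the OCI CLI; it assumes the oci CLI is installed and configured, and the SAMPLE_INSTANCES list is constructed to cover the null, false and true states of the flag.

```python
"""Audit helper: flag OCI compute instances whose Confidential Computing
(memory encryption) flag is not enabled. Assumes the oci CLI is installed and
configured; SAMPLE_INSTANCES below are constructed, not live data."""
import json
import subprocess


def oci(*args: str):
    """Run an oci CLI command and return the parsed 'data' element (None if empty)."""
    res = subprocess.run(["oci", *args], check=True, capture_output=True, text=True)
    return json.loads(res.stdout)["data"] if res.stdout.strip() else None


def memory_encryption_enabled(instance: dict) -> bool:
    """Treat only an explicit true as enabled: a missing platform-config, a null
    value (the Audit output above) and false all mean the instance is not confidential."""
    platform = instance.get("platform-config") or {}
    return platform.get("is-memory-encryption-enabled") is True


def audit_instances(instances: list) -> list:
    """Return one finding per instance that lacks memory encryption. Terminated
    instances still appear in 'instance list' output for a while, so skip them."""
    return [
        {"id": i["id"], "name": i.get("display-name"), "shape": i.get("shape")}
        for i in instances
        if i.get("lifecycle-state") != "TERMINATED" and not memory_encryption_enabled(i)
    ]


def audit_tenancy(region: str) -> list:
    """Walk every compartment (root included) and collect non-compliant instances."""
    findings = []
    for comp in oci("iam", "compartment", "list", "--all", "--include-root"):
        instances = oci("compute", "instance", "list", "--compartment-id", comp["id"],
                        "--region", region, "--all") or []
        findings.extend(audit_instances(instances))
    return findings


# Constructed sample covering the three states the check must distinguish.
SAMPLE_INSTANCES = [
    {"id": "ocid1.instance.oc1..EXAMPLE-A", "display-name": "legacy-vm", "shape": "VM.Standard.E4.Flex",
     "lifecycle-state": "RUNNING", "platform-config": {"is-memory-encryption-enabled": False, "type": "AMD_VM"}},
    {"id": "ocid1.instance.oc1..EXAMPLE-B", "display-name": "no-platform-config", "shape": "VM.Standard2.1",
     "lifecycle-state": "RUNNING", "platform-config": None},
    {"id": "ocid1.instance.oc1..EXAMPLE-C", "display-name": "confidential-vm", "shape": "VM.Standard.E4.Flex",
     "lifecycle-state": "RUNNING", "platform-config": {"is-memory-encryption-enabled": True, "type": "AMD_VM"}},
]

if __name__ == "__main__":
    for f in audit_tenancy("ap-sydney-1"):
        print(f"NOT CONFIDENTIAL: {f['name']} ({f['id']}) shape={f['shape']}")
```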

Remediation / Resolution

To enable Confidential Computing for your Oracle Cloud Infrastructure (OCI) compute instances, you must re-create your instances by performing the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to re-create and collect all the relevant configuration information.

06 After the configuration information is successfully collected, choose Actions from the instance top menu, select More actions, and choose Create custom image. Provide a unique name for your custom image in the Name box, then choose Create custom image to create the image.

07 Once the new image is ready, use it to relaunch your OCI compute instance with Confidential Computing. In the left navigation panel, under Overview, select Instances, choose Create instance, and perform the following actions to launch a new compute instance:

  1. For Basic information, provide the following information:
    1. For Name, provide a unique name for the new instance.
    2. For Create in compartment, select the appropriate OCI compartment.
    3. For Placement, ensure that the required Availability domain is selected. Choose Advanced options and select the correct Capacity type for the new instance (must match the capacity type of the source instance).
    4. For Image and shape, perform the following operations:
      1. Choose Change image under Image, select My images, choose Custom images, select the custom OS image created in step no. 6, and choose Select image.
      2. Choose Change shape under Shape, select the correct instance shape/instance type (must match the shape of the source instance), and choose Select shape.
      3. Choose Advanced options and configure the management, availability, and Oracle Cloud Agent settings for the new instance (must match the configuration of the source instance).
    5. Choose Next to continue the setup.
  2. For Security, switch on the Confidential computing button to enable the Confidential Computing security feature for the new compute instance. Choose Next to continue the setup process.
  3. For Networking, provide the following information:
    1. For VNIC name, provide a name for the new Virtual Network Interface Card (VNIC).
    2. For Primary network, choose Select existing virtual cloud network, and select an existing Virtual Cloud Network (must match the network configuration of the source instance).
    3. For Subnet, choose Select existing subnet, and select an existing VCN subnet (must match the network configuration of the source instance).
    4. For Private IPv4 address assignment, choose Automatically assign private IPv4 address to assign a private IPv4 address for your instance.
    5. Switch off the Automatically assign public IPv4 address button under Public IPv4 address assignment to launch your new OCI compute instance without a public IP address.
    6. Choose Advanced options and configure the advanced network and DNS settings for the new instance (must match the network configuration of the source instance).
    7. For Add SSH keys, choose whether to generate a new SSH key pair or upload a public key that you already have.
    8. Choose Next to continue the setup.
  4. For Storage, provide the following information:
    1. For Boot volume, specify the boot volume size and configure encryption in transit and encryption of data at rest.
    2. For Block volumes, choose whether to add one or more block volumes to your instance (must match the source instance disk configuration).
    3. Choose Next to continue.
  5. For Review, review the instance configuration information, then choose Create to launch your new Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run the compute instance get command (Windows/macOS/Linux) with the ID of the compute instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected instance:

oci compute instance get \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data'

02 The command output should return the requested configuration information:

{
	"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"display-name": "cc-project5-compute-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-3",
	"freeform-tags": {},
	"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"image-id": "ocid1.image.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"instance-options": {
		"are-legacy-imds-endpoints-disabled": true
	},
	"launch-options": {
		"boot-volume-type": "PARAVIRTUALIZED",
		"firmware": "UEFI_64",
		"is-consistent-volume-naming-enabled": true,
		"is-pv-encryption-in-transit-enabled": false,
		"network-type": "PARAVIRTUALIZED",
		"remote-data-volume-type": "PARAVIRTUALIZED"
	},
	"licensing-configs": null,
	"lifecycle-state": "RUNNING",
	"metadata": {},
	"placement-constraint-details": null,
	"platform-config": {
		"is-measured-boot-enabled": false,
		"is-memory-encryption-enabled": false,
		"is-secure-boot-enabled": false,
		"is-symmetric-multi-threading-enabled": false,
		"is-trusted-platform-module-enabled": false,
		"type": "AMD_VM"
	},

	...

	"preemptible-instance-config": null,
	"region": "ap-sydney-1",
	"security-attributes": {},
	"security-attributes-state": "STABLE",
	"shape": "VM.Standard.E4.Flex",
	"shape-config": {
		"baseline-ocpu-utilization": null,
		"gpu-description": null,
		"gpus": 0,
		"local-disk-description": null,
		"local-disks": 0,
		"local-disks-total-size-in-gbs": null,
		"max-vnic-attachments": 2,
		"memory-in-gbs": 16.0,
		"networking-bandwidth-in-gbps": 1.0,
		"ocpus": 1.0,
		"vcpus": 2
	},
	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-source-image-filter-details": null,
		"kms-key-id": null,
		"source-type": "image"
	},
	"system-tags": {},
	"time-created": "2025-06-16T12:10:56.939000+00:00",
	"time-maintenance-reboot-due": null
}

03 Run the compute image create command (Windows/macOS/Linux) to create an OS image from your source Oracle Cloud Infrastructure (OCI) compute instance:

oci compute image create \
	--display-name 'cc-project5-instance-image' \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data.id'

04 The command output should return the ID of the new OS image:

"ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"

05 Run the compute instance launch command (Windows/macOS/Linux) to create a new Oracle Cloud Infrastructure (OCI) compute instance from the custom OS image provisioned in the previous steps. Include --platform-config '{"isMemoryEncryptionEnabled": true}' in the command request to launch your new compute instance with Confidential Computing (note that the CLI prints this property in kebab-case as "is-memory-encryption-enabled", but the --platform-config JSON expects the camelCase key):

oci compute instance launch \
	--display-name 'cc-new-project5-instance' \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--availability-domain 'ABCD:AP-SYDNEY-1-AD-1' \
	--subnet-id 'ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234' \
	--image-id 'ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--shape 'VM.Standard.E4.Flex' \
	--shape-config '{"ocpus":1.0}' \
	--assign-public-ip false \
	--platform-config '{"isMemoryEncryptionEnabled": true}' \
	--query 'data'

06 The command output should return the configuration information available for the new OCI compute instance:

{
	"agent-config": {
		"are-all-plugins-disabled": false,
		"is-management-disabled": false,
		"is-monitoring-disabled": false,
		"plugins-config": null
	},
	"availability-config": {
		"is-live-migration-preferred": null,
		"recovery-action": "RESTORE_INSTANCE"
	},
	"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
	"capacity-reservation-id": null,
	"cluster-placement-group-id": null,
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"dedicated-vm-host-id": null,
	"display-name": "cc-new-project5-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-3",
	"freeform-tags": {},
	"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"instance-configuration-id": null,
	"instance-options": {
		"are-legacy-imds-endpoints-disabled": true
	},
	"ipxe-script": null,
	"is-ai-enterprise-enabled": null,
	"is-cross-numa-node": false,
	"launch-mode": "PARAVIRTUALIZED",
	"launch-options": {
		"boot-volume-type": "PARAVIRTUALIZED",
		"firmware": "UEFI_64",
		"is-consistent-volume-naming-enabled": true,
		"is-pv-encryption-in-transit-enabled": false,
		"network-type": "PARAVIRTUALIZED",
		"remote-data-volume-type": "PARAVIRTUALIZED"
	},
	"licensing-configs": null,
	"lifecycle-state": "PROVISIONING",
	"metadata": {},
	"placement-constraint-details": null,
	"platform-config": {
		"is-measured-boot-enabled": false,
		"is-memory-encryption-enabled": true,
		"is-secure-boot-enabled": false,
		"is-symmetric-multi-threading-enabled": true,
		"is-trusted-platform-module-enabled": false,
		"type": "AMD_VM"
	},
	"preemptible-instance-config": null,
	"region": "ap-sydney-1",
	"security-attributes": {},
	"security-attributes-state": "STABLE",
	"shape": "VM.Standard.E4.Flex",
	"shape-config": {
		"baseline-ocpu-utilization": null,
		"gpu-description": null,
		"gpus": 0,
		"local-disk-description": null,
		"local-disks": 0,
		"local-disks-total-size-in-gbs": null,
		"max-vnic-attachments": 2,
		"memory-in-gbs": 16.0,
		"networking-bandwidth-in-gbps": 1.0,
		"ocpus": 1.0,
		"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
		"vcpus": 2
	},
	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-source-image-filter-details": null,
		"kms-key-id": null,
		"source-type": "image"
	},
	"system-tags": {},
	"time-created": "2025-10-14T20:37:29.527000+00:00",
	"time-maintenance-reboot-due": null
}
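The CLI remediation above, steps 01 to 05, as an added example that is not part of the original page or of the OCI CLI: it derives the launch arguments for the replacement instance from the source instance's compute instance get output so that placement, shape sizing and the other platform flags match the source, and forces memory encryption on. It assumes the oci CLI is configured, that the kebab-case keys printed by the CLI map to the camelCase keys accepted by --platform-config and --shape-config (the page confirms this for isMemoryEncryptionEnabled), and SOURCE is a constructed subset of the description shown in step 02; the image and subnet OCIDs are placeholders.

```python
"""Build 'oci compute instance launch' arguments for a confidential replacement
from the source instance's 'compute instance get' output. Assumes the oci CLI is
configured; SOURCE is a constructed subset, OCIDs marked PLACEHOLDER are not real."""
import json
import subprocess

# CLI output key -> --shape-config JSON key (assumed camelCase mapping).
SHAPE_KEYS = {"ocpus": "ocpus", "memory-in-gbs": "memoryInGBs"}


def kebab_to_camel(key: str) -> str:
    """'is-memory-encryption-enabled' -> 'isMemoryEncryptionEnabled'."""
    head, *rest = key.split("-")
    return head + "".join(part.capitalize() for part in rest)


def launch_args_from_source(source: dict, image_id: str, subnet_id: str, name: str) -> list:
    """Carry placement, shape sizing and the source's boot/platform flags over,
    then force memory encryption on (the one setting this rule requires)."""
    shape_cfg = source.get("shape-config") or {}
    shape_config = {SHAPE_KEYS[k]: shape_cfg[k] for k in SHAPE_KEYS if shape_cfg.get(k) is not None}
    platform = {kebab_to_camel(k): v
                for k, v in (source.get("platform-config") or {}).items() if k.startswith("is-")}
    platform["isMemoryEncryptionEnabled"] = True
    return ["compute", "instance", "launch",
            "--display-name", name,
            "--compartment-id", source["compartment-id"],
            "--availability-domain", source["availability-domain"],
            "--subnet-id", subnet_id,
            "--image-id", image_id,
            "--shape", source["shape"],
            "--shape-config", json.dumps(shape_config),
            "--assign-public-ip", "false",
            "--platform-config", json.dumps(platform)]


def json_arg(args: list, flag: str) -> dict:
    """Parse the JSON value that follows a flag in a built argument list."""
    return json.loads(args[args.index(flag) + 1])


# Constructed subset of the source instance description shown in step 02 above.
SOURCE = {
    "availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
    "compartment-id": "ocid1.tenancy.oc1..PLACEHOLDER-TENANCY",
    "shape": "VM.Standard.E4.Flex",
    "shape-config": {"ocpus": 1.0, "memory-in-gbs": 16.0, "vcpus": 2},
    "platform-config": {"is-measured-boot-enabled": False, "is-memory-encryption-enabled": False,
                        "is-secure-boot-enabled": False, "is-symmetric-multi-threading-enabled": False,
                        "is-trusted-platform-module-enabled": False, "type": "AMD_VM"},
}

if __name__ == "__main__":
    args = launch_args_from_source(SOURCE, "ocid1.image.oc1..PLACEHOLDER-IMAGE",
                                   "ocid1.subnet.oc1..PLACEHOLDER-SUBNET", "cc-new-project5-instance")
    subprocess.run(["oci", *args, "--query", 'data."platform-config"'], check=True)
```

After the launch, re-run the Audit step 05 query against the new instance ID and confirm that "is-memory-encryption-enabled" is true before terminating the source instance.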


Publication date Dec 8, 2025