AMD SEV is a set of hardware extensions integrated into AMD EPYC processors that provides memory encryption for virtualized environments. It assigns a unique encryption key to each VM, generated by a hardware Platform Security Processor (PSP), ensuring that data remains encrypted even if the hypervisor is compromised, effectively establishing a Trusted Execution Environment (TEE).
Glossary
AMD SEV

What is AMD SEV?
AMD Secure Encrypted Virtualization (SEV) is a hardware security feature that encrypts the memory of individual virtual machines with a unique key, isolating them from the hypervisor and other VMs to protect data in use.
The technology supports remote attestation, allowing a guest owner to cryptographically verify that the VM is running on genuine AMD hardware with the correct security policy before injecting secrets. Advanced iterations like SEV-ES encrypt CPU registers and SEV-SNP add memory integrity protection, preventing replay and data corruption attacks to create a robust Confidential Virtual Machine.
Key Features of AMD SEV
AMD Secure Encrypted Virtualization (SEV) provides a foundational set of hardware features that protect data in use by encrypting virtual machine memory with unique, hardware-generated keys, isolating VMs from the hypervisor and other privileged software.
Hardware-Based Memory Encryption
AMD SEV integrates a dedicated AES-128 encryption engine directly into the on-die memory controller. This engine transparently encrypts and decrypts data as it moves between the DRAM and the processor. Each VM is assigned a unique VM Encryption Key (VEK) , generated from a fused hardware root key, ensuring that data belonging to one VM is cryptographically isolated from the hypervisor, host OS, and other VMs on the same physical socket.
SEV-ES: Encrypted State
SEV-Encrypted State (SEV-ES) adds protection for the VM's CPU register state during context switches. Without SEV-ES, register contents are exposed to the hypervisor when a VM exits (e.g., due to an interrupt). SEV-ES encrypts these registers and saves them to a protected memory area, preventing the hypervisor from inspecting or modifying the VM's execution state. This mitigates active attacks like control-flow hijacking via register manipulation.
Remote Attestation
A critical feature of SEV-SNP that allows a relying party (e.g., a data owner or a client) to verify that a VM is running genuine, untampered software on authentic AMD hardware. The AMD-SP generates a signed attestation report containing a cryptographic hash of the VM's initial memory state and the platform's identity. This report is rooted in a chain of trust that traces back to a fused AMD root key, enabling a zero-trust deployment model where workloads can be verified before secrets are provisioned.
Live Migration with SEV
AMD SEV supports the secure live migration of encrypted VMs between physical hosts. During migration, the VM's encryption key is securely transmitted from the source AMD-SP to the destination AMD-SP using a transport encryption key. The destination platform must be verified as a genuine AMD system. This ensures that the VM's memory remains encrypted throughout the entire migration process, maintaining the confidentiality and integrity of the workload without downtime.
AMD SEV vs. Intel SGX
A technical comparison of the two dominant hardware-based Trusted Execution Environment architectures for protecting data in use within cloud and enterprise environments.
| Feature | AMD SEV | Intel SGX | AWS Nitro Enclaves |
|---|---|---|---|
Protection Scope | Entire VM | Application-level enclave | Isolated compute environment |
Memory Encryption Engine | AES-128 integrated on-die | Memory Encryption Engine (MEE) | Dedicated hardware card |
Hypervisor Trust Model | Untrusted hypervisor excluded from TCB | Untrusted OS/hypervisor excluded | Dedicated Nitro hypervisor |
Attestation Mechanism | AMD Secure Processor + PSP | SGX Remote Attestation (EPID/DCAP) | Nitro Security Chip + KMS |
Maximum Protected Memory | Up to full host RAM | 128 MB (EPC) per enclave | Up to full instance memory |
Performance Overhead | 0.3-2% typical | 5-15% for EPC paging | < 1% typical |
Side-Channel Mitigation | Hardware AES engine, no timing leaks | Vulnerable to L1TF, Spectre variants | No shared hypervisor resources |
Application Modification Required |
Frequently Asked Questions
Clear, technical answers to the most common questions about AMD Secure Encrypted Virtualization, its operational mechanisms, and its role in confidential computing architectures.
AMD Secure Encrypted Virtualization (SEV) is a hardware-based memory encryption feature integrated into AMD EPYC processors that isolates a virtual machine (VM) from the hypervisor by encrypting its memory with a unique, hardware-generated key. It works by integrating an AES-128 encryption engine directly into the on-die memory controller. When a VM is launched with SEV enabled, the AMD Secure Processor—a dedicated ARM Cortex-A5 microcontroller on the SoC—generates a unique VM Encryption Key (VEK). All data pages belonging to that VM are transparently encrypted with this VEK as they are written to DRAM and decrypted when read back into the CPU cache. The hypervisor, which operates at a higher privilege level, can only see the ciphertext, effectively protecting data-in-use from a compromised or malicious host. This creates a Trusted Execution Environment (TEE) where the guest VM's confidentiality is maintained even if the cloud provider's infrastructure is breached.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts that form the foundation of hardware-enforced data-in-use protection, essential for understanding AMD SEV's role in the broader confidential computing landscape.
Confidential Computing
A hardware-based security paradigm that protects data in use by performing computation within a hardware-enforced Trusted Execution Environment (TEE). Unlike encryption for data-at-rest or data-in-transit, confidential computing isolates workloads from the host OS, hypervisor, and cloud provider administrators.
- Eliminates the cloud provider from the trust boundary
- Protects sensitive workloads even on compromised infrastructure
- Foundational for Confidential AI and multi-party data collaboration
Trusted Execution Environment (TEE)
A secure area within a main processor that guarantees the confidentiality and integrity of code and data loaded inside it. A TEE provides hardware-enforced isolation, meaning even a compromised operating system or hypervisor cannot access its contents.
- AMD SEV implements TEEs at the virtual machine level
- Intel SGX implements TEEs at the application enclave level
- Protects against privileged user attacks and physical memory snooping
Attestation
The process by which a TEE generates a cryptographically signed report proving its identity, integrity, and that it is running specific code on genuine hardware. This allows a remote party to verify the environment before sending secrets.
- Remote attestation establishes a hardware-rooted chain of trust
- AMD SEV uses the AMD Secure Processor to sign attestation reports
- Essential for secure provisioning and zero-trust architectures
Memory Encryption
A hardware mechanism that transparently encrypts and decrypts data as it moves between the processor and main memory (DRAM). AMD SEV uses a dedicated AES-128 encryption engine embedded in the memory controller.
- Each VM receives a unique encryption key
- Prevents cold boot attacks and DRAM probing
- Operates at near-native speed with minimal performance overhead
Confidential Virtual Machine
A virtual machine instance whose entire memory space is encrypted with a hardware-generated key inaccessible to the hypervisor. AMD SEV-SNP extends this with integrity protection to prevent replay and data corruption attacks.
- Supported on AMD EPYC processors (Naples, Rome, Milan, Genoa)
- Available on major clouds: AWS, Azure, Google Cloud
- Enables lift-and-shift of existing workloads into confidential environments
Side-Channel Attack
A security exploit that infers sensitive information by observing physical side effects of computation—timing, power consumption, cache access patterns, or electromagnetic emissions—rather than breaking the algorithm directly.
- TEEs must defend against cache-timing attacks and page-fault attacks
- AMD SEV-SNP adds reverse map table protection
- Ongoing research area for all confidential computing platforms

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us