Inferensys

Glossary

AMD SEV

A hardware feature embedded in AMD EPYC processors that encrypts the memory of a virtual machine with a unique key, isolating it from the hypervisor and other VMs to protect data in use.
Data engineer managing feature store on laptop, feature definitions visible, casual data engineering session.
HARDWARE MEMORY ENCRYPTION

What is AMD SEV?

AMD Secure Encrypted Virtualization (SEV) is a hardware security feature that encrypts the memory of individual virtual machines with a unique key, isolating them from the hypervisor and other VMs to protect data in use.

AMD SEV is a set of hardware extensions integrated into AMD EPYC processors that provides memory encryption for virtualized environments. It assigns a unique encryption key to each VM, generated by a hardware Platform Security Processor (PSP), ensuring that data remains encrypted even if the hypervisor is compromised, effectively establishing a Trusted Execution Environment (TEE).

The technology supports remote attestation, allowing a guest owner to cryptographically verify that the VM is running on genuine AMD hardware with the correct security policy before injecting secrets. Advanced iterations like SEV-ES encrypt CPU registers and SEV-SNP add memory integrity protection, preventing replay and data corruption attacks to create a robust Confidential Virtual Machine.

HARDWARE-ENFORCED MEMORY ENCRYPTION

Key Features of AMD SEV

AMD Secure Encrypted Virtualization (SEV) provides a foundational set of hardware features that protect data in use by encrypting virtual machine memory with unique, hardware-generated keys, isolating VMs from the hypervisor and other privileged software.

01

Hardware-Based Memory Encryption

AMD SEV integrates a dedicated AES-128 encryption engine directly into the on-die memory controller. This engine transparently encrypts and decrypts data as it moves between the DRAM and the processor. Each VM is assigned a unique VM Encryption Key (VEK) , generated from a fused hardware root key, ensuring that data belonging to one VM is cryptographically isolated from the hypervisor, host OS, and other VMs on the same physical socket.

AES-128
Encryption Standard
Per-VM
Key Isolation
03

SEV-ES: Encrypted State

SEV-Encrypted State (SEV-ES) adds protection for the VM's CPU register state during context switches. Without SEV-ES, register contents are exposed to the hypervisor when a VM exits (e.g., due to an interrupt). SEV-ES encrypts these registers and saves them to a protected memory area, preventing the hypervisor from inspecting or modifying the VM's execution state. This mitigates active attacks like control-flow hijacking via register manipulation.

Register-Level
Protection Granularity
05

Remote Attestation

A critical feature of SEV-SNP that allows a relying party (e.g., a data owner or a client) to verify that a VM is running genuine, untampered software on authentic AMD hardware. The AMD-SP generates a signed attestation report containing a cryptographic hash of the VM's initial memory state and the platform's identity. This report is rooted in a chain of trust that traces back to a fused AMD root key, enabling a zero-trust deployment model where workloads can be verified before secrets are provisioned.

Hardware-Rooted
Trust Anchor
06

Live Migration with SEV

AMD SEV supports the secure live migration of encrypted VMs between physical hosts. During migration, the VM's encryption key is securely transmitted from the source AMD-SP to the destination AMD-SP using a transport encryption key. The destination platform must be verified as a genuine AMD system. This ensures that the VM's memory remains encrypted throughout the entire migration process, maintaining the confidentiality and integrity of the workload without downtime.

CONFIDENTIAL COMPUTING COMPARISON

AMD SEV vs. Intel SGX

A technical comparison of the two dominant hardware-based Trusted Execution Environment architectures for protecting data in use within cloud and enterprise environments.

FeatureAMD SEVIntel SGXAWS Nitro Enclaves

Protection Scope

Entire VM

Application-level enclave

Isolated compute environment

Memory Encryption Engine

AES-128 integrated on-die

Memory Encryption Engine (MEE)

Dedicated hardware card

Hypervisor Trust Model

Untrusted hypervisor excluded from TCB

Untrusted OS/hypervisor excluded

Dedicated Nitro hypervisor

Attestation Mechanism

AMD Secure Processor + PSP

SGX Remote Attestation (EPID/DCAP)

Nitro Security Chip + KMS

Maximum Protected Memory

Up to full host RAM

128 MB (EPC) per enclave

Up to full instance memory

Performance Overhead

0.3-2% typical

5-15% for EPC paging

< 1% typical

Side-Channel Mitigation

Hardware AES engine, no timing leaks

Vulnerable to L1TF, Spectre variants

No shared hypervisor resources

Application Modification Required

AMD SEV EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about AMD Secure Encrypted Virtualization, its operational mechanisms, and its role in confidential computing architectures.

AMD Secure Encrypted Virtualization (SEV) is a hardware-based memory encryption feature integrated into AMD EPYC processors that isolates a virtual machine (VM) from the hypervisor by encrypting its memory with a unique, hardware-generated key. It works by integrating an AES-128 encryption engine directly into the on-die memory controller. When a VM is launched with SEV enabled, the AMD Secure Processor—a dedicated ARM Cortex-A5 microcontroller on the SoC—generates a unique VM Encryption Key (VEK). All data pages belonging to that VM are transparently encrypted with this VEK as they are written to DRAM and decrypted when read back into the CPU cache. The hypervisor, which operates at a higher privilege level, can only see the ciphertext, effectively protecting data-in-use from a compromised or malicious host. This creates a Trusted Execution Environment (TEE) where the guest VM's confidentiality is maintained even if the cloud provider's infrastructure is breached.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.