Secure Encrypted Virtualization (SEV) is a hardware-based security technology integrated into AMD EPYC processors that encrypts the memory of each virtual machine using a unique encryption key managed by the AMD Secure Processor. This architectural isolation ensures that the hypervisor—even if compromised—cannot access the plaintext memory of a guest VM, protecting data in use from privileged insider threats and multi-tenant cloud attacks.
Glossary
Secure Encrypted Virtualization (SEV)

What is Secure Encrypted Virtualization (SEV)?
Secure Encrypted Virtualization is an AMD hardware feature that encrypts the memory of individual virtual machines with unique, hardware-generated keys, isolating them from the hypervisor and other VMs on the same physical host.
SEV operates by tagging data with a VM-specific key in the on-chip memory controller, so any attempt by the hypervisor or another VM to read encrypted memory pages results in unintelligible ciphertext. The encryption keys are generated and managed entirely within the dedicated Platform Security Processor (PSP), a discrete ARM core on the AMD SoC, ensuring the host operating system and hypervisor have no visibility into the cryptographic material.
Key Features of AMD SEV
AMD Secure Encrypted Virtualization (SEV) provides a foundational set of hardware capabilities that isolate virtual machines from the hypervisor. These features encrypt VM memory with per-VM keys, ensuring data-in-use confidentiality in shared cloud environments.
Per-VM Memory Encryption Keys
Each virtual machine is assigned a unique AES-128 encryption key managed by the AMD Secure Processor. This key encrypts the VM's entire memory space, making data unintelligible to the hypervisor, other VMs, or any unauthorized entity on the physical host.
- Key Isolation: The hypervisor never has access to the plaintext encryption key.
- Hardware Root of Trust: Key generation and management occur within the dedicated AMD Secure Processor, a separate ARM core on the CPU die.
- Transparent Operation: Encryption and decryption happen in-line at the memory controller with minimal performance overhead.
Hypervisor Isolation
SEV fundamentally changes the trust model of virtualization by removing the hypervisor from the Trusted Computing Base (TCB). Even a compromised or malicious hypervisor cannot read the plaintext memory of a protected guest VM.
- Privilege De-escalation: The hypervisor retains control over scheduling and resource allocation but loses visibility into VM memory contents.
- Mitigation of Insider Threats: Protects against rogue cloud administrators with physical or administrative access to the host.
- Register State Protection: Guest VM CPU registers are also encrypted during context switches to prevent information leakage.
Secure Encrypted Virtualization - Encrypted State (SEV-ES)
SEV-ES extends the base SEV protection by encrypting the guest VM's CPU register state on each hypervisor transition. This prevents the hypervisor from inspecting register values during VM exits caused by interrupts or I/O operations.
- Control Flow Integrity: Prevents the hypervisor from manipulating the guest's instruction pointer or stack pointer.
- Automatic State Encryption: The hardware automatically encrypts and decrypts register state during
VMRUNandVMEXIToperations. - Exception Handling: Even during guest-triggered exceptions, the register state presented to the hypervisor is encrypted.
Secure Nested Paging (SEV-SNP)
SEV-SNP adds memory integrity protection to prevent malicious hypervisor attacks like data replay, memory remapping, and page table tampering. It introduces a Reverse Map Table (RMP) managed by the Secure Processor.
- Reverse Map Table (RMP): Tracks ownership and permissions for every physical page assigned to a guest, enforcing that a page can only be mapped into one guest at a time.
- Page Validation: The guest VM can cryptographically validate the contents and permissions of a page before accepting it into its address space.
- Replay Attack Prevention: Prevents the hypervisor from substituting a stale, previously valid page to trick the guest.
Cryptographic Attestation
SEV-SNP provides a hardware-rooted attestation mechanism that allows a guest VM owner to cryptographically verify the integrity of the firmware, hypervisor, and initial VM state before provisioning secrets.
- Remote Attestation Flow: The AMD Secure Processor signs a measurement report containing the SHA-384 hash of the initial guest memory and firmware.
- Identity Key (IDK): A unique, chip-specific key used to sign attestation reports, verifiable against AMD's Certificate Authority chain.
- Guest-Requested Attestation: The guest VM can request an attestation report at any time to prove its ongoing integrity to external services.
Live Migration with Confidentiality
SEV-SNP supports the live migration of confidential VMs between physical hosts without exposing plaintext memory. The migration process maintains encryption and integrity throughout the transfer.
- Migration Agent (MA): A privileged helper within the guest that orchestrates the secure transfer of encrypted pages.
- Page Re-encryption: Memory pages are re-encrypted with a transport key before leaving the source host and re-encrypted with the destination VM's key upon arrival.
- Attested Destination: The source VM can attest the destination platform before initiating the migration to ensure it is a genuine, trusted AMD SEV-SNP host.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about AMD Secure Encrypted Virtualization (SEV), its extensions, and its role in confidential computing for sovereign AI infrastructure.
AMD Secure Encrypted Virtualization (SEV) is a hardware-based memory encryption feature integrated into AMD EPYC processors that cryptographically isolates a virtual machine (VM) from the hypervisor and other VMs on the same physical host. It works by integrating an AES-128 encryption engine directly into the on-die memory controller. During a VM's creation, the AMD Secure Processor (AMD-SP), a dedicated ARM-based security co-processor, generates a unique VM Encryption Key (VEK). All data written by that specific VM to DRAM is transparently encrypted with its VEK, and decrypted when read back. This means that even if the hypervisor—which is responsible for managing memory—is compromised or malicious, it can only access the encrypted ciphertext, not the plaintext data. This protects data-in-use from privileged insider threats, making SEV a foundational technology for confidential computing in sovereign cloud deployments where the infrastructure operator must be excluded from the trust boundary.
Related Terms
Core technologies and concepts that extend or interact with AMD Secure Encrypted Virtualization to build a complete confidential computing architecture.
Attestation
The cryptographic process that proves a VM is running on genuine AMD hardware with SEV enabled. The AMD Platform Security Processor (PSP) signs an attestation report containing:
- The VM's measurement (hash of initial memory and firmware)
- The Platform Diffie-Hellman key for secure session establishment
- The chip's endorsement key chain rooted in AMD's certificate authority A remote party verifies this report before provisioning secrets or sensitive data to the VM.
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components critical to a system's security. SEV dramatically shrinks the TCB by removing the hypervisor, host OS, and cloud provider administrators from the trust boundary. The remaining TCB includes:
- The AMD System-on-Chip (SoC) and PSP
- The guest VM's kernel and application
- The SEV firmware running on the PSP A smaller TCB reduces the attack surface and simplifies formal verification.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us