WilliamLam.com


Support for Virtual Trusted Platform Module (vTPM) on ESXi without vCenter Server?

10.16.2023 by William Lam // 27 Comments

Starting with vSphere 6.7, users have been able to add a Virtual Trusted Platform Module (vTPM) to a VM, enabling guest operating systems to create and store private keys using a software-based representation of a physical TPM 2.0 chip, that is completely transparent to the underlying OS.

A major benefit of using vTPM is that a physical TPM chip is NOT required in the underlying ESXi host and the vTPM secrets are protected by encrypting the .nvram file, where the secrets are stored.

The encryption keys used to encrypt the vTPM are provisioned by a key provider, which can be either an external Standard Key Provider (SKP) that is KMIP-compliant or vCenter Server's built-in Native Key Provider (NKP). It is the management of these key providers and their workflows that requires the use of vCenter Server, providing a centralized control plane and a seamless user experience when using the vTPM feature.

Most recently, I saw an influx of inquiries from our field and customers asking about using vTPM with a standalone ESXi host that is NOT managed by vCenter Server, primarily for homelab purposes. While this question has come up in the past, the increased interest might be due to more folks looking to deploy Windows 11, which now has a requirement of a TPM.

While sharing this observation with our lead engineer for VM Encryption, I came to learn that while vCenter Server is highly recommended for a good vTPM user experience, it is technically NOT required for vTPM to function. This sounded very intriguing but surely this solution would NOT be supported right?!

Interestingly, vCenter Server simply uses a set of public vSphere APIs that are available directly on an ESXi host to add or remove encryption keys that are generated by the key provider, but the functionality to manage the encryption keys is available on an ESXi host. While this "manual" method is not as seamless as using vCenter Server, you can enable vTPM for a VM using a standalone ESXi host that is not managed by vCenter Server in a completely supported manner!

The lesson here: do not always assume something is NOT supported until you have been told it is NOT supported, and always be learning! 😁

[Read more...]

Categories // Automation, ESXi, vSphere 8.0 Tags // VM Encryption, vTPM

How to download offline copy of the Tanzu Kubernetes releases (TKr) Content Library?

10.10.2023 by William Lam // 2 Comments

As part of the setup for vSphere with Tanzu, a local vSphere Content Library needs to be created to store the various Tanzu Kubernetes releases (TKr), which users typically synchronize from VMware's online TKr Content Library repository.

I typically recommend configuring the content library subscription to only download files when needed, rather than the entire library, which is currently over 200GB+.

After standing up another vSphere with Tanzu environment, I needed to download additional TKr images but I could not reuse my existing subscribed content library since it was configured on a different vCenter Server.

With the ability to host a custom vSphere Content Library on my Synology, I realized a better solution would be for me to simply download the full VMware TKr Content Library and host that locally on my network rather than re-downloading the same images each time I have a new deployment.

[Read more...]

Categories // Automation, Kubernetes, VMware Tanzu, vSphere 7.0, vSphere 8.0 Tags // content library, Synology, TKR, vSphere Kubernetes Service

Exploring GenAI with a private ChatGPT solution using my own blog posts

10.04.2023 by William Lam // 3 Comments

Generative AI (GenAI) has taken the world by storm and not just in tech but it has also infiltrated every single industry with billions of dollars (here, here, here, here, here, here, here & here) being invested to unlock its hidden potentials.

I am sure many of you have already experimented with some aspect of GenAI whether that is using chat interfaces like OpenAI's ChatGPT or Google Bard to the impressive text-to-image generation tools like DALL-E from OpenAI, Midjourney and Stable Diffusion from Stability.AI to just name a few.

I use ChatGPT/Bard on a regular basis, from helping me debug cryptic Linux error messages to helping me craft a complex regular expression to generating random PowerShell snippets for automating various tasks; the possibilities even for IT Administrators are pretty endless. My workflow typically includes the use of ChatHub, an all-in-one chatbot browser plugin that allows me to use both ChatGPT and Bard simultaneously to compare and/or identify the best possible answer.

Until recently, solutions like ChatGPT only had access to data trained up to Sept 2021, but even with this constraint, the biggest issue that plagues all of these AI models is their hallucinations. An AI hallucination is where an AI simply makes up responses believing that they are factual, and while this problem is being worked on by the broader industry, it certainly makes it difficult to trust and validate an answer before using it yourself. I have certainly seen this first hand when asking ChatGPT to generate some code; I would say it is usually 60/40% correct, but I often have to verify and re-prompt when I know the syntax or answer is completely wrong.

While using these platforms, I had been thinking about a personal use case of mine and I was curious if other bloggers or even some of my readers might be able to relate?

[Read more...]

Categories // Automation, GenAI Tags // blogging, chatgpt


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025

 
