TPM

Quick Tip - Which vCenter Server Key Provider (KMS) is a VM using?

03.27.2025 by William Lam // 3 Comments

vCenter Server requires a Key Management Service (KMS) for enabling VM Encryption, vTPM, or vSAN Encryption. Users have the choice of configuring the embedded Native Key Provider (NKP) built into vCenter Server and/or use an external KMS with the Standard Key Provider (SKP) option.

If you have more than one KMS configured in vCenter Server, you can specify one of the KMS key providers to be your default, which will automatically be used for any KMS-related activities. You can switch between the default KMS key provider and you can certainly specify a specific KMS key provider when using the vSphere API to provision a VM that will leverage VM encryption.

So how do you figure out which KMS key provider a VM is using?

[Read more...]

Clearing TPM alarms after replacing TPM chip or resetting TPM keys for ESXi

06.07.2023 by William Lam // 13 Comments

If you have a supported Trusted Platform Module (TPM) device that has been installed in your ESXi host after the initial installation and you either replace the TPM chip and/or you reset the TPM keys within the system BIOS, you may find several TPM alarms that is raised within your vCenter Server including:

Host TPM attestation alarm
TPM Encryption Recovery Key Backup Alarm
The new host TPM endorsement key doesn't match the one stored in the DB

I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS, this was for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.

After a bit of searching, I came across this VMware KB 81446 which outlines a solution to one the scenarios I mentioned above where you would see these TPM alarms, which is replacing the TPM chip, but I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing a some details, which I have already shared in the feedback and I think there is a more streamline method which I have shared below.

[Read more...]

Quick Tip - TPM 2.0 connection cannot be established after upgrading to ESXi 8.0

10.18.2022 by William Lam // 12 Comments

There has been several reports from folks internally and within the community that after upgrading to ESXi 8.0, they are now seeing the following TPM error message:

TPM 2.0 device detected but a connection cannot be established.

The common theme between all these reported cases that I have seen is that they are all using an Intel NUC. While the Intel NUCs may list TPM support, they do not support either TPM Interface Specification (TIS) for TPM 1.2 or the First In, First Out (FIFO) for TPM 2.0, which are industry standards for communicating with a TPM device that ESXi uses.

[Read more...]