WilliamLam.com

Support for Virtual Trusted Platform Module (vTPM) on ESXi without vCenter Server?

by // 28 Comments

Starting with vSphere 6.7, users have been able to add a Virtual Trusted Platform Module (vTPM) to a VM, enabling guest operating systems to create and store private keys using a software-based representation of a physical TPM 2.0 chip, that is completely transparent to the underlying OS.

A major benefit of using vTPM is that a physical TPM chip is NOT required in the underlying ESXi host and the vTPM secrets are protected by encrypting the .nvram file, where the secrets are stored.

The encryption keys that are used to encrypt the vTPM is provisioned by a key provider, which can be either be an external Standard Key Provider (SKP) that is KMIP-compliant or using vCenter Server's built-in Native Key Provider (NKP). It is the management of these key providers and their workflows that requires the use of vCenter Server, providing a centralized control plane and a seamless user experience when using the vTPM feature.

Most recently, I saw an influx of inquiries from our field and customers asking about using vTPM with a standalone ESXi host that is NOT managed by vCenter Server, primarily for homelab purposes. While this question has come up in the past, the increased interests might be due to more folks looking to deploy Windows 11, which now has a requirement of a TPM.

While sharing this observation with our lead engineer for VM Encryption, I came to learn that while vCenter Server is highly recommended for a good vTPM user experience, it is technically NOT required for vTPM to function. This sounded very intriguing but surely this solution would NOT be supported right?!

Interestingly, vCenter Server simply uses a set of public vSphere APIs that are available directly on an ESXi host to add or remove encryption keys that is generated from the key provider but the functionality to manage the encryption keys are available on an ESXi host. While this "manual" method is not as seamless as using vCenter Server, you can enable vTPM for a VM using a standalone ESXi host that is not managed by vCenter Server in a completely supported manner!

The lesson here, do not always assume something is NOT supported until you have been told it is NOT supported and always be learning! 😁

[Read more...]

Quick Tip - Adding a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM

by // 3 Comments

I had an interesting question this morning asking whether it was possible to add a vTPM (Virtual Trusted Platform Module) to a Nested ESXi VM? The user was interested in testing a particular scenario with the new vSphere Trust Authority feature that was introduced in the vSphere 7.0. I personally had not done much with vTPM and I had assumed it should just work as long as you have a physical TPM chip in the underlying hardware and you have setup either a Standard or Native Key Provider within your vCenter Server.

The user observed that adding a vTPM to a Windows VM was possible using the vSphere UI but when attempting to perform the same operation on a Nested ESXi VM, the option to add vTPM device was not available. After spending ~30 minutes asking around for hardware that had a physical TPM, I remember that my Quartz Canyon NUC (NUC 9 Pro) is a Xeon based system and it has TPM 2.0 chip. I was able to take a closer look and quickly found the solution was very pretty straight forward!

[Read more...]