Trusted Platform Module (TPM) chips are found in most of today's computers, from laptops to desktops to servers. The TPM chip is usually part of the system board, so the user may not be able to change it after purchase. It is therefore important to select the correct TPM hardware at the time of purchase.
VMware vSphere ESXi 6.7 can use Trusted Platform Module (TPM) chips to enhance host security. A TPM helps protect against software-based attacks that attempt to steal sensitive information by corrupting system and BIOS code or by modifying the platform's configuration: the boot chain is measured into the TPM, so such tampering can be detected rather than silently trusted.

TPM is an industry-wide standard for secure crypto-processors; the Trusted Computing Group (TCG) is responsible for the TPM technical specifications. The dedicated microprocessor is designed to secure hardware by integrating cryptographic keys into devices.
VMware vSphere 6.7 introduces support for TPM 2.0. TPM 1.2 and TPM 2.0 are two vastly different implementations and are not interchangeable: servers ship with either a TPM 1.2 or a TPM 2.0 chip, and only TPM 2.0 can be used for the vSphere 6.7 host attestation described here, so check which chip a server carries before you buy it.
VMware vSphere 6.7 also introduces support for the Virtual Trusted Platform Module (vTPM) device, which lets you add a TPM 2.0 virtual crypto-processor to a VM. A vTPM device is a software emulation of TPM functionality. It enables the guest operating system to create and store private keys in such a way that they are never exposed to the guest operating system itself: the guest can use a private key for encryption or signing, but the key material stays inside the vTPM.
With a vTPM device, a third party can remotely attest to (validate) the identity of the firmware and the guest operating system. vTPM has the following use cases:
· An operating system can verify that the firmware loaded was not compromised since the last run.
· An application can verify that the operating system did not load any malicious components.
vTPM depends on VM encryption to secure the virtual TPM data. When you configure a vTPM, VM encryption automatically encrypts the VM's home directory (which contains the nvram file, *.vmx, *.vmsn, snapshots, core files, and so on) but not the disks. You can choose to add encryption explicitly for the VM and its disks.

You can back up a VM enabled with a vTPM:
· The backup must include all VM data, including the nvram file.
· If your backup does not include the nvram file, you cannot restore a VM with a vTPM, because the nvram file is where the vTPM's state is kept.
· Since the VM home files are encrypted, ensure that the encryption keys are available at the time of a restore.
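As an added example (not from the original page or from VMware's tooling), the following Python function applies the backup rules above to a file listing: every home-directory file must be in the backup set, the nvram file in particular, while disks are reported separately because their encryption is a separate decision. The file names and listings are constructed for the example; in practice they would come from the datastore browser and the backup job's manifest.

```python
from pathlib import PurePosixPath

# Files that live in the VM home directory, which VM encryption protects once
# a vTPM is added. The .nvram file also carries the vTPM's own state.
HOME_SUFFIXES = {".nvram", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vmss", ".log"}
DISK_SUFFIX = ".vmdk"


def check_vtpm_backup(home_listing, backup_listing):
    """Compare a VM home directory listing with a backup set.

    Returns (ok, findings). ok is False only when the restore would fail
    (a home-directory file, the nvram file above all, is missing from the
    backup); missing disk files are reported as notes, since disks are
    encrypted and backed up as a separate decision.
    """
    backup = set(backup_listing)
    errors, notes = [], []
    saw_nvram = False

    for name in sorted(home_listing):
        suffix = PurePosixPath(name).suffix.lower()
        if suffix == DISK_SUFFIX:
            if name not in backup:
                notes.append(f"note: disk not in backup set: {name}")
            continue
        if suffix == ".nvram":
            saw_nvram = True
            if name not in backup:
                errors.append(f"nvram file missing from backup: {name} "
                              "(holds the vTPM state; the VM cannot be restored without it)")
        elif suffix in HOME_SUFFIXES and name not in backup:
            errors.append(f"encrypted home file missing from backup: {name}")

    if not saw_nvram:
        errors.append("no .nvram file in the VM home directory; vTPM state is not present")
    return not errors, errors + notes


# Constructed listings (assumed names) for a VM called win10-vtpm.
SAMPLE_HOME = ["win10-vtpm.vmx", "win10-vtpm.vmxf", "win10-vtpm.vmsd",
               "win10-vtpm.nvram", "win10-vtpm.vmdk", "win10-vtpm-flat.vmdk",
               "vmware.log"]
SAMPLE_BACKUP_WITHOUT_NVRAM = [f for f in SAMPLE_HOME if not f.endswith(".nvram")]

if __name__ == "__main__":
    for label, backup in (("complete", SAMPLE_HOME),
                          ("missing nvram", SAMPLE_BACKUP_WITHOUT_NVRAM)):
        ok, findings = check_vtpm_backup(SAMPLE_HOME, backup)
        print(f"{label}: {'restorable' if ok else 'NOT restorable'}")
        for finding in findings:
            print("  " + finding)
```

The check deliberately treats a backup that skipped the disks as restorable but noteworthy, and a backup that skipped the nvram file as unrestorable; key availability at restore time cannot be judged from a file listing and still has to be confirmed against the KMS.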
You can remove a vTPM from a VM. However, removing the vTPM causes all information in the guest that was encrypted with keys protected by the vTPM (a BitLocker volume, for example) to become unrecoverable. Before removing a vTPM from a VM, disable any applications in the guest operating system that use the vTPM.
Component requirements:
· ESXi 6.7
· vCenter Server 6.7
· A KMS configured in vCenter Server, so that the VM can be encrypted

Virtual machine requirements:
· EFI firmware
· Virtual machine hardware version 14 or later
· Windows 10 (64-bit) or Windows Server 2016 (64-bit) guest operating system
vTPM does not require a physical TPM 2.0 chip to be present on the ESXi host. However, if you want to perform host attestation (having vCenter Server validate the ESXi host's boot measurements), a physical TPM 2.0 chip on the host is required.
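As an added example (not from the original page or from VMware's tooling), the following Python pre-flight check evaluates the requirements listed above, plus the host-attestation caveat, against plain dictionaries. The dictionary keys, the sample values and the VM names are assumptions; in a real run the VM-side values (firmware, hardware version, guest ID) would be read from the VM's configuration through the vSphere API.

```python
import re

# vSphere guest identifiers for the guests the page lists as supported.
SUPPORTED_GUEST_IDS = {
    "windows9_64Guest": "Windows 10 (64-bit)",
    "windows9Server64Guest": "Windows Server 2016 (64-bit)",
}
MIN_HW_VERSION = 14
MIN_RELEASE = (6, 7)


def parse_hw_version(version):
    """Turn a hardware version string such as 'vmx-14' into the integer 14."""
    m = re.fullmatch(r"vmx-(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised hardware version: {version!r}")
    return int(m.group(1))


def parse_release(version):
    """Turn '6.7.0' into (6, 7) for comparison against MIN_RELEASE."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def vtpm_prerequisites(env, vm, want_host_attestation=False):
    """Return a list of unmet requirements; an empty list means a vTPM can be added.

    env: assumed keys 'esxi_version', 'vcenter_version', 'kms_configured', 'host_tpm2'
    vm:  assumed keys 'name', 'firmware', 'hardware_version', 'guest_id'
    """
    problems = []
    if parse_release(env["esxi_version"]) < MIN_RELEASE:
        problems.append(f"ESXi {env['esxi_version']} is older than 6.7")
    if parse_release(env["vcenter_version"]) < MIN_RELEASE:
        problems.append(f"vCenter Server {env['vcenter_version']} is older than 6.7")
    if not env["kms_configured"]:
        problems.append("no KMS configured in vCenter Server; VM encryption, "
                        "which vTPM depends on, is unavailable")
    if vm["firmware"].lower() != "efi":
        problems.append(f"{vm['name']}: firmware is {vm['firmware']}, vTPM needs EFI")
    hw = parse_hw_version(vm["hardware_version"])
    if hw < MIN_HW_VERSION:
        problems.append(f"{vm['name']}: hardware version {hw} is below {MIN_HW_VERSION}")
    if vm["guest_id"] not in SUPPORTED_GUEST_IDS:
        problems.append(f"{vm['name']}: guest {vm['guest_id']} is not a supported vTPM guest")
    # Host attestation is separate from vTPM: the VM does not need a physical
    # TPM on the host, but attesting the host itself does.
    if want_host_attestation and not env["host_tpm2"]:
        problems.append("host attestation requested but the ESXi host has no physical TPM 2.0")
    return problems


# Constructed environment and VMs (assumed values).
SAMPLE_ENV = {"esxi_version": "6.7.0", "vcenter_version": "6.7.0",
              "kms_configured": True, "host_tpm2": False}
SAMPLE_VMS = [
    {"name": "win10-vtpm", "firmware": "efi", "hardware_version": "vmx-14",
     "guest_id": "windows9_64Guest"},
    {"name": "win2016-legacy", "firmware": "bios", "hardware_version": "vmx-13",
     "guest_id": "windows9Server64Guest"},
]

if __name__ == "__main__":
    for vm in SAMPLE_VMS:
        problems = vtpm_prerequisites(SAMPLE_ENV, vm)
        print(f"{vm['name']}: {'ready for vTPM' if not problems else 'blocked'}")
        for p in problems:
            print("  - " + p)
```

The second sample VM fails on two counts (BIOS firmware and hardware version 13), which matches the usual migration work for an existing Windows VM: it needs a hardware version upgrade and a BIOS-to-EFI conversion before a vTPM can be attached.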
For an excellent quick visual overview, watch the presentation by Mike from VMware.