Wednesday 17 October 2018

vTPM in vSphere 6.7

Today, we've been talking about vTPM and TPM in VMware vSphere 6.7, so I thought I'd put some information up to share with my delegates.


Trusted Platform Module (TPM) chips are found in most of today's computers, from laptops to desktops to servers.
The TPM is usually part of the system board and therefore cannot normally be changed after purchase, so it is important to select the correct TPM hardware (1.2 or 2.0) at the time of purchase.
VMware vSphere ESXi 6.7 can use a TPM to enhance host security.
A TPM helps protect against software-based attacks that attempt to steal sensitive information by corrupting system or BIOS code, or by modifying the platform's configuration: measurements of the boot chain are recorded in the TPM, so an altered boot chain produces different measurements and can be detected.
TPM is an industry-wide standard for secure crypto-processors. The Trusted Computing Group (TCG) is responsible for the TPM technical specifications.
The dedicated microprocessor is designed to secure hardware by integrating cryptographic keys into devices.
VMware vSphere 6.7 introduces support for TPM 2.0. TPM 1.2 and TPM 2.0 are two vastly different implementations, and TPM 2.0 is not backward compatible with TPM 1.2:
·         Servers are shipped with either a TPM 1.2 or a TPM 2.0 chip.
VMware vSphere 6.7 also introduces support for the Virtual Trusted Platform Module (vTPM) device, which lets you add a TPM 2.0 virtual crypto-processor to a VM.
A vTPM device is a software emulation of TPM functionality. It enables the guest operating system to create and store private keys in such a way that the key material is never exposed to the guest operating system itself.
The guest operating system can use the private key for encryption or signing, but cannot read the key out.
With a vTPM device, a third party can remotely attest to (validate) the identity of the firmware and the guest operating system. vTPM has the following use cases:
·         An operating system can verify that the firmware loaded was not compromised since the last run.
·         An application can verify that the operating system did not load any malicious components.
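As an added illustration of the "keys never exposed to the guest" point (example code, not from the original post or from VMware), the following PowerShell, run from an elevated prompt inside a Windows 10 or Windows Server 2016 guest that has a vTPM, first confirms the guest sees a TPM and then creates a non-exportable RSA signing key in the Microsoft Platform Crypto Provider, the Windows CNG provider that backs keys with the TPM. The key name and the signed text are placeholders. Signing and public-key verification work; exporting the private half is refused by the provider.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell inside a
# Windows 10 / Server 2016 guest with a vTPM. Shows a TPM-backed key the OS can use but not read.
$ErrorActionPreference = 'Stop'

# 1. Confirm the guest actually sees a ready TPM (a vTPM presents itself as TPM 2.0).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM visible in this guest: TpmPresent=$($tpm.TpmPresent) TpmReady=$($tpm.TpmReady)"
}
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
"TPM present, spec version: $spec"    # a vTPM reports a 2.0 spec version

# 2. Create an RSA-2048 signing key in the Platform Crypto Provider (TPM-backed) with an
#    export policy of None, so the private key can never leave the TPM.
$keyName  = 'vtpm-demo-signing-key'   # placeholder name
$provider = [System.Security.Cryptography.CngProvider]::new('Microsoft Platform Crypto Provider')
if ([System.Security.Cryptography.CngKey]::Exists($keyName, $provider)) {
    [System.Security.Cryptography.CngKey]::Open($keyName, $provider).Delete()   # remove a stale demo key
}
$params = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$params.Provider     = $provider
$params.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
$params.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
$params.Parameters.Add(
    [System.Security.Cryptography.CngProperty]::new(
        'Length', [BitConverter]::GetBytes(2048),
        [System.Security.Cryptography.CngPropertyOptions]::None))
$key = [System.Security.Cryptography.CngKey]::Create(
    [System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $params)

# 3. Sign with the TPM-held key ...
$rsa  = [System.Security.Cryptography.RSACng]::new($key)
$data = [Text.Encoding]::UTF8.GetBytes('attest me')   # constructed sample input
$sig  = $rsa.SignData($data,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

# ... and verify using only the public half, which is freely exportable.
$pubBlob  = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
$pubKey   = [System.Security.Cryptography.CngKey]::Import($pubBlob,
    [System.Security.Cryptography.CngKeyBlobFormat]::GenericPublicBlob)
$verifier = [System.Security.Cryptography.RSACng]::new($pubKey)
"Signature verifies with public key: " + $verifier.VerifyData($data, $sig,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

# 4. The private half cannot be exported: the provider refuses the request.
try {
    $null = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
    "Private key export SUCCEEDED - this key is NOT TPM-protected"
} catch [System.Security.Cryptography.CryptographicException] {
    "Private key export refused by the TPM provider (expected): $($_.Exception.Message)"
}

# Clean up the demo key.
$key.Delete()
```

If the same script is run against a key created in the default software provider (Microsoft Software Key Storage Provider) with an exportable policy, step 4 succeeds, which is exactly the difference the vTPM makes to the guest.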
vTPM depends on VM encryption to secure the virtual TPM data: there is no hardware behind a vTPM, so its state is only as safe as the files it is stored in.
When you configure vTPM, VM encryption automatically encrypts the VM's home directory (which contains the nvram file, *.vmx, *.vmsn, snapshots, core files, and so on) but not the disks. You can choose to add encryption explicitly for the VM and its disks.
You can back up a VM enabled with a vTPM:
·         The backup must include all VM data, including the nvram file, because that is where the vTPM state is stored.
·         If your backup does not include the nvram file, you cannot restore a VM with a vTPM.
·         Since the VM home files are encrypted, ensure that the encryption keys (i.e. the KMS that holds them) are available at the time of a restore.
You can remove a vTPM from a VM. However, removing the vTPM causes all information encrypted with keys held in it to become unrecoverable; a BitLocker volume whose key is sealed to the vTPM, for example, can no longer be unlocked.
Before removing a vTPM from a VM, disable (or migrate to other protectors) any applications in the guest operating system that use the vTPM.
Component requirements:
·         ESXi 6.7
·         vCenter Server 6.7
·         A Key Management Server (KMS) configured as a key provider in vCenter Server, since vTPM requires VM encryption
Virtual machine requirements:
·         EFI firmware
·         Virtual machine hardware version 14 or later
·         Windows 10 (64-bit) or Windows Server 2016 (64-bit) guest operating system
vTPM does not require a physical TPM 2.0 chip to be present on the ESXi host. However, if you want to perform host attestation, an external entity, such as a TPM 2.0 physical chip, is required.
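The requirements above can be checked from vCenter before you try to add the device. The following PowerCLI function is an added example (not VMware's or this post's own code). It assumes you are already connected with Connect-VIServer, that the VMware.VimAutomation.Storage module is available for Get-KmsCluster, and PowerCLI 11.0 or later for New-VTpm; the VM name is a placeholder. It reads the virtual hardware version, firmware type, guest ID, encryption state and nvram file from the VM's vSphere API configuration, and only adds the vTPM when every prerequisite is met.

```powershell
# Added example, not from the original post. Pre-flight check of the vTPM requirements
# listed above. Assumes an existing Connect-VIServer session; PowerCLI 11+ for New-VTpm.
function Test-VTpmPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $Name
    )
    $vm  = Get-VM -Name $Name
    $cfg = $vm.ExtensionData.Config

    # Virtual hardware version is reported as "vmx-NN"; vTPM needs 14 or later.
    $hwVersion = [int]($cfg.Version -replace '^vmx-', '')

    # vTPM requires EFI firmware ("efi" vs "bios").
    $firmwareOk = $cfg.Firmware -eq 'efi'

    # Supported guests in 6.7: Windows 10 x64 and Windows Server 2016 x64.
    $supportedGuests = @('windows9_64Guest', 'windows9Server64Guest')
    $guestOk = $supportedGuests -contains $cfg.GuestId

    # Config.KeyId is populated once the VM home (.vmx, nvram, ...) is encrypted.
    $homeEncrypted = $null -ne $cfg.KeyId

    # An existing vTPM shows up as a VirtualTPM device (type name compared as a string so
    # the function also loads on PowerCLI builds without that type).
    $hasVtpm = [bool]($cfg.Hardware.Device | Where-Object { $_.GetType().Name -eq 'VirtualTPM' })

    # The nvram file holds the vTPM state; a backup without it cannot be restored.
    $nvram = $vm.ExtensionData.LayoutEx.File |
        Where-Object { $_.Type -eq 'nvram' } |
        Select-Object -ExpandProperty Name

    # Key provider: at least one KMS cluster must be configured in vCenter.
    $kmsConfigured = [bool](Get-KmsCluster -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        VM              = $vm.Name
        HardwareVersion = $hwVersion
        HardwareOk      = $hwVersion -ge 14
        Firmware        = $cfg.Firmware
        FirmwareOk      = $firmwareOk
        GuestId         = $cfg.GuestId
        GuestOk         = $guestOk
        HomeEncrypted   = $homeEncrypted
        HasVTpm         = $hasVtpm
        NvramFile       = $nvram
        KmsConfigured   = $kmsConfigured
        ReadyForVTpm    = ($hwVersion -ge 14) -and $firmwareOk -and $guestOk -and $kmsConfigured -and -not $hasVtpm
    }
}

# Usage: report, then add the device only when every prerequisite is met.
$check = Test-VTpmPrerequisites -Name 'win2016-app01'   # placeholder VM name
$check | Format-List
if ($check.ReadyForVTpm) {
    # New-VTpm (PowerCLI 11+) adds the device; power the VM off first.
    Get-VM -Name $check.VM | New-VTpm
}
```

Running the check again after New-VTpm should show HasVTpm as True and HomeEncrypted as True, and the NvramFile path is the file your backup job must include.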
For an excellent quick visual overview, watch the presentation by Mike from VMware.




Monday 15 October 2018

Free eBook from VMware - Modern PC Management

VMware have very kindly made available another free ebook entitled:

Modern PC Management for Dummies

The book covers the following (straight from the Intro page):

"Welcome to Modern PC Management For Dummies, your guide to effectively managing desktop, mobile, and rugged devices in the heterogeneous world of today's business IT.
First of all, what do we mean by "modern PC management"? In the context of this book, PC management refers to an IT department's ability to effectively commission, support, and decommission computing devices assigned to individual users. The old methods that IT departments of the past have employed just aren't cutting it anymore; modern solutions are needed to address today's management issues.

Modern management brings the efficiency of mobile device management (MDM) with the full breadth of capabilities of PC lifecycle management (PCLM) to enable UEM via a digital workspace platform. The digital workspace collapses the silos between mobile and desktop management and even line-of-business application management to enable all devices."

The book comprises 5 chapters over 58 pages and is authored by Kevin Strohmeyer, Aditya Kunduri, and Justin Grimsley.

Definitely worth a read.

Wednesday 3 October 2018

vSAN 6.7 and what's to come

Today I've been talking about vSAN in relation to the vSAN 6.6 Deploy and Manage Course.

I was lucky enough to be at the March Newcastle upon Tyne North East VMUG meeting, where Duncan Epping was one of the keynote speakers. I recalled that he gave us a session on VMware vSAN 6.7 and what was to come.

The presentation is available on YouTube and if you've got an hour spare, it's worth a watch.

 

Join Duncan Epping, Chief Technologist VMware EMEA, to learn about the new features and functionality of vSAN 6, how this release delivers a more intuitive operating experience and a more consistent application experience, whilst offering a more holistic support experience for our customers.