Wednesday 17 October 2018

vTPM in vSphere 6.7

Today, we've been talking about vTPM and TPM in VMware vSphere 6.7, so I thought I'd put some information up to share with my delegates.


Trusted Platform Module (TPM) chips are found in most of today's computers, from laptops, to desktops, to servers.
The TPM chip usually is part of the system board and therefore the user may not be able to change it after purchase.
It is important to select the correct TPM hardware at the time of purchase.
VMware vSphere ESXi 6.7 can use Trusted Platform Module (TPM) chips to enhance host security.
TPM protects from software-based attacks that attempt to steal sensitive information by corrupting system and BIOS code, or by modifying the platform’s configuration.
TPM is an industry-wide standard for secure crypto-processors. The Trusted Computing Group (TCG) is responsible for TPM technical specifications.
The dedicated microprocessor is designed to secure hardware by integrating cryptographic keys into devices.
VMware vSphere 6.7 introduces support for TPM 2.0. TPM 1.2 and TPM 2.0 are two vastly different implementations:
·         Servers are shipped with either the TPM 1.2 or the TPM 2.0 chip.
VMware vSphere 6.7 introduces support for the Virtual Trusted Platform Module (vTPM) device, which lets you add a TPM 2.0 virtual crypto-processor to a VM.
A vTPM device is a software emulation of the TPM functionality. It enables the guest operating system to create and store private keys in such a way that they are never exposed to the guest operating system itself, while still allowing the guest to use those private keys for encryption or signing.
With a vTPM device, a third party can remotely attest to (validate) the identity of the firmware and the guest operating system. vTPM has the following use cases:
·         An operating system can verify that the firmware loaded was not compromised since the last run.
·         An application can verify that the operating system did not load any malicious components.
vTPM depends on VM encryption to secure virtual TPM data.
When you configure vTPM, VM encryption automatically encrypts the VM’s home directory (which contains nvram, *.vmx, *.vmsn, snapshots, core files, and so on) but not the disks. You can choose to add encryption explicitly for the VM and its disks. You can back up a VM enabled with a vTPM:
·         The backup must include all VM data, including the nvram file.
·         If your backup does not include the nvram file, then you cannot restore a VM with a vTPM.
·         Since the VM home files are encrypted, ensure that the encryption keys are available at the time of a restore.
You can remove a vTPM from a VM. However, removing the vTPM causes all encrypted information on that VM to become unrecoverable.
Before removing a vTPM from a VM, disable any applications in the guest operating system that use the vTPM.
Component requirements:
·         ESXi 6.7
·         vCenter Server 6.7
·         KMS configured in vCenter Server to encrypt a VM
Virtual machine requirements:
·         EFI firmware
·         Virtual machine hardware version 14 or later
·         Windows 10 (64-bit) or Windows Server 2016 (64-bit) guest operating system
vTPM does not require a physical TPM 2.0 chip to be present on the ESXi host. However, if you want to perform host attestation, an external entity, such as a TPM 2.0 physical chip, is required.
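As an added example (my own PowerCLI script, not from VMware's documentation or the presentation), the following checks the VM requirements listed above before adding a vTPM, and then confirms that the nvram file exists in the VM's home directory so a backup job can be verified against it. It assumes PowerCLI 11 or later (which provides the Get-VTpm and New-VTpm cmdlets), a vCenter Server 6.7 with a KMS already configured, and placeholder names for the vCenter host and the VM.

```powershell
# Added example: vTPM pre-flight checks in PowerCLI (not VMware's own code).
# Assumptions: PowerCLI 11+ (Get-VTpm / New-VTpm), vCenter 6.7 with a KMS configured,
# and the placeholder names below replaced with real ones.
param(
    [string]$VIServer = 'vcsa.example.local',   # placeholder vCenter FQDN
    [string]$VMName   = 'win2016-app01'         # placeholder VM name
)

Connect-VIServer -Server $VIServer | Out-Null
$vm  = Get-VM -Name $VMName
$cfg = $vm.ExtensionData.Config

# Guest OS identifiers for the supported guests: Windows 10 (64-bit) and Windows Server 2016 (64-bit)
$supportedGuests = @('windows9_64Guest', 'windows9Server64Guest')

# Hardware version is reported as "vmx-NN"; vTPM needs 14 or later
$hwVersion = [int]($cfg.Version -replace '^vmx-', '')

$checks = [ordered]@{
    'EFI firmware'                 = ($cfg.Firmware -eq 'efi')
    'Hardware version 14 or later' = ($hwVersion -ge 14)
    'Supported guest OS'           = ($supportedGuests -contains $cfg.GuestId)
}

$allPassed = $true
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    if (-not $checks[$name]) { $allPassed = $false }
    Write-Host ("[{0}] {1}" -f $state, $name)
}

# KeyId is populated once the VM home directory is encrypted; adding a vTPM
# triggers this automatically, so it is informational rather than a blocker.
if ($null -ne $cfg.KeyId) {
    Write-Host "[INFO] VM home is already encrypted (key provider: $($cfg.KeyId.ProviderId.Id))"
} else {
    Write-Host "[INFO] VM home not yet encrypted; adding a vTPM will encrypt it via the configured KMS"
}

if (-not $allPassed) {
    Write-Host "Requirements not met; no vTPM added."
    Disconnect-VIServer -Server $VIServer -Confirm:$false
    return
}

if (Get-VTpm -VM $vm) {
    Write-Host "VM already has a vTPM; nothing to add."
} else {
    # Adding the vTPM is what makes the nvram file (and the rest of the VM home) encrypted,
    # so do this only when the KMS is known to be reachable.
    New-VTpm -VM $vm | Out-Null
    Write-Host "vTPM added to $VMName."
}

# Backup check: the nvram file must be part of any backup for a restore to succeed.
$vm.ExtensionData.UpdateViewData('LayoutEx')
$nvram = $vm.ExtensionData.LayoutEx.File | Where-Object { $_.Type -eq 'nvram' }
if ($nvram) {
    Write-Host "nvram file to include in backups: $($nvram.Name)"
} else {
    Write-Host "[WARN] no nvram file found in the VM layout; power the VM on once and re-check"
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

The script only adds the vTPM when every requirement passes, because a failed New-VTpm after a partial encryption step leaves more to clean up than a skipped one. The nvram path it prints is the one to compare against the backup job's file list; if that file is missing from the backup, the restore will not succeed, as noted above.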
For an excellent quick visual overview, watch Mike from VMware's presentation.