A virtual machine (VM) is a software computer that, like a physical computer, runs an operating system and applications. The virtual machine consists of a set of specification and configuration files, and is backed by the physical resources of a host. Every virtual machine has virtual devices that provide the same functionality as physical hardware but are more portable, more secure, and easier to manage.
In addition to the operations that you can run on a physical machine, VMware Cloud Director virtual machines support virtual infrastructure operations, such as taking a snapshot of virtual machine state, and moving a virtual machine from one host to another.
Virtual machines support IPv6 connectivity. You can assign IPv6 addresses to virtual machines connected to IPv6 networks.
Securing Virtual Machines with a Trusted Platform Module
Starting with VMware Cloud Director 10.4.2, you can create, copy, and edit VMs with Trusted Platform Module (TPM) devices. A TPM is a software-based representation of a physical Trusted Platform Module 2.0 chip and behaves like any other virtual device.
TPMs provide hardware-based, security-related functions such as random number generation, attestation, and key generation. When you add a TPM to a VM, the guest operating system can create and store private keys in it. The guest operating system can use these keys for encryption or signing, but the key material itself is never exposed to the guest, which reduces the VM attack surface. Compromising a guest operating system usually compromises its secrets; an enabled TPM greatly reduces this risk. With an attached TPM, a remote client can attest the identity of the VM and verify the software that it is running.
A TPM does not require a physical Trusted Platform Module 2.0 chip to be present on the ESXi host. From the perspective of the VM, a TPM is a virtual device. You can add a TPM to either a new or an existing VM. To secure vital TPM data, a TPM depends on VM encryption, so you must configure a key provider. When you configure a TPM, the VM files are encrypted, but the disks are not.
- The VM is powered off.
- The VM does not have any snapshots.
- A VDC that supports TPM backs the VM.
- The VM firmware is EFI.
- The VM hardware version is version 14 or later.
- The guest OS is compatible with TPM.
To perform certain operations for VMs with TPM across vCenter Server instances, you must verify that your environment meets certain prerequisites.
The operations concerned are:
- Copy a VM
- Move a VM
- Copy a vApp
- Move a vApp
- Create a VM from a template
- Save a vApp as a vApp template to a catalog
- Add a standalone VM to a catalog
- Create a vApp template from an OVF file
- Import a VM from vCenter Server
- Save a vApp as a vApp template to a catalog
- Add a standalone VM to a catalog
- Create a vApp template from an OVF file
- Import a VM from vCenter Server as a template
- Copy a VM
- Copy a vApp
- Compose a vApp
Operation | vCenter Server 7.x | vCenter Server 8.x |
---|---|---|
Create a Standalone Virtual Machine | New TPM device | New TPM device |
Create a VM from a Template | Copy and replace. Depends on the specific VM template. | Copy and replace. Depends on the specific VM template. |
Create a vApp Using VM Templates | Copy and replace. Depends on the specific VM templates. | Copy and replace. Depends on the specific VM templates. |
Create a vApp From an OVF Package | New TPM device (see Uploading an OVF with a TPM) | New TPM device (see Uploading an OVF with a TPM) |
Create vApp from Template | Copy and replace. Depends on the vApp template. | Copy and replace. Depends on the vApp template. |
Import a VM from vCenter Server as a vApp | Copy | Copy |
Add a new VM to a vApp | New TPM device | New TPM device |
Add a VM from a Template to a vApp | Copy and replace. Depends on the specific VM template. | Copy and replace. Depends on the specific VM template. |
Copy a VM to a Different vApp | Copy | Copy and replace |
Move a VM to a Different vApp | Copy | Copy |
| | Copy. Applies to all TPM devices within the vApp. | Copy and replace. Applies to all TPM devices within the vApp. |
Save a vApp as a vApp Template to a Catalog | Copy and replace | Copy and replace |
Create a vApp Template from an OVF File | New TPM device (see Uploading an OVF with a TPM) | New TPM device (see Uploading an OVF with a TPM) |
If you do not specify whether to copy or replace a TPM device in the API, VMware Cloud Director copies the TPM by default. When you perform operations on vApps in the UI, the option to copy or replace the TPM applies to all VMs within the vApp.
- If the template was created by using VMware Cloud Director, the instantiation copies or replaces the TPM device according to the TPM Provisioning option that was selected when the template was captured.
- If the template was created by uploading an OVF or OVA, the instantiation replaces the TPM device.
- If the template was created by importing a VM from vCenter Server, the instantiation copies the TPM device.
- For templates whose TPM devices VMware Cloud Director replaces during instantiation, you can instantiate across vCenter Server instances, provided that the target vCenter Server meets the TPM requirements.
If you subscribe to a catalog containing templates with TPM devices, the VMware Cloud Director version of the subscriber must be 10.4.2 or later. If the VMware Cloud Director version of the subscriber is 10.4.1 or earlier, the templates do not contain TPM devices.
For TPM prerequisites for vCenter Server, see the prerequisite sections in Create a Virtual Machine with a Virtual Trusted Platform Module or Add Virtual Trusted Platform Module to an Existing Virtual Machine in the vSphere Security guide.