Starting with VMware Cloud Director 10.4.2, you can create, copy, and edit VMs and vApps with Trusted Platform Module (TPM) devices. A TPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A TPM acts as any other virtual device.
TPMs provide hardware-based, security-related functions such as random number generation, attestation, key generation, and more. When you add a TPM to a VM, the TPM enables the guest operating system to create and store private keys. The guest operating system cannot access these keys, which reduces the VM attack surface. Usually, compromising the guest operating system compromises its secrets, but enabling a TPM greatly reduces this risk. Only the guest operating system can use these keys for encryption or signing. With an attached TPM, a client can remotely attest the identity of the VM, and verify the software that it is running.
A TPM does not require a physical Trusted Platform Module 2.0 chip to be present on the ESXi host. From the perspective of the VM, a TPM is a virtual device. You can add a TPM to either a new or an existing VM. To secure vital TPM data, a TPM depends on the VM encryption, and you must configure a key provider. When you configure a TPM, the VM files are encrypted but not the disks.
For tenant-relevant information, see Working with Virtual Machines.
- Virtual machine requirements
- EFI firmware
- VM hardware version 14 and later
- Component requirements
- vCenter Server 6.7 and later for Windows VMs vCenter Server 7.0 Update 2 and later for Linux VMs
- Native, standard, or trusted key provider configured for vCenter Server. See the Configuring and Managing a Standard Key Provider, Configuring and Managing vSphere Native Key Provider, or Trusted Infrastructure Overview chapters in the VMware vSphere Security documentation.
- Guest OS support
- Linux
- Windows Server 2008 and later
- Windows 7 and later
- Copy a VM
- Move a VM
- Copy a vApp
- Move a vApp
- Instantiate a vApp template when the template copies the TPM during instantiation.
- Save a vApp as a vApp template to a catalog
- Add a standalone VM to a catalog
- Create a vApp template from an OVF file
- Import a VM from vCenter Server
- The key provider used to encrypt each VM must be registered on the target vCenter Server instance under the same name.
- The VM and the target vCenter Server instance are on the same shared storage. Alternatively, fast cross vCenter Server vApp instantiation must be activated. See the fast cross vCenter Server vApp instantiation information in the VMware Cloud Director 10.4 Release Notes.
- Save a vApp as a vApp template to a catalog
- Add a standalone VM to a catalog
- Create a vApp template from an OVF file
- Importing a VM from vCenter Server as a template
- Copy a VM
- Copy a vApp
- Compose a vApp
Operation | vCenter Server 7.x | vCenter Server 8.x |
---|---|---|
Create a Standalone Virtual Machine | New TPM device | New TPM device |
Create a Virtual Machine from a Template | Copy and replace Depends on the specific VM template. |
Copy and replace Depends on the specific VM template. |
Build a New vApp | Copy and replace Depends on the specific VM templates. |
Copy and replace Depends on the specific VM templates. |
Create a vApp From an OVF Package | New TPM device Uploading an OVF with a TPM |
New TPM device Uploading an OVF with a TPM |
Create a vApp from a vApp Template | Copy and replace Depends on the vApp template. |
Copy and replace Depends on the vApp template. |
Import a Virtual Machine from vCenter Server as a vApp | Copy | Copy |
Add a Virtual Machine to a vApp | New TPM device | New TPM device |
Add a VM from a Template to a vApp | Copy and replace Depends on the specific VM template. |
Copy and replace Depends on the specific VM template. |
Copy a Virtual Machine to a Different vApp | Copy | Copy and replace |
Move a Virtual Machine to a Different vApp | Copy | Copy |
Copy Applies to all TPM devices within the vApp. |
Copy and replace Applies to all TPM devices within the vApp. |
|
Save a vApp as a vApp Template to a Catalog | Copy and replace | Copy and replace |
Create a vApp Template from an OVF File | New TPM device Uploading an OVF with a TPM |
New TPM device Uploading an OVF with a TPM |
If you do not specify whether to copy or replace a TPM device in the API, VMware Cloud Director copies the TPM by default. When performing operations on vApps in the UI, the option to copy or replace TPM applies to all VMs within the vApp.
- If the template was created by using VMware Cloud Director, the instantiation copies or replaces the TPM device based on the selected TPM Provisioning option when the template was captured.
- If the template was created by uploading an OVF or OVA, the instantiation replaces the TPM device.
- If the template was created by importing a VM from vCenter Server, the instantiation copies the TPM device.
- If the target vCenter Server meets the TPM requirements, you can perform instantiations across vCenter Server instances for templates for which VMware Cloud Director replaces the TPM devices during instantiation.
When using the VMware Cloud Director API, VMware Cloud Director supports the moveVApp API for VMs with a TPM device if the target vCenter Server instance contains the key provider associated with the VM. There is no shared storage requirement for the moveVApp API. There are shared storage requirements for other operations that involve moving a vApp.
Importing a VM containing a TPM device from a vCenter Server instance as a vApp preserves the TPM device for the copy
and move
operations.
For TPM prerequisites for vCenter Server, see the prerequisite sections in Create a Virtual Machine with a Virtual Trusted Platform Module or Add Virtual Trusted Platform Module to an Existing Virtual Machine in the vSphere Security guide.