Starting with VMware Cloud Director 10.4.2, you can create, copy, and edit VMs and vApps with Trusted Platform Module (TPM) devices. A TPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A TPM acts like any other virtual device.

TPMs provide hardware-based, security-related functions such as random number generation, attestation, and key generation. When you add a TPM to a VM, the guest operating system can create and store private keys in it. The guest operating system can use these keys for encryption or signing but cannot extract them, which reduces the VM attack surface: compromising a guest operating system usually exposes its secrets, but a TPM greatly reduces this risk. With an attached TPM, a client can also remotely attest the identity of the VM and verify the software that it is running.

A TPM does not require a physical Trusted Platform Module 2.0 chip to be present on the ESXi host. From the perspective of the VM, a TPM is a virtual device. You can add a TPM to either a new or an existing VM. To secure vital TPM data, a TPM depends on VM encryption, so you must configure a key provider. When you configure a TPM, the VM files are encrypted but the disks are not.

For tenant-relevant information, see Working with Virtual Machines.

To add a TPM device to a VM, your vSphere environment must meet certain requirements.
To perform certain operations for VMs with TPM across vCenter Server instances, you must verify that your environment meets certain prerequisites. The operations are:
  • Copy a VM
  • Move a VM
  • Copy a vApp
  • Move a vApp
  • Instantiate a vApp template when the template copies the TPM during instantiation.
  • Save a vApp as a vApp template to a catalog
  • Add a standalone VM to a catalog
  • Create a vApp template from an OVF file
  • Import a VM from vCenter Server
To perform the operations across vCenter Server instances, your environment must meet the following criteria:
  • The key provider used to encrypt each VM must be registered on the target vCenter Server instance under the same name.
  • The VM and the target vCenter Server instance must be on the same shared storage. Alternatively, fast cross vCenter Server vApp instantiation must be activated. See the fast cross vCenter Server vApp instantiation information in the VMware Cloud Director 10.4 Release Notes.
For VMs with a TPM device, when the target catalog uses any available storage in an organization which has multiple backing vCenter Server instances, VMware Cloud Director does not support the following operations:
  • Save a vApp as a vApp template to a catalog
  • Add a standalone VM to a catalog
  • Create a vApp template from an OVF file
  • Import a VM from vCenter Server as a template
If the target vCenter Server instance is version 8.0 or later, you can replace the TPM device of a VM during the following operations:
  • Copy a VM
  • Copy a vApp
  • Compose a vApp
Table 1. TPM Device Options Depending on the vCenter Server Version

| Operation | vCenter Server 7.x | vCenter Server 8.x |
| --- | --- | --- |
| Create a Standalone Virtual Machine | New TPM device | New TPM device |
| Create a Virtual Machine from a Template | Copy and replace (depends on the specific VM template) | Copy and replace (depends on the specific VM template) |
| Build a New vApp | Copy and replace (depends on the specific VM templates) | Copy and replace (depends on the specific VM templates) |
| Create a vApp From an OVF Package | New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM. | New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM. |
| Create a vApp from a vApp Template | Copy and replace (depends on the vApp template) | Copy and replace (depends on the vApp template) |
| Import a Virtual Machine from vCenter Server as a vApp | Copy | Copy |
| Add a Virtual Machine to a vApp | New TPM device | New TPM device |
| Add a VM from a Template to a vApp | Copy and replace (depends on the specific VM template) | Copy and replace (depends on the specific VM template) |
| Copy a Virtual Machine to a Different vApp | Copy | Copy and replace |
| Move a Virtual Machine to a Different vApp | Copy | Copy |
| Copy a Stopped vApp to Another VDC; Copy a Powered-On vApp | Copy (applies to all TPM devices within the vApp) | Copy and replace (applies to all TPM devices within the vApp) |
| Save a vApp as a vApp Template to a Catalog | Copy and replace | Copy and replace |
| Create a vApp Template from an OVF File | New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM. | New TPM device. Uploading an OVF with a TPM RASD section attaches a new TPM device to each VM with a defined TPM. |

If you do not specify whether to copy or replace a TPM device in the API, VMware Cloud Director copies the TPM by default. When performing operations on vApps in the UI, the option to copy or replace TPM applies to all VMs within the vApp.

When instantiating a VM from a vApp template that contains a TPM device, there are some considerations you must take into account.
  • If the template was created by using VMware Cloud Director, the instantiation copies or replaces the TPM device based on the selected TPM Provisioning option when the template was captured.
  • If the template was created by uploading an OVF or OVA, the instantiation replaces the TPM device.
  • If the template was created by importing a VM from vCenter Server, the instantiation copies the TPM device.
  • If the target vCenter Server meets the TPM requirements, you can perform instantiations across vCenter Server instances for templates for which VMware Cloud Director replaces the TPM devices during instantiation.
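The prerequisite and template-origin rules above, written out as a pre-flight check over constructed inventory data. This is an added example, not VMware Cloud Director or vSphere code; the class and field names are assumptions, and "meets the TPM requirements" for the replace case is modelled simply as the target having a key provider configured.

```python
"""Pre-flight checks for TPM-enabled VM operations across vCenter Server instances.

Added example, not VMware Cloud Director code. It encodes the rules stated on
this page: the VM's key provider must be registered under the same name on the
target, the VM and target need shared storage unless fast cross-vCenter vApp
instantiation is activated, and template origin decides copy vs. replace.
All class names, field names and sample values are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class VCenter:
    name: str
    key_providers: set = field(default_factory=set)   # registered provider names
    datastores: set = field(default_factory=set)      # datastores visible to this vCenter
    fast_cross_vc_instantiation: bool = False


@dataclass
class TpmVm:
    name: str
    key_provider: str    # provider that encrypts the VM files
    datastore: str


def tpm_action_on_instantiate(template_origin: str, captured_option: str = None) -> str:
    """Return 'copy' or 'replace' for a template, based on how it was created."""
    if template_origin == "vcd":        # captured in Cloud Director: option chosen at capture time
        if captured_option not in ("copy", "replace"):
            raise ValueError("captured TPM Provisioning option must be 'copy' or 'replace'")
        return captured_option
    if template_origin == "ovf":        # uploaded OVF/OVA: always replace
        return "replace"
    if template_origin == "vcenter":    # imported from vCenter Server: always copy
        return "copy"
    raise ValueError(f"unknown template origin: {template_origin}")


def cross_vcenter_blockers(vm: TpmVm, target: VCenter, action: str) -> list:
    """List reasons the operation cannot run on the target; an empty list means OK."""
    blockers = []
    if action == "replace":
        # Assumption: 'meets the TPM requirements' modelled as a configured key provider.
        if not target.key_providers:
            blockers.append(f"{target.name} has no key provider configured")
        return blockers
    if vm.key_provider not in target.key_providers:
        blockers.append(f"key provider '{vm.key_provider}' is not registered on {target.name}")
    if vm.datastore not in target.datastores and not target.fast_cross_vc_instantiation:
        blockers.append(f"{vm.name} is not on storage shared with {target.name} "
                        "and fast cross-vCenter vApp instantiation is not activated")
    return blockers
```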

When using the VMware Cloud Director API, VMware Cloud Director supports the moveVApp API for VMs with a TPM device if the target vCenter Server instance contains the key provider associated with the VM. There is no shared storage requirement for the moveVApp API. There are shared storage requirements for other operations that involve moving a vApp.

Importing a VM containing a TPM device from a vCenter Server instance as a vApp preserves the TPM device for the copy and move operations.

For TPM prerequisites for vCenter Server, see the prerequisite sections in Create a Virtual Machine with a Virtual Trusted Platform Module or Add Virtual Trusted Platform Module to an Existing Virtual Machine in the vSphere Security guide.