A Trusted Platform Module (TPM) is a hardware device that can establish a chain of trust for the software that is loaded onto a machine. VMware virtual TPM (vTPM) is a fully compatible implementation that provides the equivalent function for virtual machines.

If you want a VM to contain a vTPM device, you can either create it as a placeholder in the OVF and have it auto-configured on import, or add the vTPM device after OVF import.

Prepare OVF with Virtual TPM Placeholder

This procedure is convenient for OVF re-use in the long run, but requires more work initially:

  1. Prepare the guest VM for vTPM removal by ensuring that none of its applications are using the vTPM device, such as BitLocker, etc.
  2. Remove the vTPM device from the VM. The VM home will be decrypted unless there is a feature or policy that requires encryption.
  3. If it was encrypted, decrypt the VM. OVF export does not work on encrypted VMs, so the VM must be decrypted before export.
  4. Export the VM.
    • Using ovftool (recommended) you can add a vTPM placeholder in the destination OVF descriptor with the addDevice:vtpm option. This option creates the vTPM placeholder in the destination OVF descriptor (file.ovf) and calculates the proper manifest file checksum. For example:
      ovftool --addDevice:vtpm vi://user:pass@my_vc/datacenter?ds=[Storage1] vm/vm.vmx c:\ovfs\
    • Using the vSphere Client UI (more difficult) you can export the VM to an OVF template. After export, open the OVF descriptor file (file.ovf) and manually add a vTPM device placeholder, as below.

      You must also open the OVF manifest file (.mf) and fix the SHA256 checksum for the .ovf file. Because you manually edited the OVF descriptor file, the checksums in the OVF manifest are no longer correct. You must recalculate the checksum for the .ovf file and manually set it in the manifest file.

      (Optional) Re-sign the OVF template if it should be security signed. Perform this step after editing the .ovf and .mf files.

      <Item ovf:required="false">
        <rasd:AutomaticAllocation>false</rasd:AutomaticAllocation>
        <rasd:ElementName>Virtual TPM</rasd:ElementName>
        <rasd:InstanceID>13</rasd:InstanceID>
        <rasd:ResourceSubType>vmware.vtpm</rasd:ResourceSubType>
        <rasd:ResourceType>1</rasd:ResourceType>
      </Item>
  5. Import the OVF into vSphere. You can do this with ovftool. Upon importing the VM, the vTPM device will be auto-provisioned, and a unique Endorsement Key (EK) will be generated.
Note: The OVF descriptor will contain a placeholder for a vTPM device, which does not contain any secrets. The actual EK is generated when a VM is created from this OVF template on import.
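The manifest fix from step 4, as an added example that is not part of the original page or of VMware's tooling: a small Python helper that parses a .mf file, reports entries whose recorded digest no longer matches the file on disk (which is what happens after you hand-edit file.ovf), and rewrites the .ovf entry with a fresh digest while leaving the disk entries alone. The manifest contents and file names below are constructed.

```python
import hashlib
import re

# Constructed sample manifest; a real .mf is written by the ovftool / vSphere Client export.
SAMPLE_MF = (
    "SHA256(file.ovf)= "
    "0000000000000000000000000000000000000000000000000000000000000000\n"
    "SHA256(file-disk1.vmdk)= "
    "1111111111111111111111111111111111111111111111111111111111111111\n"
)

# One manifest line has the shape: ALGORITHM(filename)= hexdigest
_MF_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)
_HASHERS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_manifest(mf_text):
    """Return {filename: (algorithm, lowercase hex digest)} for every manifest entry."""
    entries = {}
    for line in mf_text.splitlines():
        if not line.strip():
            continue
        m = _MF_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        entries[m["name"]] = (m["alg"], m["digest"].lower())
    return entries


def digest_for(algorithm, content):
    """Hex digest of `content` using the algorithm named in the manifest entry."""
    return _HASHERS[algorithm](content).hexdigest()


def stale_entries(mf_text, files):
    """Names whose recorded digest no longer matches the given bytes (files: {name: bytes})."""
    return sorted(
        name for name, (alg, digest) in parse_manifest(mf_text).items()
        if name in files and digest_for(alg, files[name]) != digest
    )


def update_manifest(mf_text, filename, content):
    """Rewrite only the entry for `filename`, keeping the algorithm the manifest already uses."""
    alg, _ = parse_manifest(mf_text)[filename]  # KeyError if the file is not listed
    new_line = f"{alg}({filename})= {digest_for(alg, content)}\n"
    out = []
    for line in mf_text.splitlines(keepends=True):
        m = _MF_LINE.match(line)
        out.append(new_line if m is not None and m["name"] == filename else line)
    return "".join(out)
```

Run stale_entries against the exported files after editing; once update_manifest has been applied to the descriptor entry the list should be empty, and only then re-sign the template if it is signed.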

Prepare OVF and Add Virtual TPM During or After Import

  1. Prepare the guest VM for vTPM removal by ensuring that none of its applications are using the vTPM device, such as BitLocker, etc.
  2. Remove the vTPM device from the VM. The VM home will be decrypted unless there is a feature or policy that requires encryption.
  3. If it was encrypted, decrypt the VM. OVF export does not work on encrypted VMs, so the VM must be decrypted before export.
  4. Export the VM. You can do this either with the vSphere Client UI or with ovftool.
  5. Import the OVF into vSphere.
    • Unless the OVF contains a vTPM placeholder, import using the ovftool --addDevice:vtpm option. Specifying this option on the command line creates a vTPM device attached to the destination VM. If the OVF contains a vTPM placeholder, you do not need the --addDevice option. The placeholder will automatically become a vTPM device on the imported VM.
    • With the vSphere Client, import the VM. After importing the VM, you can add a vTPM device manually using the vSphere Client.