Trusted platform module (TPM) is the standard for a dedicated microchip that can store sensitive data, perform cryptographic tasks, and ensure platform integrity by establishing a chain of trust for software loaded onto a machine. It assures integrity by calculating a message digest for each software component that gets loaded, storing the message digest in platform configuration register.
Enabling vTPM in a Virtual Machine
Virtual TPM (vTPM) is a software implementation of TPM provided in virtual hardware version 14. In other words, vSphere 6.7 offers vTPM for newly created or upgraded VMs. Because vTPM is encrypted, encryption services must be present on the network. Backup and restore of a vTPM enabled VM is similar to backup and restore of an encrypted VM, with these additional requirements.
- Each involved vCenter Server must be configured with the same key management server (KMS).
- Before adding the vTPM device to a VM, the
ConfigInfo.firmware
type must be set toefi
, notbios
. When you add a VM with encryption storage policy, vSphere encrypts the VM Home including vTPM. - To preserve vTPM in a restored VM, the
ConfigInfo.keyId
,encryption.bundle
, NVRAM file, and vTPM device of the source VM must be saved at backup time, for later restore. Saving an NVRAM file requires use of the HTTP file service.
Backup with vTPM
To back up a vTPM enabled VM, follow these steps, as in the sample code below.
- Back up the
keyId
andencryption.bundle
of the source VM fromconfigInfo
. - Back up the vTPM device of the source VM from
configInfo
. - Back up property
firmware
of the source VM fromconfigInfo
.
// get source VM config VirtualMachineConfigInfo sourceVmConfigInfo = ... ; // save keyId CryptoKeyId keyId = sourceVmConfigInfo.getKeyId(); // save encryption.bundle, which is in extraConfig List<OptionValue> extraCfg = sourceVmConfigInfo .getExtraConfig(); // save firmware String firmware = sourceVmConfigInfo.getFirmware(); // save vTPM device VirtualDevice vtpmDevice = null; for (VirtualDevice virtualDevice : sourceVmConfigInfo.getHardware().getDevice()) { if (virtualDevice instanceof VirtualTPM) { vtpmDevice = virtualDevice; } // save other devices // ... } // save nvram file byte[] nvramByteAry = vsphereFileServiceClient.download(sourceVmNvramFilePath);
Restoring With vTPM
To restore a vTPM enabled VM, follow these steps, as in the sample code below.
- Configure a VM with the same
keyId
andencryption.bundle
as source (requires same KMS). - Make sure an encryption storage policy exists and is assigned to the VM. See "Create an Encryption Storage Policy" in the vSphere Web Services SDK Programming Guide.
- Configure this VM with the same firmware property and vTPM device as the source VM.
- Restore NVRAM using HTTP service. Again, see section "HTTP Access to vSphere Server Files" in the vSphere Web Services SDK Programming Guide.
// create configSpec for VM to be created VirtualMachineConfigSpec configSpec = new VirtualMachineConfigSpec() ; // set keyId CryptoSpecEncrypt cryptoSpec = new CryptoSpecEncrypt(); cryptoSpec.setCryptoKeyId(keyId); configSpec.setCrypto(cryptoSpec); // set encryption.bundle configSpec.setExtraConfig(extraCfg); // // set PbmProfile for encryption // For complete code, see Example: Java program to set storage policy for encryption. // public class CreateVMEncryptionProfile extends ConnectedServiceBase { // private PbmServiceInstanceContent spbmsc; // private String profileName; // ... // for (PbmCapabilityVendorResourceTypeInfo vendor : vendorInfo) // for (PbmCapabilityVendorNamespaceInfo vnsi : vendor .getVendorNamespaceInfo()) // if (vnsi.getNamespaceInfo().getNamespace().equals("vmwarevmcrypt")) { // encryptionCapable = true; // break; // } // ... // set firmware configSpec.setFirmware(firmware); // set vTPM device VirtualDeviceConfigSpec vtpmDeviceConfig = new VirtualDeviceConfigSpec(); vtpmDeviceConfig.setOperation(VirtualDeviceConfigSpecOperation.ADD); vtpmDeviceConfig.setFileOperation(null); vtpmDeviceConfig.setDevice(vtpmDevice); configSpec.getDeviceChange().add(vtpmDeviceConfig); // set other properties and then create restore VM // ... // upload nvram vsphereFileServiceClient.upload(restoreVmNvramFilePath, nvramByteAry