Trusted platform module (TPM) is the standard for a dedicated microchip that can store sensitive data, perform cryptographic tasks, and ensure platform integrity by establishing a chain of trust for software loaded onto a machine. It assures integrity by calculating a message digest for each software component that gets loaded, storing the message digest in platform configuration register.

Enabling vTPM in a Virtual Machine

Virtual TPM (vTPM) is a software implementation of TPM provided in virtual hardware version 14. In other words, vSphere 6.7 offers vTPM for newly created or upgraded VMs. Because vTPM is encrypted, encryption services must be present on the network. Backup and restore of a vTPM enabled VM is similar to backup and restore of an encrypted VM, with these additional requirements.

  • Each involved vCenter Server must be configured with the same key management server (KMS).
  • Before adding the vTPM device to a VM, the ConfigInfo.firmware type must be set to efi, not bios. When you add a VM with encryption storage policy, vSphere encrypts the VM Home including vTPM.
  • To preserve vTPM in a restored VM, the ConfigInfo.keyId, encryption.bundle, NVRAM file, and vTPM device of the source VM must be saved at backup time, for later restore. Saving an NVRAM file requires use of the HTTP file service.

Backup with vTPM

To back up a vTPM enabled VM, follow these steps, as in the sample code below.

  1. Back up the keyId and encryption.bundle of the source VM from configInfo.
  2. Back up the vTPM device of the source VM from configInfo.
  3. Back up property firmware of the source VM from configInfo.
// get source VM config
VirtualMachineConfigInfo sourceVmConfigInfo = ... ;
// save keyId
CryptoKeyId keyId = sourceVmConfigInfo.getKeyId();
// save encryption.bundle, which is in extraConfig
List<OptionValue> extraCfg = sourceVmConfigInfo .getExtraConfig();
// save firmware
String firmware = sourceVmConfigInfo.getFirmware();
// save vTPM device
VirtualDevice vtpmDevice = null;
for (VirtualDevice virtualDevice : sourceVmConfigInfo.getHardware().getDevice()) {
   if (virtualDevice instanceof VirtualTPM) {
      vtpmDevice = virtualDevice;
   }
   // save other devices
   // ...
}
// save nvram file
byte[] nvramByteAry = vsphereFileServiceClient.download(sourceVmNvramFilePath);

Restoring With vTPM

To restore a vTPM enabled VM, follow these steps, as in the sample code below.

  1. Configure a VM with the same keyId and encryption.bundle as source (requires same KMS).
  2. Make sure an encryption storage policy exists and is assigned to the VM. See "Create an Encryption Storage Policy" in the vSphere Web Services SDK Programming Guide.
  3. Configure this VM with the same firmware property and vTPM device as the source VM.
  4. Restore NVRAM using HTTP service. Again, see section "HTTP Access to vSphere Server Files" in the vSphere Web Services SDK Programming Guide.
// create configSpec for VM to be created
VirtualMachineConfigSpec configSpec = new VirtualMachineConfigSpec() ;
// set keyId
CryptoSpecEncrypt cryptoSpec = new CryptoSpecEncrypt();
cryptoSpec.setCryptoKeyId(keyId);
configSpec.setCrypto(cryptoSpec);
// set encryption.bundle
configSpec.setExtraConfig(extraCfg);
//
// set PbmProfile for encryption
// For complete code, see Example: Java program to set storage policy for encryption.
// public class CreateVMEncryptionProfile extends ConnectedServiceBase {
// private PbmServiceInstanceContent spbmsc;
// private String profileName;
// ...
// for (PbmCapabilityVendorResourceTypeInfo vendor : vendorInfo)
//    for (PbmCapabilityVendorNamespaceInfo vnsi : vendor .getVendorNamespaceInfo())
//       if (vnsi.getNamespaceInfo().getNamespace().equals("vmwarevmcrypt")) {
//          encryptionCapable = true;
//          break;
//       }
// ...
// set firmware
configSpec.setFirmware(firmware);
// set vTPM device
VirtualDeviceConfigSpec vtpmDeviceConfig = new VirtualDeviceConfigSpec();
vtpmDeviceConfig.setOperation(VirtualDeviceConfigSpecOperation.ADD);
vtpmDeviceConfig.setFileOperation(null);
vtpmDeviceConfig.setDevice(vtpmDevice);
configSpec.getDeviceChange().add(vtpmDeviceConfig);
// set other properties and then create restore VM
// ...
// upload nvram
vsphereFileServiceClient.upload(restoreVmNvramFilePath, nvramByteAry